Personal use of work IT systems

Vetch

We have an Acceptable Use Policy at work for IT and telecommunications systems. It allows employees a 'reasonable' amount of personal use of the systems.

I am wondering 'reasonable personal use' has been tested or delimited anywhere as it's a common feature in policies. The person who wrote our policy could not tell me what it means.

What I'm interested in are personal emails and documents created or stored on work systems, and that are unrelated to the employer. Emails could be to a friend, organising car insurance, their own medical information and the like. Thanks for reading.

Samuel T. Cogley

Not taking the piss is no where near as professional but usually delimits things nicely.

F1ngers

Vetch wrote: »

We have an Acceptable Use Policy at work for IT and telecommunications systems. It allows employees a 'reasonable' amount of personal use of the systems.

I am wondering 'reasonable personal use' has been tested or delimited anywhere as it's a common feature in policies. The person who wrote our policy could not tell me what it means.

What I'm interested in are personal emails and documents created or stored on work systems, and that are unrelated to the employer. Emails could be to a friend, organising car insurance, their own medical information and the like. Thanks for reading.

What you've mentioned there would be acceptable use - also using it during designated breaks and not when you are working.

I don't think I'd be storing personal medical information in work, their systems, they have full access to everything.

Vetch

Samuel T. Cogley wrote: »

Not taking the piss is no where near as professional but usually delimits things nicely.

I hear you. I'm looking at it from a GDPR perspective where employees have an entitlement to a 'reasonable' amount of privacy at work. That word 'reasonable' again.

coylemj

Vetch wrote: »

I am wondering 'reasonable personal use' has been tested or delimited anywhere as it's a common feature in policies.

It can't be 'tested or delimited' because no two situations are the same. What might be appropriate or reasonable in one situation could be grossly irresponsible and inappropriate in another.

Vetch wrote: »

The person who wrote our policy could not tell me what it means.

You actually expected them to explain what they meant by 'reasonable' use?

Vetch wrote: »

I hear you. I'm looking at it from a GDPR perspective where employees have an entitlement to a 'reasonable' amount of privacy at work. That word 'reasonable' again.

It's not possible to quantify levels of privacy so what else can an employer do except agree that you should except and have a 'reasonable' level of privacy?

Vetch

coylemj wrote: »

It can't be 'tested or delimited' because no two situations are the same. What might be appropriate or reasonable in one situation could be grossly irresponsible and inappropriate in another.



You actually expected them to explain what they meant by 'reasonable' use?



It's not possible to quantify levels of privacy so what else can an employer do except agree that you should except and have a 'reasonable' level of privacy?

Thanks – this is the answer I was expecting. I expected to hear a rationale for use of the term ‘reasonable use’. But I didn’t get any answer at all. While every situation might be different the employer surely still has to know what they mean when they are applying policies to staff, and apply the policies consistently.

4ensic15

"reasonable use" is used as a term because it is an amorphous test which can be tailored to individual circumstances. The problem with specifiying exact parameters is that this can then be seen as an invitation to go up to the exact parameters.

Ash.J.Williams

Vetch wrote: »

Samuel T. Cogley wrote: »

Not taking the piss is no where near as professional but usually delimits things nicely.

I hear you. I'm looking at it from a GDPR perspective where employees have an entitlement to a 'reasonable' amount of privacy at work. That word 'reasonable' again.

The company own and are responsible for your email. You are not entitled to privacy however unreasonable invasions of privacy can be covered by bullying and harassment I'm sure.

Eric Cartman

as somebody who works in IT and has clients who adopt a similar policy, I'd like to chime in.

I had a problem before where a client had to have me put a block on websites related to dogs, a staff member was spending literally all day looking at pictures of dogs, completely interfering with their work day and beyond 'reasonable'

a lot of companies allow things like sorting car insurance, putting on internet radio stations, doing the basics yet block Facebook, youtube and twitter as those are complete time sinks and decrease productivity.

torrenting, downloading large files etc... would also usually be completely unacceptable.

Generally the term 'fair and reasonable use' applies where the impact of your personal internet use does not 1)decrease your productivity or distract from work and 2) does not impact on the efficiency of the IT systems in the workplace (hogging internet etc...)

from a GDPR perspective , a lot of companies have web logging , packet inspection and trending info on top websites visited etc... , they are not storing the information you submit or other personal data. they can see what websites your computer visits and for how long etc.. but usually not any identifiable info that would cause any data protection concerns.

alias no.9

With work email, don't presume you have any privacy from your employer.

Similarly, don't assume Google isn't snooping on your Gmail but you're not answerable to Google unless they're also your employer.

Use a Gmail account for personal stuff, it's just better that way, even if you access it through a work computer, they won't be keeping records of the content of your email.

Paulw

Vetch wrote: »

I'm looking at it from a GDPR perspective where employees have an entitlement to a 'reasonable' amount of privacy at work. That word 'reasonable' again.

In relation to work computers and work IT infrastructure, you have no entitlement to privacy. This has been proven time and time again in court, even as far up as the European Court of Human Rights.

Anything you do on a work computer is subject to inspection by the company.

Many companies monitor network traffic (in many ways), so even using "Private mode" on your browser isn't safe. The same with using your own mobile phone on the work wifi network.

You should really consider and believe that you have zero privacy when it comes to IT in your company.

What is normally meant by "reasonable use" would tend to fall in to use of your time. So, it's fine to surf on breaks, but not fine to spend all day on facebook, twitter, boards.ie, etc. And the "reasonable" will vary from employee to employee. So, your 30 min on facebook might be more acceptable than someone's 2 min on a porn site.

Reasonable personal use would generally mean you can do a bit of banking, insurance, limited social media (facebook, twitter, boards), general news, etc, as long as it does not interfere with your work duties.

Robbo

Paulw wrote: »

In relation to work computers and work IT infrastructure, you have no entitlement to privacy. This has been proven time and time again in court, even as far up as the European Court of Human Rights.

That is an incorrect blanket statement. As ever, it depends on the circumstances, context and whether the measures taken are proportional. The ECHR has made findings that workplace monitoring methods can be a violation of an individuals right to privacy under the Charter. Recently, it was noted in Barbelescu that:

“an employer's instructions cannot reduce private social life in the  workplace to zero”

From an EU data protection perspective, the Article 29 Working Party has published documents (most recently Opinion 2 of 2017) on this. There's your GDPR angle.

It's not an area of law with a large number of bright lines, everything is very much case dependent and opinions even amongst professionals in the field may differ.

Paulw wrote: »

You should really consider and believe that you have zero privacy when it comes to IT in your company.

100% with you there. One should always behave in a privacy conscious manner no matter what the context but let's not use that as an excuse for pretending that we have limited rights to privacy. It's that kind of thinking that leads to the classic Photographers Phallacy (sic) of "I can take a picture of anyone as long as they're in public without any concern for their privacy because they waived that right the minute they stepped outside their front door".

Vetch

Paulw wrote: »

In relation to work computers and work IT infrastructure, you have no entitlement to privacy. This has been proven time and time again in court, even as far up as the European Court of Human Rights.

Anything you do on a work computer is subject to inspection by the company.

Many companies monitor network traffic (in many ways), so even using "Private mode" on your browser isn't safe. The same with using your own mobile phone on the work wifi network.

You should really consider and believe that you have zero privacy when it comes to IT in your company.

What is normally meant by "reasonable use" would tend to fall in to use of your time. So, it's fine to surf on breaks, but not fine to spend all day on facebook, twitter, boards.ie, etc. And the "reasonable" will vary from employee to employee. So, your 30 min on facebook might be more acceptable than someone's 2 min on a porn site.

Reasonable personal use would generally mean you can do a bit of banking, insurance, limited social media (facebook, twitter, boards), general news, etc, as long as it does not interfere with your work duties.

Opinion 2/17, which Robbo mentions, is the reason I started this thread. Two sections from it:

'It should be ensured that employees can designate certain private spaces to
which the employer may not gain access unless under exceptional circumstances. This, for
example, is relevant for calendars, which are often also used for private appointments. If the
employee sets an appointment to “Private” or notes this in appointment itself, employers (and
other employees) should not be allowed to review the contents of the appointment.'

and

'This Opinion makes a new assessment of the balance between legitimate interests of
employers and the reasonable privacy expectations of employees by outlining the risks posed
by new technologies and undertaking a proportionality assessment of a number of scenarios
in which they could be deployed'

When I asked in my OP if anyone knows of a case where this 'reasonable use' ground has been tested, I obviously worded it in a not so great way. I hope this is clearer - what I'm asking is it anyone knows of a case where this principle has been discussed and there is commentary on factors that are taken into consideration.