By Jessica Bowker
Over the years, employers have used digital monitoring in disciplinary proceedings against Local 21 members, many times to the surprise of these employees.
While Local 21 and employers may disagree about digital policies and the enforcement of those policies, it is nevertheless important that Local 21 members have the facts on what their employers are technically capable of monitoring so they can avoid unnecessary problems or unknowingly violate any policies.
We sat down with three Local 21 IT chapter members- William Goldberg, Principal Engineer, CCSF Department of Technology, Paul J. Zabriskie, Information Systems Principal Engineer, CCSF Department of Public Health, and Steve Solnit, Information Systems Principal Business Analyst, CCSF Department of Public Health- as well as with Joe Voje, CCSF Department of Technology’s Chief Information Security Officer to ask questions about what the City’s capabilities are for digital monitoring of employee activities. While this information is based on CCSF’s capabilities, it is good information for Local 21 members everywhere.
What online activity can your employer monitor? Pretty much everything. When you are using the City’s secure network, IT has the ability to produce web server logs of your online activities with great detail. A web server log documents your internet history. For example, an employer can tell what sites you have visited and when, how long you were actively on a webpage, what you downloaded, and what links you clicked on.
Personal devices are also potentially vulnerable to monitoring. Because each user has a unique login to the City’s secure wifi, it is not difficult to figure out if someone is engaging in inappropriate activities on the job while using the City’s network. Only when using a personal device and connecting with a personal cellular data plan or through free public wifi is activity not subject to digital monitoring. For example, if you are using your personal cell phone at work and connected to your work’s wifi, you are still subject to monitoring, but if you’re connected to your phone’s LTE or 4G, web server logs would not be recorded by your employer.
Your employer may also digitally monitor other behavior while you’re on the job. For example, tagging in and out with badges, security cameras, and logging in and out of computers and programs all create a record that can be accessed by an employer.
There is no standard for purging of weblogs and email. Purging, or permanently deleting data, occurs on a sporadic basis. As such, an employer may well be able to have access to a deleted email weeks afterwards, or to web server logs several years after the fact.
It is important that every Local 21 member familiarize themselves with the relevant policies in their workplace. The City generally forbids non-work related use of digital resources. While the Department of Technology (DT) does produce a set of digital policies, its guidelines act in an advisory capacity and each individual department may have their own additional firewalls, digital policies, and monitoring practices. For example, DT’s web filtering capabilities target certain illegal sites and things like hacking tools, while the Department of Public Health (DPH) also filters shopping sites.
Our Local 21 roundtable or experts all agreed that there is a need for standardized city-wide policies regarding digital use and monitoring that are fair. DT’s Vojeemphasized the need for more attention to be placed on issues like cyber security, and not on unnecessary monitoring of employee activities. He said that his team “does not have time to be the moral police” and that he would prefer to focus on raising awareness around “good cyber hygiene.” While the multitude of current policies and practices are still in place however, Local 21 members should be very careful to follow their departments’ rules for digital use.
Solnit advised members to keep in mind that every email sent and every document created are also potentially subject to both employer scrutiny and to a public information request. Goldberg agrees, “Operate on the assumption that everything you write is public.”