The BBC recently posted an article about remote workers being monitored in their use of technology when at home (you can read the article here). Obviously, this issue has largely become pertinent given the pandemic and the various lockdowns, which have resulted in individuals, including teachers, having to work from home. The thought of your employer, school leadership or IT staff monitoring what you are doing seems “creepy”, inappropriate and an invasion of personal privacy, but is it that simple?
A world of tracking
Before I look at remote working, let's first consider the work devices used within a school and the monitoring that may be possible. Within a school, especially larger schools, it is likely that school devices will have remote support software installed which allows IT staff to remotely access a device in order to provide assistance without the need to actually visit the computer in question. All well so far. However, this functionality means it would be possible for IT staff to watch your screen and every action, every word typed, every social media interaction. Now that sounds creepy already, and we are only on school-owned devices!
Your email and internet activity are also recorded. For school email this likely means your emails are accessible by IT teams for support purposes but also for compliance with GDPR legislation, to resolve Subject Access Requests, etc. In terms of internet activity, although most data to and from websites is now encrypted, the timing of site visits, the sites visited, the device used, etc. are all recorded. And this happens irrespective of whether you use a school or personal device connected to the internet via the school's infrastructure.
The above hints at the huge logs generated where IT systems are used, whether this be accessing the school's management system from a school PC in a classroom, or accessing MS Teams to deliver an online lesson from home. As soon as we access the system, information such as the device name, device type, username, time, IP address, etc. is logged. And from this data further data can be generated, such as your IP address allowing for geographical information to be identified, albeit this isn't always reliable. So, some form of tracking and/or monitoring will always be possible.
But what does it mean?
My view on this whole situation is that tracking/monitoring is unavoidable. Data will be and must be gathered for the purposes of troubleshooting, auditing, legal compliance, etc. So, the question becomes: how do we manage the risk associated with the existence of this data? And as to the ability to access and monitor a specific user’s machine, and view their screen, this needs to be possible in order to provide support, so again it is about managing risk.
I think one of the key issues is that of transparency and acknowledging that data which could be used for tracking or monitoring purposes exists, and that remote access and screen viewing are also possible. In doing so it is also important to be clear on the acceptable use of this data or these remote access solutions, such as their use in troubleshooting. In relation to remote access software, I also think it is important to have clear protocols in relation to usage and privacy, such as a requirement to request the user's approval before accessing a machine that user is currently using. Access should also be limited on the basis of “least privilege” such that only those that truly need access and have a valid reason for access actually have access.
For me, policy plays a key part in all of this. Your Acceptable Usage policy should give a clear indication of the creation of data and potential monitoring, along with stated limitations as to where it can and cannot be used. Additionally, I believe IT staff and those with admin access to large amounts of data, or to sensitive data, should be agreeing to a high-level access agreement which sets out additional requirements regarding their privileged access, plus sets out the higher level of penalties for misuse which comes with increased responsibility.
As always, the newspaper article is a little bit sensationalist. The reality isn't as simple. Tracking and monitoring are possible, but they are the result of systems designed to support users, to be robust and reliable, and to ensure legal compliance, rather than systems built for the purposes of invading individuals’ privacy. As such the key thing is transparency and trust, with a little bit of policy thrown in just in case.