The murky world of Australia & Singapore's workforce monitoring laws

16 Feb 18

Australia is one of the least complex countries in the world for workforce monitoring - second only to the United States, says a Forcepoint-sponsored study by legal firm Hogan Lovells.

The study examines the fine balance between the need for IP and data protection and employees’ privacy and legal rights, particularly when applied to regulations such as the GDPR.

Forcepoint claims this is the first published review of the international legal landscape that looks specifically at cyber-focused workforce threat program implementation.

The report ranks 14 countries including Australia and Singapore for 10 different monitoring activities.

Those activities include monitoring internet browsing, keylogging, social media monitoring, monitoring employee-owned devices and higher-level IT activities, including monitoring temporal metadata (e.g. logons and session length) and monitoring privileged access use.

Workforce monitoring activities are also governed by a variety of data protection, data privacy, communications secrecy, and employment laws.

“Numerous recent events have shown how cyber incidents can disrupt operations, damage reputation, and expose organisations to regulatory consequences and private litigation,” comments Hogan Lovells partner Harriet Pearson.

Australian organisations need express consent for monitoring social media and employee-owned devices, but do not need higher levels of consent beyond the required notice for monitoring other areas.

The report mentions that some Australian states, such as New South Wales and Victoria, have regulations that require employers to obtain express consent to monitor employee activities on non-company devices when the employee is not working or at the workplace.

However, “The Privacy Act generally supports the use and disclosure of information collected via monitoring activities when an employer has reason to suspect that an employee has engaged in unlawful activities or otherwise serious misconduct,” the report says.

In contrast, Singapore put significant levels of effort into capturing on-screen activities, keylogging, monitoring social media and employee-owned devices.

“Employers need not obtain consent for monitoring activities that reasonably support the management or termination of employment relationships, including activities that are necessary to evaluate the suitability, eligibility, or qualifications of an employee for promotion or continued employment or for evaluation purposes,” the report says.

Both countries are described as requiring a ‘basic’ level of compliance to implement comprehensive workforce monitoring; however, other countries such as Finland and Italy require far more effort and compliance.

Finland, for example, requires significant levels of effort in most categories; however, temporal metadata and privileged access monitoring are less complex. Employers are often prohibited from accessing the contents of communications sent or received by employees.

In the United States, federal law provides that organisations are exempt from liability to the extent that they monitor their information systems for cybersecurity purposes.

“Any workforce monitoring program must be proportionate, respectful and transparently deployed to ensure the continued trust of the workforce,” comments Forcepoint CISO Allan Alford.

Forcepoint believes that traditional tools are failing to provide human risk information with context. As a result, behaviours where data, users and networks intersect, are growing in demand.

“It’s a careful balancing act: employees and employers must work hand-in-hand to protect each other. We all want better protection for ourselves and our important information and data, but monitoring when, how and why employees interact with various corporate data has some clear and important privacy implications,” Alford concludes.

The Managing Workforce Cyber Risk in a Global Landscape report analysed regulations in Australia, Singapore, the United States, Canada, Finland, France, Germany, Italy, the Netherlands, Spain, Sweden, Switzerland, the United Kingdom and Turkey.
