Instead of spying on staff who snoop into private records while at work, organizations should adopt security measures that prevent staff breaching privacy laws, a Queensland University of Technology (QUT) privacy expert said today.
His comments follow news last week that Centrelink is using keylogging software to monitor staff access to company records. The surveillance has led to the sacking of 19 staff. Similar steps are being taken at the Australian Tax Office (ATO) where 27 workers have been sacked.
Centrelink CEO Jeff Whalan dubbed the surveillance a “success” and said there would be no apologies for the tough stance the welfare agency has taken to protect public records.
Professor Peter Croll, from QUT’s Faculty of Information and Technology, said the current approach to privacy regulation was to wait for workers to breach privacy laws and then take action.
“What’s happening is that we have organizations snooping on their staff to see if their staff are snooping,” he said.”This just isn’t the answer.”
Professor Croll supported privacy protection and moves to prevent staff from snooping, but said organizations shouldn’t just rely on audits. Next month Professor Croll and his research team at QUT’s Information Security Institute will release the first software prototype said to be suitable for all businesses to prevent snooping by staff.
“If you have a security policy then this new software enforces that security policy. It can’t be overridden,” he said.
“It offers military standard, mandatory access controls to ensure privacy is enforced in commercially available, enterprise-level computer systems.”
He said the development of this prototype, which has been funded by an Australian Research Council grant, provides strict access control technology to prevent unauthorized viewing of sensitive data.
Professor Croll, in collaboration with the CSIRO, has also developed another security measure that protects privacy.
“It is a Web-based software tool that asks questions of the user and then makes sure that the user is aware of the relevant privacy regulations and rules before allowing access to information,” he said. “It encourages privacy policy compliance and enforces access controls.”