Proactive release of Official Information Act response regarding Data Loss Prevention software installed on work computers
The information below is the response to Fairfax Media regarding Data Loss Prevention software installed on work computers.
Has MIT installed software designed to record details of activities on employee computers (i.e., internet activities, as well as productivity)?
MIT has recently installed Data Loss Prevention software (DLP) on its staff computers to guard against sensitive data leaks. The software is designed to prevent critical information such as private staff records, student records and intellectual property being sent outside the institute without permission.
Data loss is a big issue, especially in the educational context.
MIT has recently invested in designing courses for staff to help them adjust to increased online teaching. We have also been investing in creating tools so our programmes can be delivered online to in-work learners. Generating IP carries with it cost in terms of time, money and expertise. MIT has an obligation to protect these assets in a competitive marketplace for skills training.
While not the main function of the new DLP software, it does have the ability to identify excessive internet usage and productivity.
If yes, what is the name of the software?
Safetica.
When was it first installed?
Late September, 2017
How many staff computers was it installed on within the first month?
60
How many staff computers was it installed on by the end of 2017?
All of them.
What did the software cost MIT?
This information is commercially sensitive and is withheld under section 9(2)(b)(ii) of the Official Information Act. Under section 28(3) of the Act, you have the right to ask an Ombudsman to review this decision.
Has MIT advised staff that the software has been installed and can be used to analyse their activities (as well as productivity)?
The software has been installed within the policies notified to staff by email, on the intranet and referenced in their employment agreements.
The most recent ICTS Acceptable Use Policy outlines that “a web content control system monitors and controls website visits” and that “MIT monitors and logs websites visited, files downloaded and social networking accounts.” (See sections 7.1 and 7.2). The policy also states that “Directors/senior managers can request reports that allow them to monitor and moderate internet usage.”
The policy was highlighted to all staff in an institute-wide email dated 4 April 2016 with the explicit instruction for staff to “familiarise yourself with the new Acceptable Use policy, at a minimum.”
Another institute-wide email dated 7 December 2017 informed staff that Data Loss Protection software had been installed: “…in response to an increase in attacks globally, we implemented software which detects and prevents data loss, making our data and IP more secure.”
We understand that internet usage at work, not directly pertaining to work tasks, is sometimes necessary. This is allowed for in the policy provided that “use must be reasonable and appropriate, not impact on staff productivity or system performance or bring MIT into disrepute.”
If individuals are concerned that monitoring of work devices impinges on their privacy, they are entitled to undertake personal business on their own hardware, in their own time.
Does the software record keystrokes and screen shots?
No. The version of Safetica installed by MIT does not record keystrokes or screen shots.
If yes, a) has MIT advised staff that their bank account details and personal email accounts including passwords may be recorded by MIT, if accessed on work computers? And b) Did MIT seek any advice concerning employees’ rights under the Privacy Act (1993) prior to installing software?
Not applicable.