Agencies have solid reasons to keep watch on their employees’ online activities: Protecting sensitive information, ensuring that the law is upheld, and defending government computer networks from cyber attacks are all legitimate requirements.
Technology today allows employers to spy on every keystroke, mouse click and page view generated by an employee.
Given that the computer and the network belong to the government, that ability is implicit and should be well understood by every federal employee.
But just because they can doesn’t mean they should.
Across government, there is an absence of clear rules and guidance on what is and isn’t acceptable in terms of employee monitoring.
Six current and former employees are suing the Food and Drug Administration, alleging FDA targeted their emails and online activities after they raised questions about the safety of some FDA-approved medical products.
They argue the FDA spied on them in retaliation for their blowing the whistle on what they deemed to be unsafe agency practices; if true, that would be illegal. FDA argues the agency was trying to identify potential leaks of sensitive information following a complaint by a company that claimed proprietary information had been disseminated.
But in the process of tracking the source of the leaks, FDA also collected volumes of personally identifiable information — bank accounts, passwords, private emails and more. And much of it ended up in the possession of an FDA contractor and, inexplicably, on the Web.
Ironically, having invaded the privacy of those six employees, the FDA has thus far evaded direct questions about who made the decision to monitor the employees and how the data that was extracted from their keystrokes made it onto the Internet. Sen. Charles Grassley, R-Iowa, has asked the Health and Human Services Department’s inspector general to investigate.
Most employees know their work activities are subject to monitoring within reasonable limits and that their employer has legitimate needs to ensure they handle sensitive information properly.
But it’s critical that agencies apply a clear, consistent approach to monitoring.
When it comes to singling out specific employees for more extensive monitoring, there must be a clear basis of suspicion that is supported by evidence. And the authority to order that more extensive monitoring should be vested in specific senior officials who will then be accountable for the action they approve. Due process for the employee must be assured.
It is particularly troubling that, even now, key details of how FDA’s monitoring decisions were made and by whom remain a mystery.
Finally, the government needs to establish rules for how personal information is treated when it is collected. Even employees under suspicion of wrongdoing have privacy rights. Who gets access to that data, how it is protected, and what happens to it once an investigation is completed remain critical questions that must be understood.