Is a client identifying my device (which caused high network traffic) possibly in violation of privacy regulations? [closed]
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;
up vote
29
down vote
favorite
I live in Belgium and I'm working for a government institution as a contractor.
About two months ago I've had to reinstall my (own - but professionally used) laptop that is connected to the corporate "Bring Your Own Device" (BYOD) wifi throughout the day. I reinstalled my computer at home, on my own time. But, apparently, it seems that my laptop's Dropbox has been syncing over the company network (which doesn't seem to be blocked by it) while I was at work and has consumed about a 100 gigs of network-traffic-data in a few weeks time.
Today, I've received a very stern talking-to from the network department saying that this is unacceptable (which I do not deny) and that appropriate action will be taken against me. I've notified the network administrator that this is the first time this has happened and that I will take care not to let it happen any more in the future.
However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?
So my question is: Considering the new EU privacy regulations (GDPR and such), to what lengths can an employer go in terms of checking the traffic on the company wifi-BYOD-network?
Note that I'm not looking to harass the organisation, because I was at fault (even though I did not know it at the time) I just want to find out if their course of action is according to procedure.
This is the first time they have notified me and I've never had any of these issues before.
Notes:
- I have full authorization to connect to the network even with a
personal device - this is a "bring your own device network", apart
from downloading a lot for which the IT policy states no hard limit,
I've not breached any official IT regulations. - We are talking about network usage data (there are no
personal files of mine stored on a company resource - I only use
their network), I'm very well aware how back-up and sync systems
work, I just happened to forget that Dropbox was on and syncing on my
own laptop (which I use as part of my job professionally, so it
holds meetings notes, my designs, models and such) while connected to
the company BYOD-wifi-network. - This is a government organisation, in a government owned building but the provide a corporate wifi. Their internet access is top tier in Belgium and bandwidth is generally not a problem.
- Things might be different in the UK, but in Belgium internal IT policies certainly do not overrule privacy concerns. Privacy is taken very seriously.
- Here, it is very common for an independent contractor to use their own equipment in addition to the equipment provided by the client. In this case, my laptop is my own professional equipment that I mostly use to take notes and create models. I do most of my "real" work on my client's infrastructure.
privacy gdpr
closed as off-topic by gnat, jcmack, Rui F Ribeiro, Jan Doggen, mandy Aug 14 at 14:55
This question appears to be off-topic. The users who voted to close gave this specific reason:
- "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address only a specific company or position are of limited use to future visitors. Questions seeking legal advice should be directed to legal professionals. For more information, click here." â gnat, jcmack, Rui F Ribeiro, Jan Doggen, mandy
add a comment |Â
up vote
29
down vote
favorite
I live in Belgium and I'm working for a government institution as a contractor.
About two months ago I've had to reinstall my (own - but professionally used) laptop that is connected to the corporate "Bring Your Own Device" (BYOD) wifi throughout the day. I reinstalled my computer at home, on my own time. But, apparently, it seems that my laptop's Dropbox has been syncing over the company network (which doesn't seem to be blocked by it) while I was at work and has consumed about a 100 gigs of network-traffic-data in a few weeks time.
Today, I've received a very stern talking-to from the network department saying that this is unacceptable (which I do not deny) and that appropriate action will be taken against me. I've notified the network administrator that this is the first time this has happened and that I will take care not to let it happen any more in the future.
However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?
So my question is: Considering the new EU privacy regulations (GDPR and such), to what lengths can an employer go in terms of checking the traffic on the company wifi-BYOD-network?
Note that I'm not looking to harass the organisation, because I was at fault (even though I did not know it at the time) I just want to find out if their course of action is according to procedure.
This is the first time they have notified me and I've never had any of these issues before.
Notes:
- I have full authorization to connect to the network even with a
personal device - this is a "bring your own device network", apart
from downloading a lot for which the IT policy states no hard limit,
I've not breached any official IT regulations. - We are talking about network usage data (there are no
personal files of mine stored on a company resource - I only use
their network), I'm very well aware how back-up and sync systems
work, I just happened to forget that Dropbox was on and syncing on my
own laptop (which I use as part of my job professionally, so it
holds meetings notes, my designs, models and such) while connected to
the company BYOD-wifi-network. - This is a government organisation, in a government owned building but the provide a corporate wifi. Their internet access is top tier in Belgium and bandwidth is generally not a problem.
- Things might be different in the UK, but in Belgium internal IT policies certainly do not overrule privacy concerns. Privacy is taken very seriously.
- Here, it is very common for an independent contractor to use their own equipment in addition to the equipment provided by the client. In this case, my laptop is my own professional equipment that I mostly use to take notes and create models. I do most of my "real" work on my client's infrastructure.
privacy gdpr
closed as off-topic by gnat, jcmack, Rui F Ribeiro, Jan Doggen, mandy Aug 14 at 14:55
This question appears to be off-topic. The users who voted to close gave this specific reason:
- "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address only a specific company or position are of limited use to future visitors. Questions seeking legal advice should be directed to legal professionals. For more information, click here." â gnat, jcmack, Rui F Ribeiro, Jan Doggen, mandy
2
Comments are not for extended discussion; this conversation has been moved to chat.
â Snowâ¦
Aug 14 at 8:42
3
100 GB over multiple weeks that was a result of syncing files you use at work? This sounds like reasonable network traffic that was in line with your responsibilities. Why are you getting disciplined?
â Glen Pierce
Aug 14 at 13:40
add a comment |Â
up vote
29
down vote
favorite
up vote
29
down vote
favorite
I live in Belgium and I'm working for a government institution as a contractor.
About two months ago I've had to reinstall my (own - but professionally used) laptop that is connected to the corporate "Bring Your Own Device" (BYOD) wifi throughout the day. I reinstalled my computer at home, on my own time. But, apparently, it seems that my laptop's Dropbox has been syncing over the company network (which doesn't seem to be blocked by it) while I was at work and has consumed about a 100 gigs of network-traffic-data in a few weeks time.
Today, I've received a very stern talking-to from the network department saying that this is unacceptable (which I do not deny) and that appropriate action will be taken against me. I've notified the network administrator that this is the first time this has happened and that I will take care not to let it happen any more in the future.
However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?
So my question is: Considering the new EU privacy regulations (GDPR and such), to what lengths can an employer go in terms of checking the traffic on the company wifi-BYOD-network?
Note that I'm not looking to harass the organisation, because I was at fault (even though I did not know it at the time) I just want to find out if their course of action is according to procedure.
This is the first time they have notified me and I've never had any of these issues before.
Notes:
- I have full authorization to connect to the network even with a
personal device - this is a "bring your own device network", apart
from downloading a lot for which the IT policy states no hard limit,
I've not breached any official IT regulations. - We are talking about network usage data (there are no
personal files of mine stored on a company resource - I only use
their network), I'm very well aware how back-up and sync systems
work, I just happened to forget that Dropbox was on and syncing on my
own laptop (which I use as part of my job professionally, so it
holds meetings notes, my designs, models and such) while connected to
the company BYOD-wifi-network. - This is a government organisation, in a government owned building but the provide a corporate wifi. Their internet access is top tier in Belgium and bandwidth is generally not a problem.
- Things might be different in the UK, but in Belgium internal IT policies certainly do not overrule privacy concerns. Privacy is taken very seriously.
- Here, it is very common for an independent contractor to use their own equipment in addition to the equipment provided by the client. In this case, my laptop is my own professional equipment that I mostly use to take notes and create models. I do most of my "real" work on my client's infrastructure.
privacy gdpr
I live in Belgium and I'm working for a government institution as a contractor.
About two months ago I've had to reinstall my (own - but professionally used) laptop that is connected to the corporate "Bring Your Own Device" (BYOD) wifi throughout the day. I reinstalled my computer at home, on my own time. But, apparently, it seems that my laptop's Dropbox has been syncing over the company network (which doesn't seem to be blocked by it) while I was at work and has consumed about a 100 gigs of network-traffic-data in a few weeks time.
Today, I've received a very stern talking-to from the network department saying that this is unacceptable (which I do not deny) and that appropriate action will be taken against me. I've notified the network administrator that this is the first time this has happened and that I will take care not to let it happen any more in the future.
However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?
So my question is: Considering the new EU privacy regulations (GDPR and such), to what lengths can an employer go in terms of checking the traffic on the company wifi-BYOD-network?
Note that I'm not looking to harass the organisation, because I was at fault (even though I did not know it at the time) I just want to find out if their course of action is according to procedure.
This is the first time they have notified me and I've never had any of these issues before.
Notes:
- I have full authorization to connect to the network even with a
personal device - this is a "bring your own device network", apart
from downloading a lot for which the IT policy states no hard limit,
I've not breached any official IT regulations. - We are talking about network usage data (there are no
personal files of mine stored on a company resource - I only use
their network), I'm very well aware how back-up and sync systems
work, I just happened to forget that Dropbox was on and syncing on my
own laptop (which I use as part of my job professionally, so it
holds meetings notes, my designs, models and such) while connected to
the company BYOD-wifi-network. - This is a government organisation, in a government owned building but the provide a corporate wifi. Their internet access is top tier in Belgium and bandwidth is generally not a problem.
- Things might be different in the UK, but in Belgium internal IT policies certainly do not overrule privacy concerns. Privacy is taken very seriously.
- Here, it is very common for an independent contractor to use their own equipment in addition to the equipment provided by the client. In this case, my laptop is my own professional equipment that I mostly use to take notes and create models. I do most of my "real" work on my client's infrastructure.
privacy gdpr
privacy gdpr
edited Aug 14 at 7:50
asked Aug 13 at 12:42
ElGringoMagnifico
3651311
3651311
closed as off-topic by gnat, jcmack, Rui F Ribeiro, Jan Doggen, mandy Aug 14 at 14:55
This question appears to be off-topic. The users who voted to close gave this specific reason:
- "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address only a specific company or position are of limited use to future visitors. Questions seeking legal advice should be directed to legal professionals. For more information, click here." â gnat, jcmack, Rui F Ribeiro, Jan Doggen, mandy
closed as off-topic by gnat, jcmack, Rui F Ribeiro, Jan Doggen, mandy Aug 14 at 14:55
This question appears to be off-topic. The users who voted to close gave this specific reason:
- "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address only a specific company or position are of limited use to future visitors. Questions seeking legal advice should be directed to legal professionals. For more information, click here." â gnat, jcmack, Rui F Ribeiro, Jan Doggen, mandy
2
Comments are not for extended discussion; this conversation has been moved to chat.
â Snowâ¦
Aug 14 at 8:42
3
100 GB over multiple weeks that was a result of syncing files you use at work? This sounds like reasonable network traffic that was in line with your responsibilities. Why are you getting disciplined?
â Glen Pierce
Aug 14 at 13:40
add a comment |Â
2
Comments are not for extended discussion; this conversation has been moved to chat.
â Snowâ¦
Aug 14 at 8:42
3
100 GB over multiple weeks that was a result of syncing files you use at work? This sounds like reasonable network traffic that was in line with your responsibilities. Why are you getting disciplined?
â Glen Pierce
Aug 14 at 13:40
2
2
Comments are not for extended discussion; this conversation has been moved to chat.
â Snowâ¦
Aug 14 at 8:42
Comments are not for extended discussion; this conversation has been moved to chat.
â Snowâ¦
Aug 14 at 8:42
3
3
100 GB over multiple weeks that was a result of syncing files you use at work? This sounds like reasonable network traffic that was in line with your responsibilities. Why are you getting disciplined?
â Glen Pierce
Aug 14 at 13:40
100 GB over multiple weeks that was a result of syncing files you use at work? This sounds like reasonable network traffic that was in line with your responsibilities. Why are you getting disciplined?
â Glen Pierce
Aug 14 at 13:40
add a comment |Â
5 Answers
5
active
oldest
votes
up vote
12
down vote
accepted
One thing, in general Belgium has always been one of the more strict countries with respect to privacy, GDPR changed very little to none about that. There are multiple privacy-related issues that are not covered by GDPR (which focus on data protection) but are covered by Belgian laws.
There are two very important principles that apply here from both belgian law and CAO's (collective employment agreements):
- The employer cannot do this without express consent. Typically this consent is part of your contract or work policy (arbeidsreglement). If such consent was never given this practice is almost always considered illegal.
- Given 1, there is also something called the 'proportionality' principle. If the main concern was the data usage and they only monitored your device's usage, that's likely okay. However if they got a lot further and they monitored the exact content and services they used that's very likely not acceptable. If their main worry was however security that may be more acceptable but that argument may be a hard sell since you're talking about a BYOD network.
These are old rules (pre-GDPR) that have been tested in court multiple times. GDPR actually only makes these rules stronger, e.g. it is assumed the 'consent' part cannot be simply be 'your internet usage will be monitored' but must be more precise. Also if monitoring is applied (and allowed) GDPR adds stricter rules on retention of that data and so on. However, it is to be determined how all that will hold up in court.
Some sources for all this (dutch):
- https://www.securex.eu/lex-go.nsf/PrintReferences?OpenAgent&Cat2=49~~1&Lang=NL
- https://www.jobat.be/nl/artikels/internetcontrole-wat-een-werkgever-niet-mag/
- https://www.vacature.com/nl-be/carriere/groeien/kan-de-werkgever-e-mail-en-internetgebruik-controleren
1
I have accepted this answer because it is the only answer that actually answers the question (the phrase in bold in my post). It also provides relevant information and it is not merely a justification of the actions of the network administrator (which I had already stated that I had no issue with apart from a sincere concern about the procedure). Even though AdzzzUK's has the most upvotes, this answer is what I was looking for.
â ElGringoMagnifico
Aug 14 at 8:44
@ElGringoMagnifico you have asked multiple questions, however. ´However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?´
â Maarten Wachters
Aug 14 at 13:33
add a comment |Â
up vote
72
down vote
I don't see any issues here - the network admins have discovered a risk (high bandwidth usage), identified who it belongs to (easy if the computer name gives it away), or alternatively have identified the AP consuming the traffic, traced it back to an IP address, and realised it was you.
Nothing here is in breach of the GDPR. They don't have data on you, they have data on a device. They are merely acting within their remit to secure the network and identify and mitigate any security risks by identifying the device eating the bandwidth, and notifying its owner (you).
The bottom line is, you connected your personal device to a private network.
You may have had permission to do this, however it's usual that any devices connected must comply with the networks' security policy, and this will always trump any so-called privacy concerns. Syncing data to an external DropBox could be considered a security risk in itself (regardless of whether it's blocked, it's a network the admins have no control over), so your network admins are right to be concerned and completely within their rights to have had a discussion with you.
31
Yes, I'm not familiar with the UK, but this is pretty standard admin... only real problem I see is the admin should have proactively prevented this from happening. They shouldn't assume users know how to manage their own machines. Possibly they got reprimanded and they're taking it out on the OP.
â Kilisi
Aug 13 at 13:07
14
@Kilisi Yes, it does seem rather heavy-handed by the network admin. If it was me, a quiet word usually would suffice in the first instance.
â AdzzzUK
Aug 13 at 13:08
1
First line of the OP, it says "Government institution". So, my assumption is while it may be a closed (corporate) network, there could possibly be links the wider govt. infrastructure too. IT Security is - assume worst case, which is what I've done here.
â AdzzzUK
Aug 13 at 14:27
6
I strongly disagree - The network admins may have established that there was a high network usage ... so what? OP had permission, and with no limits imposed. The network admins are right to have a discussion, but wrong to take any further action.
â UKMonkey
Aug 13 at 19:55
1
@Dan it would be easy to see and routine work to block. Easiest way is security groups on the firewalls. Best guess is the admin are overreacting because now they actually have to do some basic work which isn't what they signed up in govt for.
â Kilisi
Aug 13 at 22:37
 |Â
show 7 more comments
up vote
36
down vote
However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?
You answered your own question. Your laptop is taking up a large amount of bandwidth so that is probable cause for investigation and identifying the source of. How would your company know you accidentally left it on? All they see is someone uploading gigs of data and they want to know who.
In terms of corporate compromise, seeing gigs of data move is a sign of a potential data breach. So they were correct to investigate and identify.
3
Adding to this, I would turn the tables on the network administrator. Why is such a big fuss being made now? It was harmless, and unearthed a potential security breach. A monitoring agent should have automatically raised an alert for the admin and denied network access to that MAC address. Instead OP was able to download continuously for several WEEKS. Perhaps the network department is embarrassed and lashing out. I would not allow any action to be taken against me and involve my manager.
â LVDV
Aug 14 at 8:25
2
@LVDV I asked them the same questions but the answer was simply: "that is too much work to implement, and you'll find a way around it anyway" and "we've only just now seen this traffic". Considering I'm likely to be called into the security officer's office for this, I'm planning on suggesting these improvements to the network (it is actually part of my job to do so). And no, I have no intention of allowing action to be taken against me, but I do plan on solving this issue within the network.
â ElGringoMagnifico
Aug 14 at 9:39
add a comment |Â
up vote
9
down vote
Ignoring GDPR which I don't think will help you; You stated:
- the company has said they have a wifi which is for personal device use; but then failed to apply a data limit or a "fair use" policy.
This means that the IT team don't have any route to complain - as long as no data you downloaded is illegal - for example videos that you don't have the rights to.
- You turned up and downloaded a large amount of data; in the background. Ie you have not spent paid time doing this.
This means your manager can't complain, because you didn't spend any man hours doing this.
From these, I don't see any reason why anyone can take any action at all against you; and I would strongly resist any "action" against you. If they complain at all, I would say that the way forward is to change the policy which they can THEN enforce, as you've not broken any law, and policies not written can't be enforced.
Depending on what "appropriate action" they take, I'd be prepared to fight it, because there is no reason this should go on your record.
I agree. I don't understand the apologetic tone in this question - because I was at fault etc.
â ugoren
Aug 13 at 19:25
1
Actually, I think he uploaded gigs of data. That's a bit scary for a business, because it's exactly what a breach would involve.
â Martin Bonner
Aug 14 at 7:26
1
Uploading 100 GB of data is the kind of thing that gets policies changed. And in the UK, it would be seen as "taking the piss" and getting you into IT's bad books. Their job is getting the company dataflow running, if your laptop interferes with that they absolutely have the right to ban your private laptop from your networks.
â gnasher729
Aug 14 at 8:21
@MartinBonner No, it was downloading. OP states they had reinstalled the OS and it was syncing dropbox - ie downloading only. Even if they were uploading, so what? If they think it's a security risk, then they should add a policy. Warnings stick, and can be provided by HR as part of a reference ....
â UKMonkey
Aug 14 at 10:57
@gnasher729 if the personal wifi that the company has set up is impacting the non-personal wifi, then IT absolutely need to be replaced, and they've got no place in banning a laptop because they're too incompetent to set up separate networks, QoS or even just a written policy.
â UKMonkey
Aug 14 at 10:59
 |Â
show 1 more comment
up vote
7
down vote
Also Belgian here with some GDPR insight.
The only thing here that could be perceived in this situation, barring that they have not checked which data you've sent to your dropbox is your IP address.
Even then the European Commission classifies the following under personal digital data (more info EU Data Protection Directive 95/46/EC).
- Metadata
- Email addresses
- Social media details and data attributed to them
- IP addresses (edge case)
Whilst logging IP addresses is not allowed anymore (under the assumption that location could be derived from it), inside your own company network you are absent from this. From the protocol the network administrator has followed, he simply followed the bandwidth usage and traced it back to you. Which is completely legal.
So whilst yes, IP addresses could be perceived as personal data it is still an edge case in many uses. And this one seems completely fair.
2
Logging IP addresses is still allowed under GDPR, but only if you explicitly document why (purpose, etc) and on which legal foundation (one of the foundations defined in GDPR), and that you don't store it longer than necessary for the defined purpose(s).
â Mark Rotteveel
Aug 14 at 10:49
@MarkRotteveel You raise a good point, I am not an expert / professional on this topic. But from my understanding within the confinements presented by the EC there is still much a gray zone about wether or not you could store them and wether or not they fit within your purpose limitation.
â Maarten Wachters
Aug 14 at 12:08
1
As far as I know (but IANAL), the GDPR doesn't forbid anything, it just requires that you explicitly document what, why, for how long, and which legal ground you apply. If there isn't a solid legal ground, then your only remaining option is asking for explicit permission (which brings some additional constraints). Not having documented your use, or exceeding those constraints is what is forbidden and punishable.
â Mark Rotteveel
Aug 14 at 12:15
Please feel free to edit the OP to include this information.
â Maarten Wachters
Aug 14 at 12:17
add a comment |Â
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
12
down vote
accepted
One thing, in general Belgium has always been one of the more strict countries with respect to privacy, GDPR changed very little to none about that. There are multiple privacy-related issues that are not covered by GDPR (which focus on data protection) but are covered by Belgian laws.
There are two very important principles that apply here from both belgian law and CAO's (collective employment agreements):
- The employer cannot do this without express consent. Typically this consent is part of your contract or work policy (arbeidsreglement). If such consent was never given this practice is almost always considered illegal.
- Given 1, there is also something called the 'proportionality' principle. If the main concern was the data usage and they only monitored your device's usage, that's likely okay. However if they got a lot further and they monitored the exact content and services they used that's very likely not acceptable. If their main worry was however security that may be more acceptable but that argument may be a hard sell since you're talking about a BYOD network.
These are old rules (pre-GDPR) that have been tested in court multiple times. GDPR actually only makes these rules stronger, e.g. it is assumed the 'consent' part cannot be simply be 'your internet usage will be monitored' but must be more precise. Also if monitoring is applied (and allowed) GDPR adds stricter rules on retention of that data and so on. However, it is to be determined how all that will hold up in court.
Some sources for all this (dutch):
- https://www.securex.eu/lex-go.nsf/PrintReferences?OpenAgent&Cat2=49~~1&Lang=NL
- https://www.jobat.be/nl/artikels/internetcontrole-wat-een-werkgever-niet-mag/
- https://www.vacature.com/nl-be/carriere/groeien/kan-de-werkgever-e-mail-en-internetgebruik-controleren
1
I have accepted this answer because it is the only answer that actually answers the question (the phrase in bold in my post). It also provides relevant information and it is not merely a justification of the actions of the network administrator (which I had already stated that I had no issue with apart from a sincere concern about the procedure). Even though AdzzzUK's has the most upvotes, this answer is what I was looking for.
â ElGringoMagnifico
Aug 14 at 8:44
@ElGringoMagnifico you have asked multiple questions, however. ´However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?´
â Maarten Wachters
Aug 14 at 13:33
add a comment |Â
up vote
12
down vote
accepted
One thing, in general Belgium has always been one of the more strict countries with respect to privacy, GDPR changed very little to none about that. There are multiple privacy-related issues that are not covered by GDPR (which focus on data protection) but are covered by Belgian laws.
There are two very important principles that apply here from both belgian law and CAO's (collective employment agreements):
- The employer cannot do this without express consent. Typically this consent is part of your contract or work policy (arbeidsreglement). If such consent was never given this practice is almost always considered illegal.
- Given 1, there is also something called the 'proportionality' principle. If the main concern was the data usage and they only monitored your device's usage, that's likely okay. However if they got a lot further and they monitored the exact content and services they used that's very likely not acceptable. If their main worry was however security that may be more acceptable but that argument may be a hard sell since you're talking about a BYOD network.
These are old rules (pre-GDPR) that have been tested in court multiple times. GDPR actually only makes these rules stronger, e.g. it is assumed the 'consent' part cannot be simply be 'your internet usage will be monitored' but must be more precise. Also if monitoring is applied (and allowed) GDPR adds stricter rules on retention of that data and so on. However, it is to be determined how all that will hold up in court.
Some sources for all this (dutch):
- https://www.securex.eu/lex-go.nsf/PrintReferences?OpenAgent&Cat2=49~~1&Lang=NL
- https://www.jobat.be/nl/artikels/internetcontrole-wat-een-werkgever-niet-mag/
- https://www.vacature.com/nl-be/carriere/groeien/kan-de-werkgever-e-mail-en-internetgebruik-controleren
1
I have accepted this answer because it is the only answer that actually answers the question (the phrase in bold in my post). It also provides relevant information and it is not merely a justification of the actions of the network administrator (which I had already stated that I had no issue with apart from a sincere concern about the procedure). Even though AdzzzUK's has the most upvotes, this answer is what I was looking for.
â ElGringoMagnifico
Aug 14 at 8:44
@ElGringoMagnifico you have asked multiple questions, however. ´However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?´
â Maarten Wachters
Aug 14 at 13:33
add a comment |Â
up vote
12
down vote
accepted
up vote
12
down vote
accepted
One thing, in general Belgium has always been one of the more strict countries with respect to privacy, GDPR changed very little to none about that. There are multiple privacy-related issues that are not covered by GDPR (which focus on data protection) but are covered by Belgian laws.
There are two very important principles that apply here from both belgian law and CAO's (collective employment agreements):
- The employer cannot do this without express consent. Typically this consent is part of your contract or work policy (arbeidsreglement). If such consent was never given this practice is almost always considered illegal.
- Given 1, there is also something called the 'proportionality' principle. If the main concern was the data usage and they only monitored your device's usage, that's likely okay. However if they got a lot further and they monitored the exact content and services they used that's very likely not acceptable. If their main worry was however security that may be more acceptable but that argument may be a hard sell since you're talking about a BYOD network.
These are old rules (pre-GDPR) that have been tested in court multiple times. GDPR actually only makes these rules stronger, e.g. it is assumed the 'consent' part cannot be simply be 'your internet usage will be monitored' but must be more precise. Also if monitoring is applied (and allowed) GDPR adds stricter rules on retention of that data and so on. However, it is to be determined how all that will hold up in court.
Some sources for all this (dutch):
- https://www.securex.eu/lex-go.nsf/PrintReferences?OpenAgent&Cat2=49~~1&Lang=NL
- https://www.jobat.be/nl/artikels/internetcontrole-wat-een-werkgever-niet-mag/
- https://www.vacature.com/nl-be/carriere/groeien/kan-de-werkgever-e-mail-en-internetgebruik-controleren
One thing, in general Belgium has always been one of the more strict countries with respect to privacy, GDPR changed very little to none about that. There are multiple privacy-related issues that are not covered by GDPR (which focus on data protection) but are covered by Belgian laws.
There are two very important principles that apply here from both belgian law and CAO's (collective employment agreements):
- The employer cannot do this without express consent. Typically this consent is part of your contract or work policy (arbeidsreglement). If such consent was never given this practice is almost always considered illegal.
- Given 1, there is also something called the 'proportionality' principle. If the main concern was the data usage and they only monitored your device's usage, that's likely okay. However if they got a lot further and they monitored the exact content and services they used that's very likely not acceptable. If their main worry was however security that may be more acceptable but that argument may be a hard sell since you're talking about a BYOD network.
These are old rules (pre-GDPR) that have been tested in court multiple times. GDPR actually only makes these rules stronger, e.g. it is assumed the 'consent' part cannot be simply be 'your internet usage will be monitored' but must be more precise. Also if monitoring is applied (and allowed) GDPR adds stricter rules on retention of that data and so on. However, it is to be determined how all that will hold up in court.
Some sources for all this (dutch):
- https://www.securex.eu/lex-go.nsf/PrintReferences?OpenAgent&Cat2=49~~1&Lang=NL
- https://www.jobat.be/nl/artikels/internetcontrole-wat-een-werkgever-niet-mag/
- https://www.vacature.com/nl-be/carriere/groeien/kan-de-werkgever-e-mail-en-internetgebruik-controleren
answered Aug 14 at 8:38
KillianDS
33929
33929
1
I have accepted this answer because it is the only answer that actually answers the question (the phrase in bold in my post). It also provides relevant information and it is not merely a justification of the actions of the network administrator (which I had already stated that I had no issue with apart from a sincere concern about the procedure). Even though AdzzzUK's has the most upvotes, this answer is what I was looking for.
â ElGringoMagnifico
Aug 14 at 8:44
@ElGringoMagnifico you have asked multiple questions, however. ´However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?´
â Maarten Wachters
Aug 14 at 13:33
add a comment |Â
1
I have accepted this answer because it is the only answer that actually answers the question (the phrase in bold in my post). It also provides relevant information and it is not merely a justification of the actions of the network administrator (which I had already stated that I had no issue with apart from a sincere concern about the procedure). Even though AdzzzUK's has the most upvotes, this answer is what I was looking for.
â ElGringoMagnifico
Aug 14 at 8:44
@ElGringoMagnifico you have asked multiple questions, however. ´However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?´
â Maarten Wachters
Aug 14 at 13:33
1
1
I have accepted this answer because it is the only answer that actually answers the question (the phrase in bold in my post). It also provides relevant information and it is not merely a justification of the actions of the network administrator (which I had already stated that I had no issue with apart from a sincere concern about the procedure). Even though AdzzzUK's has the most upvotes, this answer is what I was looking for.
â ElGringoMagnifico
Aug 14 at 8:44
I have accepted this answer because it is the only answer that actually answers the question (the phrase in bold in my post). It also provides relevant information and it is not merely a justification of the actions of the network administrator (which I had already stated that I had no issue with apart from a sincere concern about the procedure). Even though AdzzzUK's has the most upvotes, this answer is what I was looking for.
â ElGringoMagnifico
Aug 14 at 8:44
@ElGringoMagnifico you have asked multiple questions, however. ´However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?´
â Maarten Wachters
Aug 14 at 13:33
@ElGringoMagnifico you have asked multiple questions, however. ´However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?´
â Maarten Wachters
Aug 14 at 13:33
add a comment |Â
up vote
72
down vote
I don't see any issues here - the network admins have discovered a risk (high bandwidth usage), identified who it belongs to (easy if the computer name gives it away), or alternatively have identified the AP consuming the traffic, traced it back to an IP address, and realised it was you.
Nothing here is in breach of the GDPR. They don't have data on you, they have data on a device. They are merely acting within their remit to secure the network and identify and mitigate any security risks by identifying the device eating the bandwidth, and notifying its owner (you).
The bottom line is, you connected your personal device to a private network.
You may have had permission to do this, however it's usual that any devices connected must comply with the networks' security policy, and this will always trump any so-called privacy concerns. Syncing data to an external DropBox could be considered a security risk in itself (regardless of whether it's blocked, it's a network the admins have no control over), so your network admins are right to be concerned and completely within their rights to have had a discussion with you.
31
Yes, I'm not familiar with the UK, but this is pretty standard admin... only real problem I see is the admin should have proactively prevented this from happening. They shouldn't assume users know how to manage their own machines. Possibly they got reprimanded and they're taking it out on the OP.
â Kilisi
Aug 13 at 13:07
14
@Kilisi Yes, it does seem rather heavy-handed by the network admin. If it was me, a quiet word usually would suffice in the first instance.
â AdzzzUK
Aug 13 at 13:08
1
First line of the OP, it says "Government institution". So, my assumption is while it may be a closed (corporate) network, there could possibly be links the wider govt. infrastructure too. IT Security is - assume worst case, which is what I've done here.
â AdzzzUK
Aug 13 at 14:27
6
I strongly disagree - The network admins may have established that there was a high network usage ... so what? OP had permission, and with no limits imposed. The network admins are right to have a discussion, but wrong to take any further action.
â UKMonkey
Aug 13 at 19:55
1
@Dan it would be easy to see and routine work to block. Easiest way is security groups on the firewalls. Best guess is the admin are overreacting because now they actually have to do some basic work which isn't what they signed up in govt for.
â Kilisi
Aug 13 at 22:37
 |Â
show 7 more comments
up vote
72
down vote
I don't see any issues here - the network admins have discovered a risk (high bandwidth usage), identified who it belongs to (easy if the computer name gives it away), or alternatively have identified the AP consuming the traffic, traced it back to an IP address, and realised it was you.
Nothing here is in breach of the GDPR. They don't have data on you, they have data on a device. They are merely acting within their remit to secure the network and identify and mitigate any security risks by identifying the device eating the bandwidth, and notifying its owner (you).
The bottom line is, you connected your personal device to a private network.
You may have had permission to do this, however it's usual that any devices connected must comply with the networks' security policy, and this will always trump any so-called privacy concerns. Syncing data to an external DropBox could be considered a security risk in itself (regardless of whether it's blocked, it's a network the admins have no control over), so your network admins are right to be concerned and completely within their rights to have had a discussion with you.
31
Yes, I'm not familiar with the UK, but this is pretty standard admin... only real problem I see is the admin should have proactively prevented this from happening. They shouldn't assume users know how to manage their own machines. Possibly they got reprimanded and they're taking it out on the OP.
â Kilisi
Aug 13 at 13:07
14
@Kilisi Yes, it does seem rather heavy-handed by the network admin. If it was me, a quiet word usually would suffice in the first instance.
â AdzzzUK
Aug 13 at 13:08
1
First line of the OP, it says "Government institution". So, my assumption is while it may be a closed (corporate) network, there could possibly be links the wider govt. infrastructure too. IT Security is - assume worst case, which is what I've done here.
â AdzzzUK
Aug 13 at 14:27
6
I strongly disagree - The network admins may have established that there was a high network usage ... so what? OP had permission, and with no limits imposed. The network admins are right to have a discussion, but wrong to take any further action.
â UKMonkey
Aug 13 at 19:55
1
@Dan it would be easy to see and routine work to block. Easiest way is security groups on the firewalls. Best guess is the admin are overreacting because now they actually have to do some basic work which isn't what they signed up in govt for.
â Kilisi
Aug 13 at 22:37
 |Â
show 7 more comments
up vote
72
down vote
up vote
72
down vote
I don't see any issues here - the network admins have discovered a risk (high bandwidth usage), identified who it belongs to (easy if the computer name gives it away), or alternatively have identified the AP consuming the traffic, traced it back to an IP address, and realised it was you.
Nothing here is in breach of the GDPR. They don't have data on you, they have data on a device. They are merely acting within their remit to secure the network and identify and mitigate any security risks by identifying the device eating the bandwidth, and notifying its owner (you).
The bottom line is, you connected your personal device to a private network.
You may have had permission to do this, however it's usual that any devices connected must comply with the networks' security policy, and this will always trump any so-called privacy concerns. Syncing data to an external DropBox could be considered a security risk in itself (regardless of whether it's blocked, it's a network the admins have no control over), so your network admins are right to be concerned and completely within their rights to have had a discussion with you.
I don't see any issues here - the network admins have discovered a risk (high bandwidth usage), identified who it belongs to (easy if the computer name gives it away), or alternatively have identified the AP consuming the traffic, traced it back to an IP address, and realised it was you.
Nothing here is in breach of the GDPR. They don't have data on you, they have data on a device. They are merely acting within their remit to secure the network and identify and mitigate any security risks by identifying the device eating the bandwidth, and notifying its owner (you).
The bottom line is, you connected your personal device to a private network.
You may have had permission to do this, however it's usual that any devices connected must comply with the networks' security policy, and this will always trump any so-called privacy concerns. Syncing data to an external DropBox could be considered a security risk in itself (regardless of whether it's blocked, it's a network the admins have no control over), so your network admins are right to be concerned and completely within their rights to have had a discussion with you.
edited Aug 13 at 14:32
answered Aug 13 at 12:51
AdzzzUK
3,0983714
3,0983714
31
Yes, I'm not familiar with the UK, but this is pretty standard admin... only real problem I see is the admin should have proactively prevented this from happening. They shouldn't assume users know how to manage their own machines. Possibly they got reprimanded and they're taking it out on the OP.
â Kilisi
Aug 13 at 13:07
14
@Kilisi Yes, it does seem rather heavy-handed by the network admin. If it was me, a quiet word usually would suffice in the first instance.
â AdzzzUK
Aug 13 at 13:08
1
First line of the OP, it says "Government institution". So, my assumption is while it may be a closed (corporate) network, there could possibly be links the wider govt. infrastructure too. IT Security is - assume worst case, which is what I've done here.
â AdzzzUK
Aug 13 at 14:27
6
I strongly disagree - The network admins may have established that there was a high network usage ... so what? OP had permission, and with no limits imposed. The network admins are right to have a discussion, but wrong to take any further action.
â UKMonkey
Aug 13 at 19:55
1
@Dan it would be easy to see and routine work to block. Easiest way is security groups on the firewalls. Best guess is the admin are overreacting because now they actually have to do some basic work which isn't what they signed up in govt for.
â Kilisi
Aug 13 at 22:37
 |Â
show 7 more comments
31
Yes, I'm not familiar with the UK, but this is pretty standard admin... only real problem I see is the admin should have proactively prevented this from happening. They shouldn't assume users know how to manage their own machines. Possibly they got reprimanded and they're taking it out on the OP.
â Kilisi
Aug 13 at 13:07
14
@Kilisi Yes, it does seem rather heavy-handed by the network admin. If it was me, a quiet word usually would suffice in the first instance.
â AdzzzUK
Aug 13 at 13:08
1
First line of the OP, it says "Government institution". So, my assumption is while it may be a closed (corporate) network, there could possibly be links the wider govt. infrastructure too. IT Security is - assume worst case, which is what I've done here.
â AdzzzUK
Aug 13 at 14:27
6
I strongly disagree - The network admins may have established that there was a high network usage ... so what? OP had permission, and with no limits imposed. The network admins are right to have a discussion, but wrong to take any further action.
â UKMonkey
Aug 13 at 19:55
1
@Dan it would be easy to see and routine work to block. Easiest way is security groups on the firewalls. Best guess is the admin are overreacting because now they actually have to do some basic work which isn't what they signed up in govt for.
â Kilisi
Aug 13 at 22:37
31
31
Yes, I'm not familiar with the UK, but this is pretty standard admin... only real problem I see is the admin should have proactively prevented this from happening. They shouldn't assume users know how to manage their own machines. Possibly they got reprimanded and they're taking it out on the OP.
â Kilisi
Aug 13 at 13:07
Yes, I'm not familiar with the UK, but this is pretty standard admin... only real problem I see is the admin should have proactively prevented this from happening. They shouldn't assume users know how to manage their own machines. Possibly they got reprimanded and they're taking it out on the OP.
â Kilisi
Aug 13 at 13:07
14
14
@Kilisi Yes, it does seem rather heavy-handed by the network admin. If it was me, a quiet word usually would suffice in the first instance.
â AdzzzUK
Aug 13 at 13:08
@Kilisi Yes, it does seem rather heavy-handed by the network admin. If it was me, a quiet word usually would suffice in the first instance.
â AdzzzUK
Aug 13 at 13:08
1
1
First line of the OP, it says "Government institution". So, my assumption is while it may be a closed (corporate) network, there could possibly be links the wider govt. infrastructure too. IT Security is - assume worst case, which is what I've done here.
â AdzzzUK
Aug 13 at 14:27
First line of the OP, it says "Government institution". So, my assumption is while it may be a closed (corporate) network, there could possibly be links the wider govt. infrastructure too. IT Security is - assume worst case, which is what I've done here.
â AdzzzUK
Aug 13 at 14:27
6
6
I strongly disagree - The network admins may have established that there was a high network usage ... so what? OP had permission, and with no limits imposed. The network admins are right to have a discussion, but wrong to take any further action.
â UKMonkey
Aug 13 at 19:55
I strongly disagree - The network admins may have established that there was a high network usage ... so what? OP had permission, and with no limits imposed. The network admins are right to have a discussion, but wrong to take any further action.
â UKMonkey
Aug 13 at 19:55
1
1
@Dan it would be easy to see and routine work to block. Easiest way is security groups on the firewalls. Best guess is the admin are overreacting because now they actually have to do some basic work which isn't what they signed up in govt for.
â Kilisi
Aug 13 at 22:37
@Dan it would be easy to see and routine work to block. Easiest way is security groups on the firewalls. Best guess is the admin are overreacting because now they actually have to do some basic work which isn't what they signed up in govt for.
â Kilisi
Aug 13 at 22:37
 |Â
show 7 more comments
up vote
36
down vote
However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?
You answered your own question. Your laptop is taking up a large amount of bandwidth so that is probable cause for investigation and identifying the source of. How would your company know you accidentally left it on? All they see is someone uploading gigs of data and they want to know who.
In terms of corporate compromise, seeing gigs of data move is a sign of a potential data breach. So they were correct to investigate and identify.
3
Adding to this, I would turn the tables on the network administrator. Why is such a big fuss being made now? It was harmless, and unearthed a potential security breach. A monitoring agent should have automatically raised an alert for the admin and denied network access to that MAC address. Instead OP was able to download continuously for several WEEKS. Perhaps the network department is embarrassed and lashing out. I would not allow any action to be taken against me and involve my manager.
â LVDV
Aug 14 at 8:25
2
@LVDV I asked them the same questions but the answer was simply: "that is too much work to implement, and you'll find a way around it anyway" and "we've only just now seen this traffic". Considering I'm likely to be called into the security officer's office for this, I'm planning on suggesting these improvements to the network (it is actually part of my job to do so). And no, I have no intention of allowing action to be taken against me, but I do plan on solving this issue within the network.
â ElGringoMagnifico
Aug 14 at 9:39
add a comment |Â
up vote
36
down vote
However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?
You answered your own question. Your laptop is taking up a large amount of bandwidth so that is probable cause for investigation and identifying the source of. How would your company know you accidentally left it on? All they see is someone uploading gigs of data and they want to know who.
In terms of corporate compromise, seeing gigs of data move is a sign of a potential data breach. So they were correct to investigate and identify.
3
Adding to this, I would turn the tables on the network administrator. Why is such a big fuss being made now? It was harmless, and unearthed a potential security breach. A monitoring agent should have automatically raised an alert for the admin and denied network access to that MAC address. Instead OP was able to download continuously for several WEEKS. Perhaps the network department is embarrassed and lashing out. I would not allow any action to be taken against me and involve my manager.
â LVDV
Aug 14 at 8:25
2
@LVDV I asked them the same questions but the answer was simply: "that is too much work to implement, and you'll find a way around it anyway" and "we've only just now seen this traffic". Considering I'm likely to be called into the security officer's office for this, I'm planning on suggesting these improvements to the network (it is actually part of my job to do so). And no, I have no intention of allowing action to be taken against me, but I do plan on solving this issue within the network.
â ElGringoMagnifico
Aug 14 at 9:39
add a comment |Â
up vote
36
down vote
up vote
36
down vote
However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?
You answered your own question. Your laptop is taking up a large amount of bandwidth so that is probable cause for investigation and identifying the source of. How would your company know you accidentally left it on? All they see is someone uploading gigs of data and they want to know who.
In terms of corporate compromise, seeing gigs of data move is a sign of a potential data breach. So they were correct to investigate and identify.
However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?
You answered your own question. Your laptop is taking up a large amount of bandwidth so that is probable cause for investigation and identifying the source of. How would your company know you accidentally left it on? All they see is someone uploading gigs of data and they want to know who.
In terms of corporate compromise, seeing gigs of data move is a sign of a potential data breach. So they were correct to investigate and identify.
edited Aug 13 at 14:08
answered Aug 13 at 14:03
Dan
4,1371719
4,1371719
3
Adding to this, I would turn the tables on the network administrator. Why is such a big fuss being made now? It was harmless, and unearthed a potential security breach. A monitoring agent should have automatically raised an alert for the admin and denied network access to that MAC address. Instead OP was able to download continuously for several WEEKS. Perhaps the network department is embarrassed and lashing out. I would not allow any action to be taken against me and involve my manager.
â LVDV
Aug 14 at 8:25
2
@LVDV I asked them the same questions but the answer was simply: "that is too much work to implement, and you'll find a way around it anyway" and "we've only just now seen this traffic". Considering I'm likely to be called into the security officer's office for this, I'm planning on suggesting these improvements to the network (it is actually part of my job to do so). And no, I have no intention of allowing action to be taken against me, but I do plan on solving this issue within the network.
â ElGringoMagnifico
Aug 14 at 9:39
add a comment |Â
3
Adding to this, I would turn the tables on the network administrator. Why is such a big fuss being made now? It was harmless, and unearthed a potential security breach. A monitoring agent should have automatically raised an alert for the admin and denied network access to that MAC address. Instead OP was able to download continuously for several WEEKS. Perhaps the network department is embarrassed and lashing out. I would not allow any action to be taken against me and involve my manager.
â LVDV
Aug 14 at 8:25
2
@LVDV I asked them the same questions but the answer was simply: "that is too much work to implement, and you'll find a way around it anyway" and "we've only just now seen this traffic". Considering I'm likely to be called into the security officer's office for this, I'm planning on suggesting these improvements to the network (it is actually part of my job to do so). And no, I have no intention of allowing action to be taken against me, but I do plan on solving this issue within the network.
â ElGringoMagnifico
Aug 14 at 9:39
3
3
Adding to this, I would turn the tables on the network administrator. Why is such a big fuss being made now? It was harmless, and unearthed a potential security breach. A monitoring agent should have automatically raised an alert for the admin and denied network access to that MAC address. Instead OP was able to download continuously for several WEEKS. Perhaps the network department is embarrassed and lashing out. I would not allow any action to be taken against me and involve my manager.
â LVDV
Aug 14 at 8:25
Adding to this, I would turn the tables on the network administrator. Why is such a big fuss being made now? It was harmless, and unearthed a potential security breach. A monitoring agent should have automatically raised an alert for the admin and denied network access to that MAC address. Instead OP was able to download continuously for several WEEKS. Perhaps the network department is embarrassed and lashing out. I would not allow any action to be taken against me and involve my manager.
â LVDV
Aug 14 at 8:25
2
2
@LVDV I asked them the same questions but the answer was simply: "that is too much work to implement, and you'll find a way around it anyway" and "we've only just now seen this traffic". Considering I'm likely to be called into the security officer's office for this, I'm planning on suggesting these improvements to the network (it is actually part of my job to do so). And no, I have no intention of allowing action to be taken against me, but I do plan on solving this issue within the network.
â ElGringoMagnifico
Aug 14 at 9:39
@LVDV I asked them the same questions but the answer was simply: "that is too much work to implement, and you'll find a way around it anyway" and "we've only just now seen this traffic". Considering I'm likely to be called into the security officer's office for this, I'm planning on suggesting these improvements to the network (it is actually part of my job to do so). And no, I have no intention of allowing action to be taken against me, but I do plan on solving this issue within the network.
â ElGringoMagnifico
Aug 14 at 9:39
add a comment |Â
up vote
9
down vote
Ignoring GDPR which I don't think will help you; You stated:
- the company has said they have a wifi which is for personal device use; but then failed to apply a data limit or a "fair use" policy.
This means that the IT team don't have any route to complain - as long as no data you downloaded is illegal - for example videos that you don't have the rights to.
- You turned up and downloaded a large amount of data; in the background. Ie you have not spent paid time doing this.
This means your manager can't complain, because you didn't spend any man hours doing this.
From these, I don't see any reason why anyone can take any action at all against you; and I would strongly resist any "action" against you. If they complain at all, I would say that the way forward is to change the policy which they can THEN enforce, as you've not broken any law, and policies not written can't be enforced.
Depending on what "appropriate action" they take, I'd be prepared to fight it, because there is no reason this should go on your record.
I agree. I don't understand the apologetic tone in this question - because I was at fault etc.
â ugoren
Aug 13 at 19:25
1
Actually, I think he uploaded gigs of data. That's a bit scary for a business, because it's exactly what a breach would involve.
â Martin Bonner
Aug 14 at 7:26
1
Uploading 100 GB of data is the kind of thing that gets policies changed. And in the UK, it would be seen as "taking the piss" and getting you into IT's bad books. Their job is getting the company dataflow running, if your laptop interferes with that they absolutely have the right to ban your private laptop from your networks.
â gnasher729
Aug 14 at 8:21
@MartinBonner No, it was downloading. OP states they had reinstalled the OS and it was syncing dropbox - ie downloading only. Even if they were uploading, so what? If they think it's a security risk, then they should add a policy. Warnings stick, and can be provided by HR as part of a reference ....
â UKMonkey
Aug 14 at 10:57
@gnasher729 if the personal wifi that the company has set up is impacting the non-personal wifi, then IT absolutely need to be replaced, and they've got no place in banning a laptop because they're too incompetent to set up separate networks, QoS or even just a written policy.
â UKMonkey
Aug 14 at 10:59
 |Â
show 1 more comment
up vote
9
down vote
Ignoring GDPR which I don't think will help you; You stated:
- the company has said they have a wifi which is for personal device use; but then failed to apply a data limit or a "fair use" policy.
This means that the IT team don't have any route to complain - as long as no data you downloaded is illegal - for example videos that you don't have the rights to.
- You turned up and downloaded a large amount of data; in the background. Ie you have not spent paid time doing this.
This means your manager can't complain, because you didn't spend any man hours doing this.
From these, I don't see any reason why anyone can take any action at all against you; and I would strongly resist any "action" against you. If they complain at all, I would say that the way forward is to change the policy which they can THEN enforce, as you've not broken any law, and policies not written can't be enforced.
Depending on what "appropriate action" they take, I'd be prepared to fight it, because there is no reason this should go on your record.
I agree. I don't understand the apologetic tone in this question - because I was at fault etc.
â ugoren
Aug 13 at 19:25
1
Actually, I think he uploaded gigs of data. That's a bit scary for a business, because it's exactly what a breach would involve.
â Martin Bonner
Aug 14 at 7:26
1
Uploading 100 GB of data is the kind of thing that gets policies changed. And in the UK, it would be seen as "taking the piss" and getting you into IT's bad books. Their job is getting the company dataflow running, if your laptop interferes with that they absolutely have the right to ban your private laptop from your networks.
â gnasher729
Aug 14 at 8:21
@MartinBonner No, it was downloading. OP states they had reinstalled the OS and it was syncing dropbox - ie downloading only. Even if they were uploading, so what? If they think it's a security risk, then they should add a policy. Warnings stick, and can be provided by HR as part of a reference ....
â UKMonkey
Aug 14 at 10:57
@gnasher729 if the personal wifi that the company has set up is impacting the non-personal wifi, then IT absolutely need to be replaced, and they've got no place in banning a laptop because they're too incompetent to set up separate networks, QoS or even just a written policy.
â UKMonkey
Aug 14 at 10:59
 |Â
show 1 more comment
up vote
9
down vote
up vote
9
down vote
Ignoring GDPR which I don't think will help you; You stated:
- the company has said they have a wifi which is for personal device use; but then failed to apply a data limit or a "fair use" policy.
This means that the IT team don't have any route to complain - as long as no data you downloaded is illegal - for example videos that you don't have the rights to.
- You turned up and downloaded a large amount of data; in the background. Ie you have not spent paid time doing this.
This means your manager can't complain, because you didn't spend any man hours doing this.
From these, I don't see any reason why anyone can take any action at all against you; and I would strongly resist any "action" against you. If they complain at all, I would say that the way forward is to change the policy which they can THEN enforce, as you've not broken any law, and policies not written can't be enforced.
Depending on what "appropriate action" they take, I'd be prepared to fight it, because there is no reason this should go on your record.
Ignoring GDPR which I don't think will help you; You stated:
- the company has said they have a wifi which is for personal device use; but then failed to apply a data limit or a "fair use" policy.
This means that the IT team don't have any route to complain - as long as no data you downloaded is illegal - for example videos that you don't have the rights to.
- You turned up and downloaded a large amount of data; in the background. Ie you have not spent paid time doing this.
This means your manager can't complain, because you didn't spend any man hours doing this.
From these, I don't see any reason why anyone can take any action at all against you; and I would strongly resist any "action" against you. If they complain at all, I would say that the way forward is to change the policy which they can THEN enforce, as you've not broken any law, and policies not written can't be enforced.
Depending on what "appropriate action" they take, I'd be prepared to fight it, because there is no reason this should go on your record.
answered Aug 13 at 16:19
UKMonkey
1,312411
1,312411
I agree. I don't understand the apologetic tone in this question - because I was at fault etc.
â ugoren
Aug 13 at 19:25
1
Actually, I think he uploaded gigs of data. That's a bit scary for a business, because it's exactly what a breach would involve.
â Martin Bonner
Aug 14 at 7:26
1
Uploading 100 GB of data is the kind of thing that gets policies changed. And in the UK, it would be seen as "taking the piss" and getting you into IT's bad books. Their job is getting the company dataflow running, if your laptop interferes with that they absolutely have the right to ban your private laptop from your networks.
â gnasher729
Aug 14 at 8:21
@MartinBonner No, it was downloading. OP states they had reinstalled the OS and it was syncing dropbox - ie downloading only. Even if they were uploading, so what? If they think it's a security risk, then they should add a policy. Warnings stick, and can be provided by HR as part of a reference ....
â UKMonkey
Aug 14 at 10:57
@gnasher729 if the personal wifi that the company has set up is impacting the non-personal wifi, then IT absolutely need to be replaced, and they've got no place in banning a laptop because they're too incompetent to set up separate networks, QoS or even just a written policy.
â UKMonkey
Aug 14 at 10:59
 |Â
show 1 more comment
I agree. I don't understand the apologetic tone in this question - because I was at fault etc.
â ugoren
Aug 13 at 19:25
1
Actually, I think he uploaded gigs of data. That's a bit scary for a business, because it's exactly what a breach would involve.
â Martin Bonner
Aug 14 at 7:26
1
Uploading 100 GB of data is the kind of thing that gets policies changed. And in the UK, it would be seen as "taking the piss" and getting you into IT's bad books. Their job is getting the company dataflow running, if your laptop interferes with that they absolutely have the right to ban your private laptop from your networks.
â gnasher729
Aug 14 at 8:21
@MartinBonner No, it was downloading. OP states they had reinstalled the OS and it was syncing dropbox - ie downloading only. Even if they were uploading, so what? If they think it's a security risk, then they should add a policy. Warnings stick, and can be provided by HR as part of a reference ....
â UKMonkey
Aug 14 at 10:57
@gnasher729 if the personal wifi that the company has set up is impacting the non-personal wifi, then IT absolutely need to be replaced, and they've got no place in banning a laptop because they're too incompetent to set up separate networks, QoS or even just a written policy.
â UKMonkey
Aug 14 at 10:59
I agree. I don't understand the apologetic tone in this question - because I was at fault etc.
â ugoren
Aug 13 at 19:25
I agree. I don't understand the apologetic tone in this question - because I was at fault etc.
â ugoren
Aug 13 at 19:25
1
1
Actually, I think he uploaded gigs of data. That's a bit scary for a business, because it's exactly what a breach would involve.
â Martin Bonner
Aug 14 at 7:26
Actually, I think he uploaded gigs of data. That's a bit scary for a business, because it's exactly what a breach would involve.
â Martin Bonner
Aug 14 at 7:26
1
1
Uploading 100 GB of data is the kind of thing that gets policies changed. And in the UK, it would be seen as "taking the piss" and getting you into IT's bad books. Their job is getting the company dataflow running, if your laptop interferes with that they absolutely have the right to ban your private laptop from your networks.
â gnasher729
Aug 14 at 8:21
Uploading 100 GB of data is the kind of thing that gets policies changed. And in the UK, it would be seen as "taking the piss" and getting you into IT's bad books. Their job is getting the company dataflow running, if your laptop interferes with that they absolutely have the right to ban your private laptop from your networks.
â gnasher729
Aug 14 at 8:21
@MartinBonner No, it was downloading. OP states they had reinstalled the OS and it was syncing dropbox - ie downloading only. Even if they were uploading, so what? If they think it's a security risk, then they should add a policy. Warnings stick, and can be provided by HR as part of a reference ....
â UKMonkey
Aug 14 at 10:57
@MartinBonner No, it was downloading. OP states they had reinstalled the OS and it was syncing dropbox - ie downloading only. Even if they were uploading, so what? If they think it's a security risk, then they should add a policy. Warnings stick, and can be provided by HR as part of a reference ....
â UKMonkey
Aug 14 at 10:57
@gnasher729 if the personal wifi that the company has set up is impacting the non-personal wifi, then IT absolutely need to be replaced, and they've got no place in banning a laptop because they're too incompetent to set up separate networks, QoS or even just a written policy.
â UKMonkey
Aug 14 at 10:59
@gnasher729 if the personal wifi that the company has set up is impacting the non-personal wifi, then IT absolutely need to be replaced, and they've got no place in banning a laptop because they're too incompetent to set up separate networks, QoS or even just a written policy.
â UKMonkey
Aug 14 at 10:59
 |Â
show 1 more comment
up vote
7
down vote
Also Belgian here with some GDPR insight.
The only thing here that could be perceived in this situation, barring that they have not checked which data you've sent to your dropbox is your IP address.
Even then the European Commission classifies the following under personal digital data (more info EU Data Protection Directive 95/46/EC).
- Metadata
- Email addresses
- Social media details and data attributed to them
- IP addresses (edge case)
Whilst logging IP addresses is not allowed anymore (under the assumption that location could be derived from it), inside your own company network you are absent from this. From the protocol the network administrator has followed, he simply followed the bandwidth usage and traced it back to you. Which is completely legal.
So whilst yes, IP addresses could be perceived as personal data it is still an edge case in many uses. And this one seems completely fair.
2
Logging IP addresses is still allowed under GDPR, but only if you explicitly document why (purpose, etc) and on which legal foundation (one of the foundations defined in GDPR), and that you don't store it longer than necessary for the defined purpose(s).
â Mark Rotteveel
Aug 14 at 10:49
@MarkRotteveel You raise a good point, I am not an expert / professional on this topic. But from my understanding within the confinements presented by the EC there is still much a gray zone about wether or not you could store them and wether or not they fit within your purpose limitation.
â Maarten Wachters
Aug 14 at 12:08
1
As far as I know (but IANAL), the GDPR doesn't forbid anything, it just requires that you explicitly document what, why, for how long, and which legal ground you apply. If there isn't a solid legal ground, then your only remaining option is asking for explicit permission (which brings some additional constraints). Not having documented your use, or exceeding those constraints is what is forbidden and punishable.
â Mark Rotteveel
Aug 14 at 12:15
Please feel free to edit the OP to include this information.
â Maarten Wachters
Aug 14 at 12:17
add a comment |Â
up vote
7
down vote
Also Belgian here with some GDPR insight.
The only thing here that could be perceived in this situation, barring that they have not checked which data you've sent to your dropbox is your IP address.
Even then the European Commission classifies the following under personal digital data (more info EU Data Protection Directive 95/46/EC).
- Metadata
- Email addresses
- Social media details and data attributed to them
- IP addresses (edge case)
Whilst logging IP addresses is not allowed anymore (under the assumption that location could be derived from it), inside your own company network you are absent from this. From the protocol the network administrator has followed, he simply followed the bandwidth usage and traced it back to you. Which is completely legal.
So whilst yes, IP addresses could be perceived as personal data it is still an edge case in many uses. And this one seems completely fair.
2
Logging IP addresses is still allowed under GDPR, but only if you explicitly document why (purpose, etc) and on which legal foundation (one of the foundations defined in GDPR), and that you don't store it longer than necessary for the defined purpose(s).
â Mark Rotteveel
Aug 14 at 10:49
@MarkRotteveel You raise a good point, I am not an expert / professional on this topic. But from my understanding within the confinements presented by the EC there is still much a gray zone about wether or not you could store them and wether or not they fit within your purpose limitation.
â Maarten Wachters
Aug 14 at 12:08
1
As far as I know (but IANAL), the GDPR doesn't forbid anything, it just requires that you explicitly document what, why, for how long, and which legal ground you apply. If there isn't a solid legal ground, then your only remaining option is asking for explicit permission (which brings some additional constraints). Not having documented your use, or exceeding those constraints is what is forbidden and punishable.
â Mark Rotteveel
Aug 14 at 12:15
Please feel free to edit the OP to include this information.
â Maarten Wachters
Aug 14 at 12:17
add a comment |Â
up vote
7
down vote
up vote
7
down vote
Also Belgian here with some GDPR insight.
The only thing here that could be perceived in this situation, barring that they have not checked which data you've sent to your dropbox is your IP address.
Even then the European Commission classifies the following under personal digital data (more info EU Data Protection Directive 95/46/EC).
- Metadata
- Email addresses
- Social media details and data attributed to them
- IP addresses (edge case)
Whilst logging IP addresses is not allowed anymore (under the assumption that location could be derived from it), inside your own company network you are absent from this. From the protocol the network administrator has followed, he simply followed the bandwidth usage and traced it back to you. Which is completely legal.
So whilst yes, IP addresses could be perceived as personal data it is still an edge case in many uses. And this one seems completely fair.
Also Belgian here with some GDPR insight.
The only thing here that could be perceived in this situation, barring that they have not checked which data you've sent to your dropbox is your IP address.
Even then the European Commission classifies the following under personal digital data (more info EU Data Protection Directive 95/46/EC).
- Metadata
- Email addresses
- Social media details and data attributed to them
- IP addresses (edge case)
Whilst logging IP addresses is not allowed anymore (under the assumption that location could be derived from it), inside your own company network you are absent from this. From the protocol the network administrator has followed, he simply followed the bandwidth usage and traced it back to you. Which is completely legal.
So whilst yes, IP addresses could be perceived as personal data it is still an edge case in many uses. And this one seems completely fair.
answered Aug 13 at 14:56
Maarten Wachters
1426
1426
2
Logging IP addresses is still allowed under GDPR, but only if you explicitly document why (purpose, etc) and on which legal foundation (one of the foundations defined in GDPR), and that you don't store it longer than necessary for the defined purpose(s).
â Mark Rotteveel
Aug 14 at 10:49
@MarkRotteveel You raise a good point, I am not an expert / professional on this topic. But from my understanding within the confinements presented by the EC there is still much a gray zone about wether or not you could store them and wether or not they fit within your purpose limitation.
â Maarten Wachters
Aug 14 at 12:08
1
As far as I know (but IANAL), the GDPR doesn't forbid anything, it just requires that you explicitly document what, why, for how long, and which legal ground you apply. If there isn't a solid legal ground, then your only remaining option is asking for explicit permission (which brings some additional constraints). Not having documented your use, or exceeding those constraints is what is forbidden and punishable.
â Mark Rotteveel
Aug 14 at 12:15
Please feel free to edit the OP to include this information.
â Maarten Wachters
Aug 14 at 12:17
add a comment |Â
2
Logging IP addresses is still allowed under GDPR, but only if you explicitly document why (purpose, etc) and on which legal foundation (one of the foundations defined in GDPR), and that you don't store it longer than necessary for the defined purpose(s).
â Mark Rotteveel
Aug 14 at 10:49
@MarkRotteveel You raise a good point, I am not an expert / professional on this topic. But from my understanding within the confinements presented by the EC there is still much a gray zone about wether or not you could store them and wether or not they fit within your purpose limitation.
â Maarten Wachters
Aug 14 at 12:08
1
As far as I know (but IANAL), the GDPR doesn't forbid anything, it just requires that you explicitly document what, why, for how long, and which legal ground you apply. If there isn't a solid legal ground, then your only remaining option is asking for explicit permission (which brings some additional constraints). Not having documented your use, or exceeding those constraints is what is forbidden and punishable.
â Mark Rotteveel
Aug 14 at 12:15
Please feel free to edit the OP to include this information.
â Maarten Wachters
Aug 14 at 12:17
2
2
Logging IP addresses is still allowed under GDPR, but only if you explicitly document why (purpose, etc) and on which legal foundation (one of the foundations defined in GDPR), and that you don't store it longer than necessary for the defined purpose(s).
â Mark Rotteveel
Aug 14 at 10:49
Logging IP addresses is still allowed under GDPR, but only if you explicitly document why (purpose, etc) and on which legal foundation (one of the foundations defined in GDPR), and that you don't store it longer than necessary for the defined purpose(s).
â Mark Rotteveel
Aug 14 at 10:49
@MarkRotteveel You raise a good point, I am not an expert / professional on this topic. But from my understanding within the confinements presented by the EC there is still much a gray zone about wether or not you could store them and wether or not they fit within your purpose limitation.
â Maarten Wachters
Aug 14 at 12:08
@MarkRotteveel You raise a good point, I am not an expert / professional on this topic. But from my understanding within the confinements presented by the EC there is still much a gray zone about wether or not you could store them and wether or not they fit within your purpose limitation.
â Maarten Wachters
Aug 14 at 12:08
1
1
As far as I know (but IANAL), the GDPR doesn't forbid anything, it just requires that you explicitly document what, why, for how long, and which legal ground you apply. If there isn't a solid legal ground, then your only remaining option is asking for explicit permission (which brings some additional constraints). Not having documented your use, or exceeding those constraints is what is forbidden and punishable.
â Mark Rotteveel
Aug 14 at 12:15
As far as I know (but IANAL), the GDPR doesn't forbid anything, it just requires that you explicitly document what, why, for how long, and which legal ground you apply. If there isn't a solid legal ground, then your only remaining option is asking for explicit permission (which brings some additional constraints). Not having documented your use, or exceeding those constraints is what is forbidden and punishable.
â Mark Rotteveel
Aug 14 at 12:15
Please feel free to edit the OP to include this information.
â Maarten Wachters
Aug 14 at 12:17
Please feel free to edit the OP to include this information.
â Maarten Wachters
Aug 14 at 12:17
add a comment |Â
2
Comments are not for extended discussion; this conversation has been moved to chat.
â Snowâ¦
Aug 14 at 8:42
3
100 GB over multiple weeks that was a result of syncing files you use at work? This sounds like reasonable network traffic that was in line with your responsibilities. Why are you getting disciplined?
â Glen Pierce
Aug 14 at 13:40