Viewing 40 posts - 1 through 40 (of 43 total)
  • I think I'm being asked to break the law (legal advice please).
  • fin25
    Free Member

    I work in a children’s home (for 11-17 year olds with emotional/behavioural difficulties). The young people have a shared computer in the home, content filtered via a proxy server, which they all use to go on Facebook etc. As part of the risk assessment for this, we use Cybersentinel software to monitor their internet use and flag up anything dodgy (bullying/grooming etc.).
    My supervisor is asking me to use this software to monitor all the young people’s public and private internet use on a weekly basis. This is where my dilemma lies. I was under the impression that organs of the state (which we are) could not arbitrarily invade people’s privacy in this manner. I feel as though we are using this technology as a bit of a short cut, as in we might get lucky with what we find, as opposed to using our skills working face to face with the young people to recognise and solve issues.
    I’m not saying that this kind of monitoring doesn’t have a place, but surely we should only be looking at people’s personal communications if we have reason to believe they are in some sort of danger, and only after multi-agency agreement or with the informed consent of the young person in question?
    Opinions from the STW would be greatly appreciated, even if I am exposed as a fool…

    camo16
    Free Member

    When you say ‘monitor all the young people’s public and private internet use’, you mean logging which sites they visit, what they do there etc etc, or just how long they use the Internet each week? Sounds dodgy to me, presuming that you don’t have consent from the users or their families…

    fin25
    Free Member

    It logs a screenshot any time anyone uses foul or sexualised language (which is nearly every conversation a teenager has) and lists all the sites they visit. The young people all sign an agreement which states that use can be monitored, but it is very vague and I don’t feel that the young people fully understand what that means.

    cchris2lou
    Full Member

    I work in a special needs school, not directly with the students, but I am aware of the rules for IT.

    They are not allowed to go on Facebook or any other social networks.
    Staff must monitor all the IT activities, and in extreme cases they are allowed to unplug the PC to shut it down, even if it damages the equipment.

    The only phones allowed don’t have 3G.

    Cougar
    Full Member

    Legally, you can monitor their usage so long as you tell them you’re doing it; you can’t do it in secret.

    How that translates to minors I’m not sure.

    fin25
    Free Member

    This is another thing that troubles me, all of the young people have 3g phones, which we top up for them but do not monitor at all. I can’t help but feel I’m being asked to do a bit of “fishing”. We have had young people before at very high risk of sexual exploitation and have managed to protect them through individual risk assessment and good hard work. I just can’t deal with the arbitrary nature of what I’m being asked to do…

    camo16
    Free Member

    I can’t see how monitoring can be that effective if you’re monitoring computer usage but not Internet access phones…

    iolo
    Free Member

    If they have phones just take the computer away. Much easier.

    fin25
    Free Member

    Not my decision to make iolo, though I have suggested that.

    akeys001
    Full Member
    MSP
    Full Member

    I had a similar problem: I was asked to do a password hacking activity (ethical hacking) to reveal weak passwords. This was all above board and with the intention of strengthening security practices, but I still felt that it was on dodgy ground legally. So I insisted that all users were formally warned about what was to happen, and that I had a letter from the company’s legal department that the activity was within the law.

    andytherocketeer
    Full Member

    I have no issue with white hat hacking. My password would almost certainly have been cracked in the above (was a password suggested by an old VMS system, which makes up strings that look like words, but aren’t in the dictionary), so voluntarily changed it. If the password hack told the operator Andy’s password is this, I’d have been a bit peeved. If it says dictionary attack successful, I’d have no issue.

    Not sure about the school stuff though. I know my local school had some kind of netnanny sentinel thing, but none are perfect. One 8yr old kid sussed out how to see porn. Since the UK has inherited the US blame culture the parent tried to sue the school, the headmaster, the local authority, and told BBC South East news. All she succeeded in doing is advertising to the whole of Kent and Sussex that her son knew how to surf for porn.

    So I’d be worried more about the parents than the kids. And it is them that needs to know what s/w is used, that it is not perfect, and exactly what is monitored.

    MoreCashThanDash
    Full Member

    MrsMC suggests that the answer may depend on the order that the kids are under to be placed in the home?

    If the parents have voluntarily agreed to the kids going there then you may need parental permission. If it’s a court order then you may have full legal rights to monitor their activity.

    Personally, until they are paying for their own devices and internet access I would expect to be able to monitor usage of any children I am responsible for, which may be why IANASW.

    easygirl
    Full Member

    Dealt with a number of young females at risk of sexual exploitation when I was a bobby, the people who were abusing them were local and did most of their initial contact through Facebook.
    I would not hesitate to monitor their usage as requested. I’ve sat through the interviews and seen the images that the girls were subjected to, and if preventing that means you are invading their privacy, well too bad.

    mattsccm
    Free Member

    Bear in mind legal restrictions on things such as facebook. Under 13’s shouldn’t be on it at all.
    If your institution is unhappy about computer use, block it. That is legitimate.
    Finally, my experience is from working in schools and care homes. I would guess (without meaning to be rude) that most of the advice above comes from people who have at best the same experience as me. I think you should be checking with legal experts, social workers etc. Get it in writing maybe?

    Personally? They are under 18. Children. Tough on them.

    maccruiskeen
    Full Member

    We have had young people before at very high risk of sexual exploitation and have managed to protect them through individual risk assessment and good hard work. I just can’t deal with the arbitrary nature of what I’m being asked to do…

    Some of your clients may be more overtly at risk than others, but it’s probably fair to say they’re all likely targets of coercive and exploitative individuals. Kids in care are a de facto target. It might seem like a fishing expedition to monitor so widely but what you’d hope to spot is people who are on fishing expeditions themselves. And it might seem arbitrary to monitor one channel and not another but internet monitoring is available to you and monitoring phones isn’t. It’s just as arbitrary to not take one measure because you can’t take every measure.

    MoreCashThanDash
    Full Member

    Are you actually hoping to find a legal reason to avoid doing something you find personally unacceptable? It’s a perfectly valid problem given the nature of the work you are involved in. Especially as there is rarely a proper legally correct answer with these kids.

    You need to balance the risk to these vulnerable young people if you don’t monitor their usage, which is linked to your duty of care to them, against any infringement of their rights. I would suggest that given their vulnerability, not monitoring their usage in this day and age would be a failure to take reasonable steps to safeguard them.

    Not actually qualified, but MrsMC works in and trains NQSW in child protection, I’ve probably absorbed quite a bit in the last 19 years when she has been letting off steam after a hard day at the office. 😐

    project
    Free Member

    Quick phone call or email to the Information Commissioner will provide an answer.

    flippinheckler
    Free Member

    There is a duty of care for vulnerable adults and children and procedures to follow, so this monitoring may go above and beyond the legal remit. You should voice your concerns if only for clarity.

    deluded
    Free Member

    The interception and acquisition of communications data is governed by the Regulation of Investigatory Powers Act 2000.

    I don’t know whether a children’s home would be deemed a ‘public body’ that RIPA seeks to regulate. I doubt it.

    Are children in care not informed that their internet activity will be routinely monitored (as any parent or guardian would do)? Which must be accepted as a condition of use?

    I’d suggest a call to the Information Commissioner’s Office as suggested by project to firm things up.

    Personally, I’m in complete agreement with MoreCashThanDash’s 2nd para.

    Junkyard
    Free Member

    not sure of the legalities but two issues

    1. you need a policy about their phones as that is where the obvious risk is
    2. if they give consent [however vague] and it is done to protect them because they are vulnerable then I would not have a huge problem doing it personally, but I would want a clear instruction from a supervisor saying to do it and that it was legal.

    3. you really really need to sort out 1.

    Snooping to protect them from harm is noble if intrusive

    fin25
    Free Member

    Thanks for all the advice, I guess my main uncertainty comes from the fact that the management is a little unprofessional and draconian at times. The phones thing is kind of a separate issue that I have been bothering them about for a couple of years now.
    I guess my main problem is not with the act of monitoring communication, but the clarity of the framework around said monitoring.
    I think a long chat with the manager may be in order…

    trevron73
    Free Member

    My cousin is severely mentally and physically disabled and will be cared for all her life and always has been. She has just graduated from assisted boarding school and is home during summer before a place is found at assisted living. During her last month the school signed 3 of the students up to Facebook. I called her grandma (official guardian) and her mum and sisters and said she should be taken off FB as she is not capable of making judgements (she kissed a boy and then told everyone she has done sex?). I think in some cases internet usage should be monitored. I would do the same with a teenage son or daughter; if these are vulnerable it should be monitored.

    konabunny
    Free Member

    I’m strictly an amateur but my gut feeling would be that between the consent (although I think the questions about whether it is valid is a good one), the fact that the institution is providing the access/machines (my ball, my rules), and the fact that the body is in loco parentis (that’s probably not the right term any more), the software use would be legal. on the other hand, laws around children’s welfare and telecoms are (rightfully) complicated. on the RIPA issue, I wonder whether it is actually interception of data in the sense that it hasn’t been “sent” from the computer yet. I think someone on the exlawyers thread said they were a data protection guru, come to think of it.

    I certainly don’t think you’re being unreasonable by asking the question – although if you think it’s a bad idea and you’re looking for a reason to stop it, that’s a slightly different question.

    other people are much better placed to comment on whether it’s practical, ethical and normal.

    fin25
    Free Member

    I very much believe that it is a good thing to monitor internet use, but I just feel that it has been done very badly in my workplace. The young people have not, in my opinion, given informed consent and we are not doing enough to ensure the process is robust and transparent.

    Take, for example, our room search policy. We get a lot of self harm issues and have to search certain young people’s rooms for sharp objects when the need arises. All young people, when moving into the home are made aware of the potential need for staff or Police to search their rooms in certain circumstances. Then, when a room search is carried out, two staff must be involved and must fill out a room search record, which is then given to the young person to read and sign to confirm their understanding of why the search took place. If the young person does not agree with or understand the reasons, a Children’s Rights officer and/or the young person’s Field Social Worker is brought in to review the process and follow up any complaints. We do not arbitrarily search all of the young people’s rooms on a weekly basis, all young people are risk assessed on an individual basis and any need for regular room searches would be a result of that process of risk assessment.

    Our internet use policy has a very brief sentence about web monitoring, which the young people may or may not fully understand before signing. We then conduct a search of their public and private internet use on a weekly basis. This check is completed by a single member of staff, who fills in a form with any issues (or a lack thereof), puts it in a folder, then locks it in a cupboard. The young people are not informed of these weekly searches. Obviously, if any issues are found in the search, they are followed up with Police, social workers etc.

    To me, searching someone’s room is not really all that different to searching someone’s internet use. They are both (however necessary) an invasion of privacy. I guess the crux of my frustration is the wild difference in policy and procedure. I am happy to carry out searches and monitoring of young people’s internet use, it is, and has been, a vital tool in protecting young people. I just feel that I have been asked to do it within a flawed and potentially unethical framework.

    Thanks again for your various comments, cannot find one that was not of help. I know it’s a bit weird posting these sorts of problems on public web forums, but it really has allowed me to focus on what the problem is and find a solution to my dilemma.

    konabunny
    Free Member

    as an aside, thank you for doing the difficult and important work that you do.

    batfink
    Free Member

    as an aside, thank you for doing the difficult and important work that you do

    +1 from me.

    I think the devil is in the detail here – “monitoring” a person’s internet usage could mean anything. Yes they agreed that you can do this monitoring – but whatever you do needs to pass a “reasonableness” test IMO.

    Eg:

    Reviewing a list of sites they visit – reasonable.
    Reading every email/IM they send – not reasonable.

    I would want a clear description of EXACTLY what the monitoring protocols are – and I would want that documented in an SOP. If the excrement does hit the fan at a later date – at least the organisation will not be able to hang you out to dry.

    mikewsmith
    Free Member

    I would want a clear description of EXACTLY what the monitoring protocols are – and I would want that documented in an SOP. If the excrement does hit the fan at a later date – at least the organisation will not be able to hang you out to dry.

    This, also do you have a sensible union type organisation who may be able to help. That and most local government type organisations will have a legal option to check this out.
    I’d make sure that you phrase it with your boss that you are happy to do your job but you want to make sure for all of your sakes that what you are doing is right and legal. It’s for their benefit as much as yours.

    crashtestmonkey
    Free Member

    The interception and acquisition of communications data is governed by the Regulation of Investigatory Powers Act 2000.

    …except when you’re using a system owned by someone else to access it, when it is exempt from RIPA. Known as Lawful Business Monitoring. The kids are using computers owned by the home, the home makes it a condition of use, by using it the kids accept those conditions. Same goes for people using their employers’ phones/computers.

    Google finds my employer’s policy

    http://www.thamesvalley.police.uk/policy_-_lawful_business_practice_final.pdf

    and this is the relevant legislation

    Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 which allows businesses, including public authorities, to monitor electronic communications (e.g. telephone calls, fax transmissions, e-mails, and internet access) transmitted on their systems for certain purposes.

    which is a long-winded way of saying the OP isn’t being asked to break the law, though their employer should know under what legislation they are working lawfully!

    hora
    Free Member

    How the bloody hell can you spot anything with just face to face? The tool in this case and only in this case is a good tool to help you PROTECT vulnerable young people.

    You ain’t snoopin’ on well adjusted adolescents who have more savvy/ability to flag issues.

    br
    Free Member

    Are you actually hoping to find a legal reason to avoid doing something you find personally unacceptable? It’s a perfectly valid problem given the nature of the work you are involved in. Especially as there is rarely a proper legally correct answer with these kids.

    You need to balance the risk to these vulnerable young people if you don’t monitor their usage, which is linked to your duty of care to them, against any infringement of their rights. I would suggest that given their vulnerability, not monitoring their usage in this day and age would be a failure to take reasonable steps to safeguard them.

    Very good post.

    Just another ‘tool’ in your ‘toolbox’ I would suggest, although based on the number of ‘alerts’ you will probably get (just on a daily basis), to actually review every one will be a full-time job.

    onehundredthidiot
    Full Member

    Will the powers that be swing the wording to say that you are monitoring internet usage? I’m pretty sure that to use the equipment the kids will have had to agree to its use and the fact this may be monitored; certainly on every school system I’ve seen there is a spiel about this on the login screen (granted no one reads it). Will it be a case of what unacceptable usage is happening and then by whom?

    franksinatra
    Full Member

    I worked for many years in kids units, both open & secure so have some background.

    You know this already; some posters above need to understand that although all kids are vulnerable, kids in care are just on a whole new level of vulnerability in that they are actively, aggressively targeted to be sexually abused. Just look at the many recent high profile cases of young teenage girls being targeted by gangs of (predominately Asian) men. This has been going on for years, Social Media just makes it easier. It is a seriously ugly business and I could still cry now thinking back to what some of our kids went through.

    I would not hesitate to support the type of monitoring you are being asked to do. What I would say though is that it should be explicitly clear in policy, linked to risk assessments and the kids understand what is being done. It should also not just be your responsibility because you happen to be the guy who can work computers! If it is being done, all staff need to support it, understand it and be involved.

    Despite their vulnerability, kids can also be very sensible so, as a team, consider how you discuss this with, or include kids in, any changes to how computers are monitored. Having said that, I was involved in more ‘challenging behavior’ over shutting the computer room than pretty much anything else in my unit!

    Your 3G phones are a problem but that doesn’t mean you should ignore the PCs.

    So I’d be worried more about the parents than the kids

    The OP knows that this is the least of his problems to be honest. In nearly every case the parents will be either utterly incompetent or don’t give a toss, hence the fact their kids are in care.

    ninfan
    Free Member

    I think my concern would be that this all sounds very ad hoc, as if the manager has decided that’s what needs doing ‘because they can’ rather than it being some form of official policy with guidelines and a way of escalating concerns.

    Of course the inevitable outcome of this would be the OP being hung out to dry by everyone in the entire chain of management as they disowned him when it blew up in their faces.

    The OP needs to read Annex P of the OFSTED inspection regime

    http://www.ofsted.gov.uk/sites/default/files/documents/inspection–forms-and-guides/c/Conducting%20inspections%20of%20children%27s%20homes%20from%20April%202014.pdf

    jambalaya
    Free Member

    OP businesses can and do this with their employees. Work computers are provided on the basis this is allowed (usually with a document to sign to say so or embedded in standard employments T&C’s). I would imagine you can do the same thing at the home, the computer is only provided on the basis that the kids agree everything can be monitored. On that basis it’s not illegal.

    ninfan
    Free Member

    Hmm, I’m not all that convinced that the relationship between employer/employee is comparable to that of a child in care. Although vulnerable, the kids have a right to privacy too and although it’s clearly never going to be easy to offset one against the other, I’d be doubtful whether routine monitoring could be justified (i.e. unless there were particular concerns).

    franksinatra
    Full Member

    Work computers are for work use in work time (he says whilst posting on STW from work…)

    Computers in a kids home are provided for educational and personal use, therefore not comparing like with like.

    We talk about establishments, kids units, liability etc, just remember that it is still their actual home.

    fin25
    Free Member

    For fear of repeating myself, my problem is not with the act of monitoring itself, I see it as absolutely essential to protect the young people. My problem is that, as the “computer guy” at work, all this sort of thing falls on me, which means that, when I do find evidence of grooming or criminal behaviour, it will be me that ends up in court, again, not in itself a problem for me. My problem is that, when I am faced with cross examination by a defence lawyer, I don’t want there to be any weaknesses in our processes that could see paedophiles walk free.

    iamroughrider
    Free Member

    is there a governing body/trade regulator/ type organisation that you can get advice and maybe a good practice / process check /certificate signed? after discussing this with a manager etc?

    maybe legal cover / insurance should be raised with the manager too?

    jambalaya
    Free Member

    My problem is that, when I am faced with cross examination by a defence lawyer, I don’t want there to be any weaknesses in our processes that could see paedophiles walk free.


    @fin
    for that you have my wholehearted support (and admiration for having been involved in the legal process previously)

    I suppose this is why so many things these days cost so much money, you are going to need some professional guidance here.


The topic ‘I think I'm being asked to break the law (legal advice please).’ is closed to new replies.