Security & Compliance Policy

Workplace Monitoring & Employee Consent Policy

WorkforceDunder Mifflin

Control mapping: HIPAA §164.308(a)(1)(ii)(D) information system activity review, §164.308(a)(3) workforce security; CIS Control 8 (Audit Log Management); workforce conduct & consent

Establishes the company's right to monitor its systems, devices, data, and usage — and the consent each workforce member attests to.

Purpose

This policy informs workforce members that Dunder Mifflin monitors its information systems and the activity conducted on them, and establishes each workforce member's acknowledgment of and consent to that monitoring. Monitoring protects Dunder Mifflin's data, systems, customers, and workforce, supports security and IT operations, and enables Dunder Mifflin to meet its legal, regulatory, and contractual obligations.

Scope

This policy applies to all workforce members — employees, contractors, temporary staff, and anyone else granted access to Dunder Mifflin systems — and to all Dunder Mifflin-owned or Dunder Mifflin-managed information resources. This includes company computers, servers, mobile devices, networks, internet connections, email and messaging accounts, business applications and cloud services, file and data stores, telephony, and physical facilities. It also applies to personally owned devices to the extent they are enrolled in Dunder Mifflin's management or used to access Dunder Mifflin systems or data.

Company Right to Monitor

Dunder Mifflin owns its information systems and the data they hold, and reserves the right — at any time, with or without prior notice, and to the extent permitted by law — to access, monitor, intercept, record, review, copy, retain, and disclose all activity and data on those systems, including:

  • Computers, laptops, mobile devices, and other endpoints, including the files, software, and configuration on them.
  • Network, internet, and Wi-Fi usage, including sites visited, bandwidth consumed, and connections made.
  • Email, instant messaging, collaboration tools, and other communications sent, received, or stored on company systems.
  • Files, documents, and data created, stored, transmitted, or deleted on company systems or storage.
  • Use of business applications and cloud/SaaS services, including logins, actions taken, and data accessed.
  • Security and endpoint telemetry, audit logs, and system activity collected by Dunder Mifflin and Methodology IT.
  • Company-owned mobile devices and vehicles, which may include location information, where used for business and permitted by law.
  • Physical access systems and video surveillance in company facilities, where deployed.
  • Screen, session, and detailed activity, where reasonably necessary for security, support, or a legitimate investigation.

No Expectation of Privacy

Workforce members should have no expectation of privacy in anything they create, store, send, receive, or access on Dunder Mifflin systems, devices, or accounts, including incidental personal use. Deleting a message or file does not remove it from backups or logs. Anyone who needs privacy for personal matters should use their own devices, accounts, time, and network.

Use & Protection of Monitoring Data

  • Monitoring is conducted for legitimate business purposes, including security; IT support and troubleshooting; capacity and performance management; policy and legal compliance; protection of Dunder Mifflin and its customers; and investigation of suspected misconduct or security incidents.
  • Access to monitoring data is limited to authorized personnel and Methodology IT staff with a need to know, and is handled in accordance with the Data Classification & Handling Policy.
  • Monitoring data is retained only as long as needed for these purposes or as required by law, and is protected with the same controls as other sensitive Dunder Mifflin information.
  • Dunder Mifflin conducts monitoring consistent with applicable law and does not intentionally monitor lawful off-duty activity, personal accounts, or personal devices outside the scope of company management.

Acknowledgment & Consent

By accepting this policy, accessing Dunder Mifflin systems, or signing below, each workforce member acknowledges that they have read and understood this policy and expressly consents to Dunder Mifflin's monitoring as described — including the access, interception, recording, review, and retention of activity and data on Dunder Mifflin systems, devices, accounts, and usage. This consent remains in effect for the duration of the individual's access to Dunder Mifflin systems.

Enforcement & Exceptions

Compliance with this policy is mandatory. Violations may result in disciplinary action up to and including termination of employment or contracts, and may carry civil or criminal liability.

Any exception must be requested in writing, justified by a documented business need, risk-assessed, and approved by the Security Official before it takes effect. Approved exceptions are reviewed at least annually.