[angdis]

OK, that is what is "legally possible" in a worst-case scenario.

But IN PRACTICE, what is normal?

Your statement seems to indicate that IT staff can just browse personal communications, desktop displays, keypresses. I am sure that they can if necessary, but what kinds of scale and automation are we talking about? Doing such surveillance ad-hoc or without a very small number of targets seems like it would easily become intractable for any org with thousands of people.

I am not in an IT department, so I have no idea what goes on.

It seems the standard advice is always to take the most extreme precautions and to follow the corporate rules to the letter... but here I am typing this into a work computer on a chrome browser without a care in the world.

[nullrouted]

So I work in information security and I'll tell you i haven't seen good standards around this. In some places IT people regularly look at emails or web traffic, which i think is wrong.

When I go into a company I make sure we put a policy in place that to review an employees emails / web traffic / devices we need to have Legal and HR sign off on it unless the person being investigated is part of one of those groups then it is one group and an executive.

This covers me from legal/HR fallout and it covers the employees because they know we aren't just sneaking around looking at their stuff, it creates trust.

[mhurron]

Normal and possible are not the same thing, and you have to plan for possible.

http://www.huffingtonpost.com/2010/02/26/dan-ackerman-school...

So here is an example of a school administrator spying on students via their provided laptops. It's not the only one. This was 'normal' for the school system until they got called on it.

Blanket collection and searching of data by a company is very possible, in just the same way as you search through mass of logs from applications. They aren't going to have someone watching these logs all the time though, so you don't have to have a huge staff to handle it. They may spot check, they may only go thought the data when something suspicious occurs. They may automatically troll through the data looking for keywords which escalate to a real person for further analysis.