Thursday, May 23, 2024

Protecting Data While Protecting Your Job


An acquaintance approached me with a dilemma recently. Her supervisor had requested the password of a coworker who was out on extended sick leave. The supervisor said, “Joe gave it to me before he left, but I misplaced it. Just go ahead and give it to me again,


The system administrator told me that at first she was going to just give the password to her boss, but began to have second thoughts about it.

What was the right thing to do?

If it meant saying no, how was she supposed to do that without getting


It turned out that Joe’s password wasn’t available, and the system administrator didn’t have to actually say no. But the situation raises larger questions, involving the ethical administration of corporate assets. Often the situation can be sidestepped with some creative solutions. However, it can be tricky to face the situation in a manner that won’t lead to the end of your career or a colleague’s.

First, find out what your supervisor really wants.

It may be that Joe forgot to turn in the quarterly report, but left you a copy. It’s possible the required information resides in more than one location. If your supervisor has authorization for administrative access on the system, providing him with his own administrative-level password should be sufficient.

Second, it’s possible your supervisor is looking for evidence. It may not be something he/she is allowed to discuss with you, or it may be they can’t articulate specifically what they’re looking for. This presents a different ethical dilemma that can be examined from two different


First, does explicit corporate policy exist regarding the use of company assets for personal use? Are there awareness notifications? When you log in, are you required to do something like click through a window with huge letters saying something like:


The use of this system is restricted to authorized users and is for official use only. This computer system, including all related equipment, networks, and network devices (specifically including Internet access) may be monitored for all lawful purposes. Use of this computer system, authorized or unauthorized, constitutes consent to monitoring of this system. etc. etc.

Is this caveat enforced? Understand that I’m not a lawyer, and I don’t play one on TV, but in HR terms, this is an unenforced corporate policy which lends itself to a concept known as ‘acceptable practice’. Having unenforced corporate policies could leave an organization vulnerable to


Here is an example of unenforced corporate policy and acceptable practice. Let’s say a company policy states working hours are from 8 a.m. to 7 p.m. with one hour for lunch. An individual or individuals consistently arrive late, take an hour and 20 minutes for lunch or leave 15 minutes early. This behavior is not documented and the individuals involved are not counseled or marked adversely on performance evaluations. Thus, a standard of acceptable practice is set that the company must tolerate based on this previous behavior, or aggressively pursue a re-education campaign that has clear requirements and consistent


Even if the company spells out what is and isn’t acceptable, if there is no accountability for inappropriate behavior, it is much more difficult to pursue disciplinary action.

The notion of acceptable behavior leads us to the second concept that must be examined.

Is there an expectation of privacy? Is it commonly understood and accepted that private materials can be kept on a company workstation and will be kept confidential or considered confidential by management?

Litigation also is a possibility when dealing with matters that involve personal privacy in the workplace.

Let’s look at one final consideration.

You and Joe are friends and you know he spends a good portion of his day online looking for stuff, chatting with pals, and surfing various questionable Web sites. Where should your loyalties lie? Your decision might seem more difficult because sometimes it’s hard to identify with an impassive impersonal corporate entity, or you may disagree with corporate


I look at it like this: Even if Joe is my friend, he causes more work for me and for others when he doesn’t do his share. He lowers the value of the company by stealing time and services from the corporation. This places my job at greater risk. Finally, Joe has the audacity to put me, as system administrator, in an awkward position because I know what happens on his computer, and NOW, my boss also is interested.

OK, let’s get back to the system administrator who was asked to hand over a password.

I’m still personally unwilling to just give out the password. Depending on the circumstances, suggest contacting the employee to retrieve the password. This is a reasonable option if you don’t retain password records. An alternative would be to change the user’s password (as administrator), and then have the user change it again when he or she


Earlier we talked about administrative access. This method should be used if at all possible. This is a reasonable option if you don’t retain password records.

Remember that every set of circumstances is different and I can’t give you the definitive answer on how to handle your specific situation.

Whatever you do, get the request in writing before you act on it. Ask your boss to send you an email, print it with the complete headers, sign and date it, and put it away. You don’t ever want to be in a position later where your recollection and your boss’s recollection differ.

If you believe your supervisor’s request to be unlawful, against company policy or suspicious in some other way, tell them you are acting in protest on their written request, and you will be documenting the exchange. You can then speak to your supervisor’s boss, where you might gain a better understanding of actions being taken. If you think it is appropriate, you also can speak to someone in HR, or if your organization has legal counsel, speak to them. Be aware they get paid by the company as well, and you may find they have a conflict of interest.
