An acquaintance approached me with a dilemma recently.
Her supervisor had requested the password of a coworker who was out on
extended sick leave. The supervisor said, ”Joe gave it to me before he
left, but I misplaced it. Just go ahead and give it to me again,
The system administrator told me that at first she was going to just give
the password to her boss, but began to have second thoughts about it.
What was the right thing to do?
If it meant saying no, how was she supposed to do that without getting
It turned out that Joe’s password wasn’t available, and the system
administrator didn’t have to actually say no. But the situation raises
larger questions, involving the ethical administration of corporate
assets. Often the situation can be sidestepped with some creative
solutions. However, it can be tricky to face the situation in a manner
that won’t lead to the end of your career or a colleague’s.
First, find out what your supervisor really wants.
It may be that Joe forgot to turn in the quarterly report, but left you a
copy. It’s possible the required information resides in more than one
location. If your supervisor has authorization for administrative access
on the system, providing him with his own administrative-level password
should be sufficient.
Second, it’s possible your supervisor is looking for evidence. It may not
be something he/she is allowed to discuss with you, or it may be they
can’t articulate specifically what they’re looking for. This presents a
different ethical dilemma that can be examined from two different
First, does explicit corporate policy exist regarding the use of company
assets for personal use? Are there awareness notifications? When you
login, are you required to do something like click through a window with
huge letters saying something like:
The use of this system is restricted to authorized users and is for
official use only. This computer system, including all related equipment,
networks, and network devices (specifically including Internet access)
may be monitored for all lawful purposes. Use of this computer system,
authorized or unauthorized, constitutes consent to monitoring of this
system. etc. etc.
Is this caveat enforced? Understand that I’m not a lawyer, and I don’t
play one on TV, but in HR terms, this is an unenforced corporate policy
which lends itself to a concept known as ‘acceptable practice’. Having
unenforced corporate policies could leave an organization vulnerable to
Here is an example of unenforced corporate policy and acceptable
practice. Let’s say, a company policy states working hours are from 8
a.m. to 7 p.m. with one hour for lunch. An individual or individuals
consistently arrive late, take an hour and 20 minutes for lunch or leave
15 minutes early. This behavior is not documented and the individuals
involved are not counseled or marked adversely on performance
evaluations. Thus, a standard of acceptable practice is set that the
company must tolerate based on this previous behavior, or aggressively
pursue a re-education campaign that has clear requirements and consistent
Even if the company spells out what is and isn’t acceptable, if there is
no accountability for inappropriate behavior, it is much more difficult
to pursue disciplinary action.
The notion of acceptable behavior leads us to the second concept that
must be examined.
Is there an expectation of privacy? Is it commonly understood and
accepted that private materials can be kept on a company workstation and
will be kept confidential or considered confidential by management?
Litigation also is a possibility when dealing with matters that involve
personal privacy in the workplace.
Let’s look at one final consideration.
You and Joe are friends and you know he spends a good portion of his day
online looking for stuff, chatting with pals, and surfing various
questionable Web sites. Where should your loyalties lie? Your decision
might seem more difficult because sometimes it’s hard to identify with an
impassive impersonal corporate entity, or you may disagree with corporate
I look at it like this: Even if Joe is my friend, he causes more work for
me and for others when he doesn’t do his share. He lowers the value of
the company by stealing time and services from the corporation. This
places my job at greater risk. Finally, Joe has the audacity to put me,
as system administrator, in an awkward position because I know what
happens on his computer, and NOW, my boss also is interested.
OK, let’s get back to the system administrator who was asked to hand over
I’m still personally unwilling to just give out the password. Depending
on the circumstances, suggest contacting the employee to retrieve the
password. This is a reasonable option if you don’t retain password
records. An alternative would be to change the user’s password (as
administrator), and then have the user change it again when he or she
Earlier we talked about administrative access. This method should be used
if at all possible. This is a reasonable option if you don’t retain
Remember that every set of circumstances is different and I can’t give
you the definitive answer on how to handle your specific situation.
Whatever you do, get the request in writing before you act on it. Ask
your boss to send you email, print it, with the complete headers, sign
and date it and put it away. You don’t ever want to be in a position
later where your recollection and your boss’s recollection differs.
If you believe your supervisor’s request to be unlawful, against company
policy or suspicious in some other way, tell them you are acting in
protest on their written request, and you will be documenting the
exchange. You can then speak to your supervisor’s boss, where you might
gain a better understanding of actions being taken. If you think it is
appropriate, you also can speak to someone in HR, or if your organization
has legal counsel, speak to them. Be aware they get paid by the company
as well, and you may find they have a conflict of interest.