What Is A Fair Privacy Policy?
"From the employee's position, it's easy to scoff at the fascist-sounding stuff we read on here regularly ('We can and will see and hear everything you do when and if we want to.') but as a 'responsible' member of the management team, I have to take into consideration the legal ramifications of NOT reserving such rights. If we think someone is keeping a gun in his desk, we want to be able to check it. If someone is harassing people from our email system, we want to be able to verify it. What I don't want, however, is the creation of a police state (be it on paper or otherwise).
I'd like to come up with a healthy compromise -- We want to create a policy that shows our 'user friendliness', yet we must please the big VCs and protect ourselves as a corporation. We want to say 'We respect your privacy and will make every effort not to monitor you, but we reserve the right to do so.' Is such a compromise possible? What should a reasonable privacy policy say (and how should it be said?) Where does the line between 'employer covering its ass' and 'fascist bastards' get drawn?"
I've found that what separates most companies in terms of their privacy is how well _they_ follow it. The policy might look nice on paper, but is meaningless if you don't make an effort to actually follow it.
All those legal disclaimers are there for a reason. Forget something little, and it could be the grounds for a lawsuit against your company. Being too friendly is not good because it can open loopholes against your company. Do I like it? No, but it's a litigious world. People will sue for whatever reason they can to make money. Don't give them the opportunity to hurt and ruin your company. The problem with setting rules in some legal disclaimers stating when you will inspect it -- if you don't follow it and violate it in a small way, it could be grounds for someone to sue you saying the search was not legal and in compliance with the policy. So keeping it broad is sometimes best for the protection of the company, even though nobody likes it. Otherwise, you're putting your company at risk. Is it worth it? Sometimes I think it's better to protect your rear, and use it to your advantage when the issue comes up, rather than finding you forgot a little "clause" and getting screwed for it.
As long as I can remember privacy policies have been of the nature that "We don't want to watch you, but if we need to we will." What everyone seems to leave ambiguous is what constitutes the need to monitor someone. Perhaps defining this a little further will help. You could say something to the effect of "Monitoring is constituted, but not limited, by the following reasons: harassing other users, breaking the law..." You want to give the users a better idea of your goals without tying your hands.
----------
do { Work(); PayTaxes(); Eat(); Sleep(); } while (alive)
----------
while (alive) { Work(); PayTaxes(); Eat(); Sleep(); }
Bool
I would recommend setting boundaries of when the company can look at the private emails of their users, what sites they visit, etc., instead of just setting what. All too often a business or school will be cron'ing files randomly and pick up on a disturbing usage they wouldn't pick up on normally.
They should have set rules as to when these searches should be permissible, given just cause (like a search warrant). Despite the fact that they own the network, employees shouldn't feel comfortable with a privacy policy that allows usage searches 24/7.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
I truly believe that honesty in all dealings between employer and employee is of paramount concern; this affects all policies regulating employee (and employer) conduct.
If you can lay your hand on a Digital Equipment employee handbook from the beginning of the nineties, that can provide you with good ideas about - what I believe - fair and open communication. Of course it requires adaptation in the age of downloading pr0n and filling 60% of the disk capacity with MP3s.
The tricky issue is that you guys have to cover your backs, because if you grow and there's money floating around, somebody will sue.
I'd recommend a top-down approach. I.e.
Set the ground rules in employees dealing with each other and communicating with outside entities. Emphasize an environment of common sense and trust
Go into the tools. Mail, web, phone, company letterheads, public statements. The focus should be on self responsibility
Detail the dos and don'ts for each form of communication. Try to keep it liberal. I.e.: we don't really care if you fire off a private e-mail or surf /. while munching a sandwich. Make it clear however, that you expect that performance doesn't suffer. Explain why certain control measures are not to be avoided (protection of trademarks, company secrets, legal threats)
If you monitor, be very explicit about the tools you use and the data which is monitored and why. Explain what data is stored for how long and how it will be analyzed.
Make consequences for abuse crystal clear
Grant certain rights to the employees. I.e. open door policy (and stick to it), escalation paths in case of management abuse, the right to browse /. while munching a sandwich (ok, maybe in more general terms)
Emphasize mutual respect and personal responsibility
Be very specific and unambiguous regarding the wording, and
unfortunately, have it triple checked by legal and lawyers
Again, be fair in treating your employees and vice versa. This should be reflected by the manual.
Good luck with your venture
I am the musician
with a pocket calculator in my hand
kraftwerk
"If we think someone is keeping a gun in his desk, we want to be able to check it. If someone is harassing people from our email system, we want to be able to verify it. What I don't want, however, is the creation of a police state..."
Wow, it's like you specifically crafted these three sentences to be one of those "famous last words" things.
You can't BOTH have the power to search anyone's desk/computer at any time AND claim they have any privacy. Especially since your two examples already lead us very far down a very slippery slope. "Might be planning murder" to "might be sending nastygrams" leads very easily to "might be looking for another job" and "might be about to blow the whistle".
Here's a privacy policy: We keep the hell out of your stuff. If you break the law, on your own head be it, we assume no responsibility.
Alternatively, you could have an extremely draconian policy--for people who choose to work in the building. Then have an anything-goes policy if you work from home.
BTW, to people who side with the suits and say "but this stuff belongs to company"--shut up, already. The food in the cafeteria belongs to them too, but I'm allowed to bring the waste products home. More to the point, if I am a net drain on the company's resources, the solution is to fire me and hire someone who is a net producer. It's a lot simpler AND fairer.
--
MailOne
Non-meta-modded "Overrated" mods are killing Slashdot
(Hey Ryan! Here's your proof!)
A privacy policy can be:
Choose any two.
MacOS, Windows, BeOS, GNOME, KDE: they're all just Xerox copies
1) The legal risk mentioned above
2) Potential loss of regulation, therefore output
3) Drop in customer or employee satisfaction
One way to increase privacy and not affect company stature is to be more performance based rather than methods based. If your employees are meeting their expected goals and deadlines, then they most likely need little, if any, watching from your managers.
There will always, of course, be certain issues that will need direct management control, such as porn, illegal activities, or bad customer service, but I believe there are many ways to combat these issues without jeopardizing the loyalty of your employees.
Fight the lawyers over the wording - they want it in their vernacular, you need to ensure it's simple & clear.
Accept that you're going to have to reserve all rights as broadly as possible. Yes you'll likely never spy on someone or snoop their email but you might have to someday & you need to make this possibility clear up front.
Spend an hour with your buddies dreaming up scenarios where you might need to do these actions and plan for them now. Again, you'll likely (hopefully) never need to do any of these but you have to make provisions for the possibility now.
The most basic rule is if it is done on company property or on company time or with company resources the company reserves all rights it can to viewing, recording, and using such.
Lots of /.'ers will recoil at this but I bet if they're employed by a publicly-listed company most will find the same basic tenets in their own employee handbook (please don't post your own unique circumstances - I said "most" & "publicly-listed". Yes there is the option of self-employment and there are unusual circumstances etc. but that's not really the topic.)
Bring the existing employees in on the planning. Don't surprise folks. Keep key figures involved in the evolution so it won't be a surprise. If folks learn along the way the whys of the policies and have their input sought, respected & used then they'll respect the policies and the company and share this confidence with others.
Strongly consider getting in an expert on this sort of thing - not just a lawyer whose first instinct is to cover your ass as much as possible but a seasoned HR-type who you folks like & respect and get their input. Listen to them about what is really important to you, to your employees, and presumably to the VCs who are mandating this.
Finally, look at the nearly-final product and decide if you'd want to work for the company you're creating. If not then start editing.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
Employer (former) was concerned an executive was getting ready to jump ship - and was going to walk with a lot of our proprietary information.
A few weeks previously I'd shocked the VP's when they asked about recovering a piece of email when I pointed out it was all backed-up on tape and that I had full access to *everything* (current and archived.) Apparently they'd never put together the implications of my being Sr. Net Admin & being a backup Postmaster, etc.
I'd then pulled some old tapes and gone (with permission) into the exec's old email, then run a few keyword searches for the password he'd forgotten (don't get me started - they really were a clueless lot... Brilliant in their fields but just sooo out of their depth with the technology in front of them.)
Anyway, I got them to put the snoop request in writing (cover my ass) then got the CEO to countersign it (yes, a multi-billion-dollar corporation and he was a great guy; approachable and sharp.)
Duped the subject's email account (don't want to break anything by both of us being in it) and then, with a couple of VPs looking over my shoulder, ran a few searches.
Not going to tell the results (irrelevant) but yes, we had authority to do what we did and yes, it was necessary. How'd we have authority? 'Cause the employee handbook said we did (and heavily vetted by Legal) & regular memos reminded folks.
Did we publicize any of this? No. No no no. If the person had been not playing nice (again, not telling) then he'd have been locked out of all accounts ASAP, everything sequestered, and the next day the CEO would have met him at the door, accepted his resignation (form happening to be handy along with the head of HR and a few lawyers) and handed him his last (fat) check.
Word around the company: none. Gone - no comment, wish the best in future endeavors. Why? Well, one he could sue for word getting out (yeah yeah yeah the truth but that's a lot of legal bills later...) Two we didn't need to spook everyone and make them so paranoid that folks just couldn't work. Three - less problem. Most places operate on the path of least resistance and my former no less. If they could get away with just having stuff happen in the background so much the better.
So, the short of it is that no, I don't agree with your 'open' policy. Folks knew ('bout everyone but the VP's it seems) that stuff was an open book and just assumed that my staff had better things to do then read their email. They were of course right, but yeah, there were times where we did go into email and web logs, etc. under direction. Would have publicizing any of this served any purpose? Not really. Few would have understood it, most would have assumed we weren't telling all, and it would have been problematic to implement.
Couldn't an attacker (euphemism for plaintiff's attorney, seemed appropriate with all of the security talk these days) argue that the instruction was overly vague?
Well they could, but it probably wouldn't be terribly effective. As technical as lawyers are portrayed, in reality judges and juries are pretty unforgiving of people who fail the "reasonable person" standard. If a reasonable person would understand that the contract said such-and-such, then that's the standard you'll be held to (even in some cases where it turns out the contract wasn't even valid, it was the belief of both parties that it WAS valid that made a contract).
Recent cases have, in fact, been leaning the other way -- people getting out of contracts because they were too complicated and impossible to understand, because you cannot enter into a legally binding agreement voluntarily if you don't understand it. There has to be a "meeting of the minds" and if the contract is so complex as to be impossible to understand, you can't possibly agree to it...
---------------------------------------------
Recursive: Adj. See Recursive.
XXXXXX understands how central computers have become to each employee's work-day. Much as it has become acceptable for employees to use their phone for personal calls on their break or lunch hour, there are certain acceptable personal uses for your desktop computer. These include:
A reasonable number of personal e-mails
Web-browsing or other Internet activities
Writing personal letters
These acceptable uses are modified by the following restrictions:
Web browsing should be limited to sites appropriate for a business environment, particularly in view of the conduct policies listed above.
Downloads must not include copyrighted materials of any kind without the copyright holder's permission.
No printing of web content, letters or envelopes on Office printers.
Failure to follow these terms may result in disciplinary action.
Acceptable use may result in an employee's personal files, or records of personal activities, residing on the computer system. Employees should keep in mind that the Systems Administrator might need to access a particular computer for maintenance or security reasons. The Office reserves the right to access any computer or file at any time for official purposes. Every effort will be made to preserve the individual user's privacy. No files on an office desktop system should be considered secure or confidential.
While it is technologically possible to track each employee's personal use of the computers, it is the policy of the office not to monitor the file access or keystrokes of its employees. Review of system logs and other computer records may take place only after an allegation of misconduct has been made.
The restrictions on printing, etc. are due to the fact that this policy is for a public office; the materials, paper, toner, etc. are therefore intended only for official use, and it would be irresponsible/illegal to allow private use. The same argument might be made for your responsibility to shareholders, but I would generally allow some limited use of office materials.
THE YEAR WAS 2081, and everybody was finally equal...
Look, we understand as employees that what you're saying is true, that you have to cover your own ass. What bugs me is the terms of service kind of legalese that is so over the top that it is literally offensive.
Why not write an employee handbook like Borland used to do software licenses? They used plain language, and explained WHY they had limitations in place, not just a bunch of legal jargon. It is no less legal because it's written in plain English.
You say yourself, "we think someone is keeping a gun in his desk, we want to be able to check it. If someone is harassing people from our email system, we want to be able to verify it. What I don't want, however, is the creation of a police state (be it on paper or otherwise)". That sounds great -- why not just flesh that out as a policy statement?
You really don't have to say "The party in the first part abrogates all claims and reservations for privacy and security of his person, belongings, personal space, and equipment". That's how lawyers write, but you can actually have a legally binding agreement that says "We pay for office equipment and have liability for your actions at work, so you need to know that we do have the right to check your computer or desk. We don't want to do it, but you know as well as we that there's always some nutball with porn on his hard drive, and we don't want to lay you off because we've gone bankrupt from a sexual harassment lawsuit".
Sincerity like that can buy you a LOT of goodwill.
It's actually pretty simple: make the handbook say pretty much what you're saying here. You want to preserve your rights, while providing some assurance that you won't routinely spy on your employees "just in case". Perhaps something like this:
The company reserves the right to monitor or search all company property and equipment if improper or illegal conduct is suspected. However, all such monitoring or searching will be performed with at least one witness or explicit written instruction from at least two managers.
I'm not a lawyer. Run the above past one before using it.
--
Forward, retransmit, or republish anything I say here. Just don't misquote me.