Slashdot Mirror


What Is A Fair Privacy Policy?

nlh asks: "I'm one of the founders of TruExchange, a small software company in the Boston area. We've just closed a major round of funding and are going through some VC-inspired (ok, VC-mandated) changes and maturations. One of these is the creation of a formal Employee Handbook, which will contain the all-important company Privacy Policy, among other things. The other founders and I are in the fortunate positions of being active Slashdot readers and of having a good deal of say in the creation of these policies. I wanted to get a feel from the Slashdot community about the best way to implement them (before it's too late)."

"From the employee's position, it's easy to scoff at the fascist-sounding stuff we read on here regularly ('We can and will see and hear everything you do when and if we want to.') but as a 'responsible' member of the management team, I have to take into consideration the legal ramifications of NOT reserving such rights. If we think someone is keeping a gun in his desk, we want to be able to check it. If someone is harassing people from our email system, we want to be able to verify it. What I don't want, however, is the creation of a police state (be it on paper or otherwise).

I'd like to come up with a healthy compromise -- We want to create a policy that shows our 'user friendliness', yet we must please the big VCs and protect ourselves as a corporation. We want to say 'We respect your privacy and will make every effort not to monitor you, but we reserve the right to do so.' Is such a compromise possible? What should a reasonable privacy policy say (and how should it be said?) Where does the line between 'employer covering its ass' and 'fascist bastards' get drawn?"

6 of 83 comments

  1. Privacy Policies by maggard · Score: 4
    Be honest & be clear.

    Fight the lawyers over the wording - they want it in their vernacular, you need to ensure it's simple & clear.

    Accept that you're going to have to reserve all rights as broadly as possible. Yes you'll likely never spy on someone or snoop their email but you might have to someday & you need to make this possibility clear up front.

    Spend an hour with your buddies dreaming up scenarios where you might need to do these actions and plan for them now. Again, you'll likely (hopefully) never need to do any of these but you have to make provisions for the possibility now.

    The most basic rule is if it is done on company property or on company time or with company resources the company reserves all rights it can to viewing, recording, and using such.

    Lots of /.'ers will recoil at this but I bet if they're employed by a publicly-listed company most will find the same basic tenets in their own employee handbook (please don't post your own unique circumstances - I said "most" & "publicly-listed". Yes there is the option of self-employment and there are unusual circumstances etc. but that's not really the topic.)

    Bring the existing employees in on the planning. Don't surprise folks. Keep key figures involved in the evolution so it won't be a surprise. If folks learn along the way the whys of the policies and have their input sought, respected & used then they'll respect the policies and the company and share this confidence with others.

    Strongly consider getting in an expert on this sort of thing - not just a lawyer whose first instinct is to cover your ass as much as possible but a seasoned HR-type who you folks like & respect, and get their input. Listen to them about what is really important to you, to your employees, and presumably to the VCs who are mandating this.

    Finally, look at the nearly-final product and decide if you'd want to work for the company you're creating. If not then start editing.

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
  2. Re:Warrants by maggard · Score: 4
    Real situation:

    Employer (former) was concerned an executive was getting ready to jump ship - and was going to walk with a lot of our proprietary information.

    A few weeks previously I'd shocked the VPs when they asked about recovering a piece of email and I pointed out it was all backed up on tape and that I had full access to *everything* (current and archived.) Apparently they'd never put together the implications of my being Sr. Net Admin & being a backup Postmaster, etc.

    I'd then pulled some old tapes and gone (with permission) into the exec's old email, then run a few keyword searches for the password he'd forgotten (don't get me started - they really were a clueless lot... Brilliant in their fields but just sooo out of their depth with the technology in front of them.)

    Anyway, I got them to put the snoop request in writing (cover my ass) then got the CEO to countersign it (yes, a multi-billion-dollar corporation, and he was a great guy; approachable and sharp.)

    Duped the subject's email account (don't want to break anything by both of us being in it) and then, with a couple of VPs looking over my shoulder, ran a few searches.

    Not going to tell the results (irrelevant) but yes, we had authority to do what we did and yes, it was necessary. How'd we have authority? 'Cause the employee handbook said we did (and heavily vetted by Legal) & regular memos reminded folks.

    Did we publicize any of this? No. No no no. If the person had been not playing nice (again, not telling) then he'd have been locked out of all accounts ASAP, everything sequestered, and the next day the CEO would have met him at the door, accepted his resignation (form happening to be handy along with the head of HR and a few lawyers) and handed him his last (fat) check.

    Word around the company: none. Gone - no comment, wish the best in future endeavors. Why? Well, one he could sue for word getting out (yeah yeah yeah the truth but that's a lot of legal bills later...) Two we didn't need to spook everyone and make them so paranoid that folks just couldn't work. Three - less problem. Most places operate on the path of least resistance and my former no less. If they could get away with just having stuff happen in the background so much the better.

    So, the short of it is that no, I don't agree with your 'open' policy. Folks knew ('bout everyone but the VPs it seems) that stuff was an open book and just assumed that my staff had better things to do than read their email. They were of course right, but yeah, there were times where we did go into email and web logs, etc. under direction. Would publicizing any of this have served any purpose? Not really. Few would have understood it, most would have assumed we weren't telling all, and it would have been problematic to implement.

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
  3. Re:Be HONEST by NMerriam · Score: 4

    Couldn't an attacker (euphemism for plaintiff's attorney, seemed appropriate with all of the security talk these days) argue that the instruction was overly vague?

    Well they could, but it probably wouldn't be terribly effective. As technical as lawyers are portrayed, in reality judges and juries are pretty unforgiving of people who fail the "reasonable person" standard. If a reasonable person would understand that the contract said such-and-such, then that's the standard you'll be held to (even in some cases where it turns out the contract wasn't even valid, it was the belief of both parties that it WAS valid that made a contract).

    Recent cases have, in fact, been leaning the other way -- people getting out of contracts because they were too complicated and impossible to understand, because you cannot enter into a legally binding agreement voluntarily if you don't understand it. There has to be a "meeting of the minds" and if the contract is so complex as to be impossible to understand, you can't possibly agree to it...

    ---------------------------------------------

    --
    Recursive: Adj. See Recursive.
  4. Sample of one I have recently implemented by HBergeron · Score: 4

    XXXXXX understands how central computers have become to each employee's work-day. Much as it has become acceptable for employees to use their phone for personal calls on their break or lunch hour, there are certain acceptable personal uses for your desktop computer. These include:
    A reasonable number of personal e-mails
    Web-browsing or other Internet activities
    Writing personal letters

    These acceptable uses are modified by the following restrictions:
    Web browsing should be limited to sites appropriate for a business environment, particularly in view of the conduct policies listed above.
    Downloads must not include copyrighted materials of any kind without the copyright holder's permission.
    No printing of web content, letters or envelopes on Office printers.

    Failure to follow these terms may result in disciplinary action.

    Acceptable use may result in an employee's personal files, or records of personal activities, residing on the computer system. Employees should keep in mind that the Systems Administrator might need to access a particular computer for maintenance or security reasons. The Office reserves the right to access any computer or file at any time for official purposes. Every effort will be made to preserve the individual user's privacy. No files on an office desktop system should be considered secure or confidential.

    While it is technologically possible to track each employee's personal use of the computers, it is the policy of the office not to monitor the file access or keystrokes of its employees. Review of system logs and other computer records may take place only after an allegation of misconduct has been made.

    >>>>>>>>>>

    The restrictions on printing, etc. are due to the fact that this policy is for a public office; the materials, paper, toner, etc. are therefore intended only for official use, and it would be irresponsible/illegal to allow private use. The same argument might be made for your responsibility to shareholders, but I would generally allow some limited use of office materials.

    --
    THE YEAR WAS 2081, and everybody was finally equal...
  5. Be HONEST by NMerriam · Score: 5


    Look, we understand as employees that what you're saying is true, that you have to cover your own ass. What bugs me is the terms of service kind of legalese that is so over the top that it is literally offensive.

    Why not write an employee handbook like Borland used to do software licenses? They used plain language, and explained WHY they had limitations in place, not just a bunch of legal jargon. It is no less legal because it's written in plain English.

    You say yourself, "we think someone is keeping a gun in his desk, we want to be able to check it. If someone is harassing people from our email system, we want to be able to verify it. What I don't want, however, is the creation of a police state (be it on paper or otherwise)". That sounds great -- why not just flesh that out as a policy statement?

    You really don't have to say "The party in the first part abrogates all claims and reservations for privacy and security of his person, belongings, personal space, and equipment". That's how lawyers write, but you can actually have a legally binding agreement that says "We pay for office equipment and have liability for your actions at work, so you need to know that we do have the right to check your computer or desk. We don't want to do it, but you know as well as we that there's always some nutball with porn on his hard drive, and we don't want to lay you off because we've gone bankrupt from a sexual harassment lawsuit".

    Sincerity like that can buy you a LOT of goodwill.

    ---------------------------------------------

    --
    Recursive: Adj. See Recursive.
  6. Be Honest by PapaZit · Score: 5

    It's actually pretty simple: make the handbook say pretty much what you're saying here. You want to preserve your rights, while providing some assurance that you won't routinely spy on your employees "just in case". Perhaps something like this:

    The company reserves the right to monitor or search all company property and equipment if improper or illegal conduct is suspected. However, all such monitoring or searching will be performed with at least one witness or explicit written instruction from at least two managers.

    I'm not a lawyer. Run the above past one before using it.

    --
    Forward, retransmit, or republish anything I say here. Just don't misquote me.