magazine resources subscribe about advertising




 CD Home < Web Techniques < 2001 < August  

None of your Business?

By Mimi Rosenheim

Imagine demanding access to someone's entire life without a second thought. You want a social security number, DNA, financial history, fingerprints, and access to family information, correspondence, files, and medical history.

Sounds intrusive, but it's likely that you have all of that information about your employees, and then some.

I don't advocate companies ceasing all employee-tracking activities. In fact, I appreciate efforts to ensure that my coworkers will leave their weapons at home and that they will use the company technology to get their work done. However, I'm dismayed by corporate America's lack of sensitivity to employee rights where personal information is concerned.

Data Kings

These days, employers must protect themselves by obtaining more and more information on their employees. Technology has made the data gathering, storage, and analysis as easy as the push of a button. And tightening corporate budgets mean that many companies are reevaluating which assets can be sold to the highest bidder.

For the past few years, customer privacy has been a predominant concern, scaring many potential customers away from Internet commerce. Companies have actually been created to protect the average person from the big bad corporate monster that gathers all the information it can and sells the information to whoever wants it. Even Congress has weighed in on this important topic, placing the issue front and center.

Throughout this tumult, little comment has been made on the issue of employee privacy. The amount of information gathered about consumers pales in comparison to the vast amount of data available on each and every corporate employee.

Information Retrieval

Let's start with the information that you, as an employer, collect before offering someone a job. The resume contains a wealth of personal information including name, address, phone number, email address, education, and a list of former employers and jobs. But many job hunters post resumes online, so let's not paint employers with the evil brush just yet.

Next, let's look at what happens after you offer someone a job. He or she already has a company file that contains an application, a resume, and likely, comments from those who conducted his or her interviews. In many larger corporations, "Congratulations, you've got the job" often translates to, "Now, we're going to do a deep background check on you, and you're going to hand over a bunch of really personal information."

What are these background checks, and why do some businesses insist upon them? Most checks are done through third-party companies that specialize in gathering data and reporting back to their clients. They pull information from the DMV, court records, and other sources to determine whether the candidate has a criminal history that wasn't disclosed, or to unearth any other anomalies that might raise questions about a candidate's appropriateness for the job. These criminal checks are one way your company can protect itself and its employees from those few bad eggs who can't be trusted with the butter knife.

Your company may also perform additional checks depending upon the industry. If an employee is working with large sums of money, as a future employer, you might take a quick peek at that person's credit history. Armed with a social security number, you can pull a candidate's credit history and peruse years of deeply personal financial information including credit score, outstanding credit card balances, unpaid school loans, and that one late telephone bill that went into collections because a college roommate didn't pay it as he or she promised. There's probably information on credit reports that employees don't even know about, and yet employers can now just put a staple in it and toss it in the file.

How Much Do You Know?

When employees show up to work, they frequently have their photos taken and are issued electronic badges. These little mechanisms track an employee's every move in the company—which doors a person enters and exits, and when. Don't forget those bubbles in the ceiling that aren't fooling anyone. Those aren't decorative—they house cameras that tape every area of the building. Did an employee come in one weekend to photocopy a flyer for a garage sale? You can easily find out.

Each cube, every office, has a phone with voicemail. Employees can talk to their significant others every hour if they want. But who they call and what they say is a matter of corporate record. Some companies keep track of every phone number that employees dial, and some even record random conversations.

Employees have T1 access to the Web so they can watch George Lucas in Love every day in minty-fresh streaming format, or play their favorite radio stations without worrying about crappy reception through the steel-reinforced walls of the new office building. Everyone has an email address and receives embarrassing emails from friends and family. As an employer, you can look at every file on the computer, track every Web site an employee visits, monitor every keystroke he or she makes, and read every email to and from a particular address.

This next part may sound even more Orwellian, but it isn't as far fetched as you may think. Let's talk about fingerprints and DNA. My fingerprints along with hundreds of thousands of others are on file at a bank I used to work for. Another bank required me to pee in a cup for a drug test before I could show up for work. Some companies require blood tests. Sound over the top? I've worked for companies that have gathered all of this information.

Who knows what goes on in those labs once bodily fluid is extracted? Although DNA acquisition isn't commonplace today, I've heard tell of it. At the rate at which an increasing variety of information is being gathered, it wouldn't be out of the realm of possibility for this to become a reality in the next ten years.

What's being tracked at your company may be different based on your line of work or company size. What should concern you as a manager is the fact that it may not be difficult for your employees' information to be accessed by someone who has no right to it.

Informed Decisions

This isn't 1984 or Gattaca. There are very good reasons to gather all of this information. Employers must protect themselves and those who work for them from dangerous or malicious people. It's a sad reality that we can't hold the office door open for those we don't know because they may be the ones stealing our laptops and wallets from our cubicles. But don't we appreciate those bubble cameras when we get our belongings back?

Companies are also concerned about employee productivity and resource efficiency. How many of us are sorry to see the guy in the next cubicle get canned because he spent 24 of the 40 work hours in every week watching streaming video on ESPN, or storing MP3 files on the overflowing corporate servers?

Collected information is analyzed. Companies develop useful statistics based on the organization's diversity. HR may run some reports on where employees live to determine where to locate a new office or which commuting discounts to pursue.

Unfortunately, we're a litigious society. Employers need to protect themselves from liability for one employee's negative actions. Bad seeds can use technologies like email and the Internet to harass, offend, or defame others or otherwise disrupt the workplace. You must therefore develop rules to clearly define which actions are prohibited in the workplace and what rights the employer has to detect, investigate, and punish violations.

Employers can find themselves in a sexual harassment suit if employees visit pornographic Web sites during work, because such activities can create a sexually hostile environment for other employees. Companies are liable for employees' actions if a lawyer can prove that the employer allowed such behavior. Continental Airlines was taken to court for sexual harassment because of derogatory and insulting comments that some of its male pilots posted about a fellow employee. The posts appeared on an external, but work-related, bulletin board. A court found that, although it isn't a requirement for employers to monitor personal communications, it's the employer's responsibility to stop coworker harassment should it have reason to believe this is taking place, even if the forum isn't internal to the company.

Management must also be able to protect a corporate brand. Embarrassing email sent from company servers may come back to haunt you. Take the case of an email sent in December 2000 from an employee's email address at Norton Rose, a posh London law firm. The note contained a graphic exchange about oral sex, and spread like wildfire. The international media put the firm's employment and email policies under a magnifying glass. Countless hours were spent on damage control and protecting the firm's reputation. Is it wrong to expect the company to be able to track down who sent this email?

A Good Policy

Visit any e-commerce Web site and look at its customer privacy policy. Go to a site like TRUSTe and read its membership guidelines. Your company has probably already drafted an excellent customer privacy policy that's communicated constantly. It's all over your Web site and is included with every customer order. You even follow the privacy policy, turning down needed revenue, because you're not about to break the bond of trust you've established with your customers.

What about all of those folks in your cubicles and warehouses? Do you treat them with the same respect? Do they know what information you're collecting and why you're collecting it? Do you protect their personal information with as much vigor as you do your customers'? Do you allow your employees access to the information you have on them?

You should consider creating a policy that's as explicit as possible. A clearly stated policy builds trust between you and your employees and protects your company from lawsuits. Instituting a clear policy keeps employees from claiming a right to total privacy, and prevents your company from violating the federal wiretap or electronic communication privacy statutes (these prohibit unlawful access, use, or disclosure of wire or electronic communications, such as email).

Your policy on technology should cover employee use of computers, email, and voicemail. Such a policy should state that use of these technologies is limited to job-related areas, and make clear that there will be zero tolerance for any communications from these technologies that are derogatory, defamatory, obscene, harassing, unlawful, or otherwise inappropriate.

Therefore, if you tape telephone conversations, disclose it. If you have a policy on email usage and tracking, outline it. If you do have the ability to read each and every email sent from your servers, include that fact in your policy and go the extra mile to attach a signature on all outbound email so that even the recipient knows your guidelines. And what about the information stored on the employee's computer? Does the company own or have access to all of that data, too?

Where is personal employee information stored? Consider who can access these sensitive files. The best policy is to store the files in locked filing cabinets in a room with restricted access. For digital files, keep the information as safe as you do your customer information—put it on a secure server with restricted physical and log-in access.

What about data aggregation? Can you trace the data you're collecting back to a single individual, or are you simply compiling information for use in trend analysis? Just because you can track information to an individual doesn't mean you should. You need to determine why you're collecting the information and then decide how you'll store it, how long you'll keep it, and who has access to it.

In your policy, outline your storage and aggregation procedures. Include some specifics on who has access to the information and why. You'll want to provide instructions on how your employees can access their complete files.

And finally, include details about your policy on sharing employee information with partner companies. Will your employees' names and addresses ever be provided for any reason? Does your partner need the information for security reasons? If so, do individual employees have the right to opt out of this arrangement? Whatever the policy, notify your employees whenever a change is made.

Once you've drafted your employee privacy policy, you should distribute it to each and every employee and have each one sign it to acknowledge receipt and understanding of the document. Educate your supervisors about the policy so they can communicate it to their staff members. Building trust between you and your employees begins with helping them understand why you collect the information you do.

Building Trust

Remember, the information that's being collected on your employees is also being collected on you. As a manager, you implement policies to protect yourself and your company from litigation. Make sure your employees' interests aren't lost in the process.

You've already done the work with your customer privacy policy. Use it as the foundation to draft an employee privacy policy with your management staff and lawyers that protects both you and your employees. Then, incorporate the policy into your employment contracts. Publish it on your intranet and in your employee handbook, and discuss it during orientation sessions.

An employee privacy policy fulfills the same goals as your customer policy—increasing the trust between you and your employees and retaining them over the long term.

Mimi is a marketing manager at Rational Software and a comic book publisher. You can reach her at

Copyright © 2003 CMP Media LLC