
            When we think of data security and privacy of our data at work, information access protection is what we are typically thinking about as it deals with the control and access to our data by others.  Information access protection deals with control and limitation theories that deal with access and control over personal information (Tavani, 2007, p. 7).  One example of information access protection is evident from the Privacy Act of 1974, which restricts the collection, use, and distribution of information by federal agencies.

 

            How many of you reading this blog post have a cellular device provided by your company with mobile device management (MDM) software installed, or are required to install such software on your own device?  The use of MDM is common practice, and one that often comes without any indication of what your company is doing with your data.  So, the first recommendation is to proactively review mobile device management policies and procedures.  One study by Parham (2015) indicates that employees have grave concerns over employer access to personal email, texts, personal contacts, photos, videos, voicemails, and so forth (p. 25).  Your company can install an MDM solution that protects your data and containerizes corporate data, allowing them to erase corporate data without impacting or viewing your information.  Providing features like a mandatory PIN, for instance, instills a greater sense of privacy (Parham et al., 2015, p. 26).  It seems simple; what else can your organization do?

            The second recommendation resulting from my research is to weigh the costs and benefits of security controls.  Security controls, while typically in place to protect an organization, often cause stress, health problems, and the sense that privacy has been invaded (Leclercq-Vandelannoitte, 2017, p. 141).  Taking the simple step of making sure controls have value from both an employee and an employer perspective reduces those feelings of privacy invasion while providing greater protection for your organization (Lee, Lee, & Kim, 2016, p. 68).  So how can we weigh the costs and benefits of security controls?

            One method is to weigh asynchronous vs. synchronous security controls.  Real-time internet monitoring and keystroke logging by organizations create a feeling of privacy invasion.  Doing things asynchronously, like passive email monitoring and examining internet or phone records upon HR request, significantly reduces that feeling of privacy invasion (Tomczak, Lanzo, & Aguinis, 2018, p. 254).  Another helpful step is to roll out monitoring software selectively based on system authority or access to essential information assets, which also reduces the sense of privacy invasion (Lee et al., 2016, p. 68).  Some employees appreciate security and notifications when well designed.  Potoglou, Dunkerley, Patil, and Robinson (2017) found an appreciation amongst employees for items like warnings on websites that contain security concerns like phishing or other security and privacy attacks (p. 820).  All of these tools generate data on employees, which brings me to my next recommendation.

            Organizations should limit data collection where it lacks value, and where the data does have value it should be anonymized or obfuscated and erased when its use is finished.  Excessive accumulation of data is directly linked to an employee’s feeling of privacy invasion (Carpenter, McLeod, Hicks, & Maasberg, 2018, p. 95).  Many organizations think that anonymizing data is an uphill battle.  However, ethical use of data requires anonymizing and protecting that data (Herschel & Miori, 2017, p. 33).  What if you are a believer that big data can’t be anonymized?

            There are several other options for removing employee personal information from your organization’s data sets.  Obfuscating data is one step an organization can take to produce misleading, false, or ambiguous data to make it less valuable to malicious actors.  Systems should be designed not to collect personal information where it isn’t necessary, and employers can purchase anti-tracking systems for employee systems to further protect their web activity (Pascalev, 2017, p. 42).  So, let us suppose an organization has taken steps to protect employee data, but you have a bad actor in the organization?
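The two paragraphs above (limit collection, pseudonymize what has value, erase it when finished) can be turned into a small, testable pipeline. The following is an added example written for this post, not code from the original article or from any vendor it names. The record layout, field names, retention window and sample monitoring records are assumptions for illustration; the technique is a keyed hash (HMAC-SHA256) for pseudonymization, field allow-listing for minimization, and a retention check for erasure.

```python
"""Data-minimisation pipeline for employee monitoring records (added example).

1. Keep only the fields the organisation has documented a purpose for.
2. Replace direct identifiers with a keyed hash so analysts can still
   correlate events without seeing who the employee is.
3. Purge records older than the retention window once their use is finished.
Field names, retention period and sample records are constructed for illustration.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Fields with a documented purpose; anything else is dropped (assumed list).
KEEP_FIELDS = {"event_ts", "user", "device_id", "event_type", "bytes_out"}
# Direct identifiers that must be pseudonymised before analysts see them.
PSEUDONYMISE_FIELDS = {"user", "device_id"}
RETENTION_DAYS = 30  # assumed retention window

# Constructed sample records, shaped like what an MDM/monitoring tool might emit.
SAMPLE_RECORDS = [
    {"event_ts": "2024-03-01T09:15:00+00:00", "user": "alice@example.com",
     "device_id": "IMEI-356938035643809", "event_type": "upload",
     "bytes_out": 52_000_000, "url": "https://intranet/personal/photos",
     "gps": "51.5074,-0.1278", "contacts_synced": 412},
    {"event_ts": "2024-03-28T17:40:00+00:00", "user": "bob@example.com",
     "device_id": "IMEI-490154203237518", "event_type": "email_sent",
     "bytes_out": 2_400, "url": None, "gps": "48.8566,2.3522",
     "contacts_synced": 0},
]
# Constructed "current time" so the retention check is deterministic.
DEMO_NOW = datetime(2024, 4, 2, tzinfo=timezone.utc)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash of an identifier. Same input -> same token, so events can
    still be correlated, but the token cannot be reversed without the key,
    which should be held by HR/legal rather than by the analyst."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimise(record: dict, key: bytes) -> dict:
    """Return a new record containing only allow-listed fields, with direct
    identifiers replaced by pseudonyms. The original record is not modified."""
    out = {}
    for field in KEEP_FIELDS:
        if field not in record:
            continue
        value = record[field]
        if field in PSEUDONYMISE_FIELDS and value is not None:
            value = pseudonymise(str(value), key)
        out[field] = value
    return out


def is_expired(record: dict, now: datetime, retention_days: int = RETENTION_DAYS) -> bool:
    """True when the record is older than the retention window."""
    ts = datetime.fromisoformat(record["event_ts"])
    return ts < now - timedelta(days=retention_days)


def process(records, key: bytes, now: datetime):
    """Minimise every record, then drop those past retention.
    Returns (kept_records, number_purged)."""
    minimised = [minimise(r, key) for r in records]
    kept = [r for r in minimised if not is_expired(r, now)]
    return kept, len(minimised) - len(kept)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-do-not-reuse"  # in practice: a managed secret
    kept, purged = process(SAMPLE_RECORDS, demo_key, DEMO_NOW)
    print(f"kept {len(kept)} record(s), purged {purged}")
    for r in kept:
        print(r)
```

Note that the GPS position, the URL and the contact count never leave the first function, which is the point: a field that is never stored cannot be leaked or resented. The pseudonym key is the re-identification secret, so it belongs with whoever is authorized to act on an HR request, not with the people running reports.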

            How many of you work in an organization that turns a blind eye to information security misbehavior?  Misbehavior is anything against a policy, ethics, or the law.  Organizations need to create sanctions for information security misbehavior and enforce those sanctions.  Insider threats are one of the greatest risks to employee data today.  Using Human Resources to enforce sanctions, and increasing the severity of sanctions with repeated misbehavior, raises the effort and risk of misbehaving while reducing its rewards.

            This is the end of the road for this series in protecting employee privacy.  As a recap, here are my 10 steps an organization can use to reduce the perception of employee privacy invasion:

 

References

Carpenter, D., McLeod, A., Hicks, C., & Maasberg, M. (2018). Privacy and biometrics: An empirical examination of employee concerns. Information Systems Frontiers, 20(1), 91-110. doi:10.1007/s10796-016-9667-5

Herschel, R., & Miori, V. (2017). Ethics & big data. Technology in Society, 49, 31-36. doi:10.1016/j.techsoc.2017.03.003

Leclercq-Vandelannoitte, A. (2017). An ethical perspective on emerging forms of ubiquitous IT-based control. Journal of Business Ethics, 142(1), 139-154. doi:10.1007/s10551-015-2708-z

Lee, C., Lee, C., & Kim, S. (2016). Understanding information security stress: Focusing on the type of information security compliance activity. Computers & Security, 59, 60-70. doi:10.1016/j.cose.2016.02.004

Parham, A., Mooney, J., & Cairney, T. (2015). When BYOD meets big data. The Journal of Corporate Accounting & Finance, 26(5), 21-27. doi:10.1002/jcaf.22059

Pascalev, M. (2017). Privacy exchanges: Restoring consent in privacy self-management. Ethics and Information Technology, 19(1), 39-48. doi:10.1007/s10676-016-9410-4

Potoglou, D., Dunkerley, F., Patil, S., & Robinson, N. (2017). Public preferences for internet surveillance, data retention, and privacy enhancing services: Evidence from a pan-European study. Computers in Human Behavior, 75, 811-825. doi:10.1016/j.chb.2017.06.007

Tavani, H. (2007). Philosophical theories of privacy: Implications for an adequate online privacy policy. Metaphilosophy, 38(1), 1. doi:10.1111/j.1467-9973-2006-00474.x

Tomczak, D., Lanzo, L., & Aguinis, H. (2018). Evidence-based recommendations for employee performance monitoring. Business Horizons, 61(2), 251-259. doi:10.1016/j.bushor.2017.11.006

 


            Interference protection, much like intrusion protection, started with the non-interference view of privacy.  This view of privacy originated from the 1965 case of Griswold v. Connecticut and focused on an individual’s ability to make choices or decisions without external influence (Tavani, 2007, p. 5).  One example frequently seen in the workplace is forcing or enforcing policy on your employees without their participation in the development process.  So how do we decrease the feeling of being interfered with when it comes to digital privacy?

 

            One of the first things you might have heard about when watching Law and Order, Live PD, or Cops is the term consent.  There are several components or portions of informed consent, including:

  1. The competence to understand and decide
  2. Freedom of decision
  3. Disclosure of material information
  4. The recommendation of a plan
  5. Understanding the disclosure and recommendations
  6. Deciding in favor of a plan
  7. Finally, authorization of the plan (Pascalev, 2017, p. 41)

The process of gaining consent also requires individuals who are competent to consent, have consented voluntarily, are fully informed about what they are consenting to, and comprehend what they have been told (Pascalev, 2017, p. 5).   Sound familiar?   Doesn’t this feel like consent is a critical component of privacy?

            The General Data Protection Regulation (GDPR), a regulation which many organizations are struggling to deal with, provides a unique view of consent and its role in the processing of data by employers.  The GDPR says that employee consent provides the grounds for an employer to collect, process, or disseminate personal data for secondary use (Politou et al., 2018, p. 5).  Much like the European standard, US organizations should obtain consent from employees and allow that consent to be revoked or modified.  So beyond gaining sign-off on policies, how can an organization gain consent or further decrease an employee’s sense of interference by their employer?

            Employers should allow employees to participate in decisions about and exercise control of their private information!  Support exists from several contemporary researchers for allowing employees to self-control information to extend the sense of privacy (Drake, 2016, p. 439; Chory, Vela, & Avtgis, 2016, p. 38).  One study found that allowing your employees to participate in just one aspect of how and when monitoring of employees takes place enhances perceived autonomy and provides greater intrinsic motivation (Tomczak, Lanzo, & Aguinis, 2018, p. 257).  Another study by Parham, Mooney, and Cairney (2015) finds that allowing employees to participate in security solutions development reduces the risk of lost productivity from employees by nearly 50% (p. 26)!  So how do you encourage participation in the security and privacy process to increase autonomy, motivation, and productivity? 

            For starters, several ideas can be picked up from the privacy marketplace, which will assist in empowering employees to manage their privacy.  First is the concept of privacy exchanges.  Privacy exchanges are central authorities that allow individuals to set up their privacy terms, forming consent, and standardizing the process of creating and applying privacy preferences throughout organizations (Pascalev, 2017, p. 39).  The concept of a privacy exchange is similar to what we see on Facebook or LinkedIn with employee self-managed access but allows one application to provide standardized consent and allows employees to make decisions on access control.  One such example is Identos (https://identos.com/federated-privacy-exchange/).  The idea of allowing employees to participate in privacy decisions doesn’t have to be complicated if you don’t have a large IT organization.

            Another idea would be allowing employees to participate in the production of organization-wide policies.  You can create employee committees comprised of individuals from throughout the organization to participate in the creation and clarification of policy.  This employee participation can then be advertised to show that, as an employer, you are listening to your employees’ feedback and creating buy-in.  Need proof that this works?  Take a look at Chory et al. (2016), who find that employees who aren’t able to participate in policy and procedure development view those items as unfair and non-representative!

            See you this Thursday for the final segment on information access protection!

 

 

References

Chory, R., Vela, L., & Avtgis, T. (2016). Organizational surveillance of computer-mediated workplace communication: Employee privacy concerns and responses. Employee Responsibilities & Rights Journal, 28(1), 23-43. doi:10.1007/s10672-015-9267-4

Drake, J. (2016). Asking for Facebook logins: An egoist case for privacy. Journal of Business Ethics, 139(3), 429-441. doi:10.1007/s10551-015-2586-4

Parham, A., Mooney, J., & Cairney, T. (2015). When BYOD meets big data. The Journal of Corporate Accounting & Finance, 26(5), 21-27. doi:10.1002/jcaf.22059

Pascalev, M. (2017). Privacy exchanges: Restoring consent in privacy self-management. Ethics and Information Technology, 19(1), 39-48. doi:10.1007/s10676-016-9410-4

Tomczak, D., Lanzo, L., & Aguinis, H. (2018). Evidence-based recommendations for employee performance monitoring. Business Horizons, 61(2), 251-259. doi:10.1016/j.bushor.2017.11.006

 


            Have you ever had concerns about your privacy in the workplace?  Have you ever taken the time to Google your telephone number, name, or address to see what information is out there about you on the web?  Are you concerned, like many, about the accidental or improper exposure of confidential information by your employer?  If you answered yes to any of these questions, this video series is for you.

            Individuals define privacy differently depending on the source and culture.  For instance, Merriam-Webster defines privacy as “the quality or state of being apart from company or observation or freedom from unauthorized intrusion” (Merriam-Webster, 2020).  In the digital era, a researcher by the name of James Moor investigated the concept of privacy in the digital age examining individual privacy in terms of being protected from intrusion, interference, and information access from others (Moor, 1997, pp. 4-5).   

            Group privacy is just as important as individual privacy.  Self-determined groups maintain the perception of autonomy due to the private nature of the communication networks (Helm, 2018, pp. 303, 305).  The level of perceived digital privacy within a group is altered depending on how organizations leverage automated programs to monitor and interject themselves into the private sphere of a group (Helm, 2018, p. 310).

            As an individual or member of a group, you are likely aware that an organization is monitoring your digital footprint.  However, the monitoring is likely contrary to your privacy wishes.  What level of expectation do you have for your employer protecting your privacy?  One set of researchers points out that most people are incredibly concerned with the loss of control, unintended disclosure, or misuse of their data.  Responsible organizations want to respect employee privacy; however, they often have a conflicting need to protect information, equipment, reputations, and investments (Chory, Vela, & Avtgis, 2016, p. 24).  There are also plenty of examples of irresponsible corporate behavior that we’ve all witnessed in the media.

            Take, for instance, the Sony cyberattack of 2014, where the organization was found negligent for not guarding against a cyberattack, which resulted in personal information, work information, and personal emails being posted online, exposing employees to identity theft, embarrassment, and career damage (Chory et al., 2016, p. 24).  Another example is that of Facebook requesting the social media login credentials of job applicants, or Intermex terminating an employee who objected to and refused consent for constant location monitoring on behalf of the employer (Tomczak, Lanzo, & Aguinis, 2018, p. 252).

            You might be asking yourself, what tools would an employer be using to monitor my activities?  They vary but can include productivity software, electronic performance monitoring utilities, mobile tracking systems, and mobile device management systems.  These utilities are all used to monitor a worker’s documents, internet access, email, instant messaging, calendaring, social media access, wellness data, training and development, along with safety (Areheart & Roberts, 2019, pp. 757, 759; Tomczak et al., 2018, pp. 251-252; Chory et al., 2016, p. 25).

            So, if you suspect your employer is monitoring your behavior, why might they want to do so?  One benefit of monitoring is finding toxic behavior in the workplace, such as racial bias, sexual harassment, and cyberloafing.  Another frequent cause for monitoring is to investigate or prevent security misconduct, which includes breaches of trade secrets, intellectual property, and employee files.  Finally, many employers are leveraging the data to measure and improve task performance, productivity, health, and absenteeism in the workplace.

            According to Ribitzky (2007), 78% of all organizations monitor electronic performance of some type, leading to many negative impacts for employees.  These impacts include open resistance from employees, concerns about privacy rights, due process, trust, and fairness.  Employee surveillance can also increase levels of stress while decreasing levels of job satisfaction, organizational commitment, and task performance.  Employees can also feel suspicion, deceit, untrustworthiness, and have lower quality relationships with their management. 

            There are several factors that organizations can address to impact an employee’s feeling of normative privacy.  Normative privacy is privacy that is protected based upon ethical, legal, or conventional norms; an IT staffer reading confidential documents without permission is an intrusion on it.  Normative privacy differs from natural privacy, which is a situation in which one is protected by natural means, such as holding a private conversation in a closet, and which isn’t protected by legal or ethical norms.  Moor (1997) proposed a theory of privacy in the digital age offering three types of protection that are needed to feel a sense of normative privacy: intrusion protection, interference protection, and information access protection.

            I’ll discuss intrusion protection, interference protection, and information access protection in depth in the next three posts of this series on digital privacy.  As a primer, intrusion protection is the concept of being let alone or free from intrusion, interference protection is the ability to make decisions without external influence, and finally information access protection is the control and limitation of access to data by others.  I look forward to an active discussion across social media as I share my research on digital privacy from my doctoral journey.

 

References

Areheart, B., & Roberts, J. (2019). GINA, big data, and the future of employee privacy. Yale Law Journal, 128(3), 710-790.

Chory, R., Vela, L., & Avtgis, T. (2016). Organizational surveillance of computer-mediated workplace communication: Employee privacy concerns and responses. Employee Responsibilities & Rights Journal, 28(1), 23-43. doi:10.1007/s10672-015-9267-4

Helm, P. (2018). Treating sensitive topics online: A privacy dilemma. Ethics and Information Technology, 20(4), 303-313. doi:10.1007/s10676-018-9482-4

Merriam-Webster. (2020). Privacy. Retrieved from https://www.merriam-webster.com/dictionary/privacy

Moor, J. (1997). Towards a theory of privacy in the information age. Computers and Society, 27(3), 27-32. doi:10.1145/270858.270866

Ribitzky, R. (2007). Active monitoring of employees rises to 78%. ABC News. Retrieved from http://abcnews.go.com/Business/story?id=88319&page=1

Tomczak, D., Lanzo, L., & Aguinis, H. (2018). Evidence-based recommendations for employee performance monitoring. Business Horizons, 61(2), 251-259. doi:10.1016/j.bushor.2017.11.006

 

 

 


            Intrusion protection comes from the non-intrusion view of privacy and is the concept of being free from intrusion or being let alone.  The theory was initially proposed in 1890 by Samuel Warren and Louis Brandeis (Tavani, 2007, p. 5).  An example of non-intrusion would be the Fourth Amendment of the U.S. Constitution, which limits unreasonable search and seizure.

            Four themes emerged from my research on things your employer could be doing right now to ensure that we are free from intrusion as viewed in the figure below: 

            In terms of suggestion one, there is quite a bit of existing legislation in the United States providing varying levels of privacy protection.  Some states, like California with its CCPA initiative, are working hard to get up to speed with privacy legislation.  From a constitutional perspective, there is a weak right to privacy (Blair, 2018).  Several federal laws on the books already offer limited privacy protection for employees, including:

  • Genetic Information Nondiscrimination Act (GINA)
  • Privacy Act of 1974
  • Electronic Communications Privacy Act (ECPA)
  • Americans with Disabilities Act (ADA)
  • Stored Communications Act (SCA)
  • National Labor Relations Act

Three states, Illinois, Texas, and Washington, have laws prohibiting the interception of any personal communications without obtaining consent (Areheart & Roberts, 2019, pp. 762–762).

            Next up is the creation or revisiting of written information technology policies.  How many of you work for a company which provides transparent policies to employees?   Research shows that supplying clear policies not only mitigates legal threats for companies but leads to acceptance by employees and a perception of fairness (Tomczak et al., 2018, p. 254).  How many of you work for organizations that might have policies, although they might be as clear as mud?  Policies need to be clear and unambiguous, written from a pro-employee perspective, while explaining what expectations of privacy employees should have (Chory et al., 2016, p. 39; Cortini & Fantinelli, 2018, p. 165; Katsabian, 2019, p. 248).

            Policy for employees needs to be clear in purpose, stating any intent to monitor, applications that may be monitored, and how the corporation deals with the data.  Employers should have a few specific policies with special provisions, including:

  1. BYOD Policy – Including assurances that employers will avoid viewing personal content on devices
  2. Social Network Policies – Allow employees to use their voices and decrease feelings of privacy invasion by specifying what social networking sites are work only, let employees know what behavior is off-limits, let employees know what social media access is acceptable while at work
  3. Email Management Policies – Specify what rules apply to personal email sent from work accounts, rules on accessing private email accounts from work, or what activities are regulated in terms of communications from work devices

            Topic three is changing the way that training is provided to employees.  Does your organization provide awareness training concerning security policy, threats, or safeguards in use at the organization?  Training allows employees to ask questions about these topics in the workplace and should be extended regularly (Blair, 2018, p. 167).  Research by Lee, Lee, and Kim (2016) indicates that trained employees are more willing to participate in an organization’s information sharing and security activities (p. 63).   What if your opinion matches the research of Baxter, Holderness, and Wood (2016) that employees often dislike IT security and privacy training (p. 119)?  You change it up!

            Implementing gamification, applying gaming principles to training, can improve learning!  Add stories or themes with points, leaderboards, and achievements, making the experience fun, informative, and less tedious for employees (Baxter et al., 2016, p. 120).  Baxter et al. (2016) demonstrated that gamification of training leads to higher employee satisfaction levels while introducing marginal improvements in overall learning!

            Finally, employers need to exhibit more transparency for employees.  If an employer has a problem with perceptions of organizational fairness, they should be transparent about employee monitoring and explain why they find monitoring necessary.  Employees are not unreasonable!  One idea is to extend a written promise to employees that your staff will not view personal content on employee devices where possible.  Gain consent for monitoring and collecting someone’s personally identifiable information, and provide transparency to employees about how their data is being used and reused.

            Next week we will discuss interference protection along with its tie into policy and personal control over information. 

 

References

Areheart, B., & Roberts, J. (2019). GINA, big data, and the future of employee privacy. Yale Law Journal, 128(3), 710-790.

Baxter, R., Holderness, D., & Wood, D. (2016). Applying basic gamification techniques to IT compliance training: Evidence from lab and field. Journal of Information Systems, 30(3), 119-133. doi:10.2308/isys-51341

Blair, L. (2018). Contextualizing bring your own device policies. Journal of Corporation Law, 44(1), 151-170.

Chory, R., Vela, L., & Avtgis, T. (2016). Organizational surveillance of computer-mediated workplace communication: Employee privacy concerns and responses. Employee Responsibilities & Rights Journal, 28(1), 23-43. doi:10.1007/s10672-015-9267-4

Cortini, M., & Fantinelli, S. (2018). Fear for doocing and digital privacy in the workplace: A dual pathway model. Management Revue, 29(2), 162-178. doi:10.5771/0935-9915-2018-2-162

Katsabian, T. (2019). Employees' privacy in the internet age. Berkeley Journal of Employment and Labor Law, 40(2), 203-255. doi:10.15779/Z38NG4GS3G

Lee, C., Lee, C., & Kim, S. (2016). Understanding information security stress: Focusing on the type of information security compliance activity. Computers & Security, 59, 60-70. doi:10.1016/j.cose.2016.02.004

Tavani, H. (2007). Philosophical theories of privacy: Implications for an adequate online privacy policy. Metaphilosophy, 38(1), 1. doi:10.1111/j.1467-9973-2006-00474.x

 
