What Is A Fair Privacy Policy?
"From the employee's position, it's easy to scoff at the fascist-sounding stuff we read on here regularly ('We can and will see and hear everything you do when and if we want to.') but as a 'responsible' member of the management team, I have to take into consideration the legal ramifications of NOT reserving such rights. If we think someone is keeping a gun in his desk, we want to be able to check it. If someone is harassing people from our email system, we want to be able to verify it. What I don't want, however, is the creation of a police state (be it on paper or otherwise).
I'd like to come up with a healthy compromise -- We want to create a policy that shows our 'user friendliness', yet we must please the big VCs and protect ourselves as a corporation. We want to say 'We respect your privacy and will make every effort not to monitor you, but we reserve the right to do so.' Is such a compromise possible? What should a reasonable privacy policy say (and how should it be said?) Where does the line between 'employer covering its ass' and 'fascist bastards' get drawn?"
Re:two words; (Score:1)
It's about being barely tolerable (Score:1)
You sound like you want to hire an "expert" to construct a work environment that will be just barely tolerable enough that people won't refuse to leave.
Well that sucks! Let's see... I'll take a job where the commute irritates me just slightly less than the amount that would cause me to go elsewhere. The pay will be just barely tolerable for me to live on, and the company policies will make me unhappy, but not so unhappy that I'll actually get up and leave. What a way to live. Ugh.
-Dean
Re:UK Data Protection Model (Score:1)
The Data Protection Act 1998 does apply to paper based records. This was one of the changes over the 1984 Act.
employees shouldn't get much privacy (Score:1)
Ask for user input (Score:1)
One of the best elements to our process was the fact that employees were asked their opinions as the policy was written. This sort of iterative feedback not only created awareness and buy-in, but it also created a more rational set of policies.
What I learned: It might be useful to import some of the old software development techniques into the creation of corporate documents.
Well... (Score:1)
;-)
What about Bruce Perens GNU "employee handbook" (Score:1)
Re:Only in the case of complaints (Score:1)
"It is our policy to NOT read email or monitor network traffic unless there is suspicion of wrongdoing"
I have seen other policies like this. My own employer's drug testing policy is like that: "We test if we have reason to suspect that a person is using drugs during work hours" or some similar wording (too lazy to get the specific wording).
(if it were a policy of random or mandatory testing I would have never come to work here)
Unless there are legitimate complaints of wrongdoing... then it's all good, isn't it?
I would also encourage people to have, and allow them to easily access, personal email accounts from work machines... that way they can more easily keep personal and professional email separate.
-Steve
Re:Timing of usage searches important (Score:1)
Re:MOD THIS GUY UP (Score:1)
Moderation Totals:Offtopic=1, Troll=1, Redundant=1, Funny=5, Overrated=4, Total=12.
I don't see the redundancy though.
-Jon
Privacy like Porn (Score:1)
Rough Policies (Score:1)
Re:Sample of one I have recently implemented (Score:1)
If those were decided in favor of releasing histories, caches and other logs, you might throw something about that into your policy as well.
-- fencepost
Limits (Score:1)
The same idea holds for emails too. Unless someone tells management that they're being harassed or threatened, there isn't any reason to read through them.
I would also suggest some statute of limitations (nothing after 60 days, for example). This prevents the situation where someone gets mad because somebody else got the promotion and suddenly decides that the off-color joke they sent last year was harassment.
irresponsible screed (Score:1)
Question: What is a fair privacy policy?
Deliberation: Hmmmmmm.
Answer: If it successfully protects privacy, then it's fair. Otherwise, it's not.
God, I love the bourgeoisie. You just don't get it, do you?
Re:4 Separate Issues (Score:1)
Make it easy to read (Score:1)
What a company I used to work for did - (Score:1)
Re:You forgot the most important part... (ot, spam (Score:1)
Like this one any better? My
----------
do { Work(); PayTaxes(); Eat(); Sleep(); } while (alive)
Re:I'm thinking that this isn't the major issue he (Score:1)
Re:Thats a tough call! (Score:1)
Your company is liable because you sending email to other people within the company might be construed as company business and therefore their legal responsibility. If my ISP can send me bills only by email, it can change its terms and conditions by email, then it can certainly be held responsible for the email it sends. I can't refuse to pay the bill just because it was emailed to me instead of posted.
A fair privacy policy (Score:1)
But I digress. I should be pontificating on that wondrous subject of privacy in the office. Well, do your employees have something to hide? Has John been asking about 'when the privacy policy will be in'? If so, maybe you should do a cavity search before Section II.445 says 'NO cavity searches without a warrant'. I watch Law & Order, you know. It's sickening what they get away with, all because they 'need a warrant', or they 'beat out the confession', or they 'didn't adhere to proper corpse handling procedures.' Just sick.
And you know where a fine programme such as Law & Order gets its ideas, right? Real life. So let's have an upstanding privacy policy. In fact the employees should assume they're being monitored anyways. After all, anything they keep private could be degrading the company service. Do you really want to sacrifice $$$$$ for 'employee privacy' and funny tasting Lattes? I certainly wouldn't. But that's me, I'd put profits before my employees, after all, they're a dime a dozen, especially if I'm not running a business that requires thought, such as a sweat shop.
You know, I don't want to go off on a tangent here, but, have you considered modelling your workplace after a sweatshop? I'm sure there are many fine corporations that can attest to their power and efficiency... And no icky crap about 'employee privacy' to worry about...
Or you could just employ trained monkeys, rendering the whole thing moot...
How About This? (Score:1)
Re:Fairness (Score:1)
Well, your statement is rather diametrically opposed to just about everything I said. The model you propose is based on distrust and fear, and knowing how and when you might get spanked and why can absolutely be openly communicated without missing out on the deterring effect. Examples?
You have a lot of permanently installed traffic cameras in Europe (red lights, speed). The installation is a grey box which might or might not contain an actual camera. Although every driver knows how and where he might get caught, the system has an extremely preventive effect. 90% of all boxes are empty at all times, but would you gamble your license even if the mathematics (1:10 chance of getting caught) are on your side?
Privacy policy (Score:1)
I work for an organization that monitors everything all the time. I think lots of companies scan attachments in email for viruses.
If I were working for your company, I would like to see a policy that provides a guarantee of due process. Here are the things that I think would be good:
Re:If you phrase it like that, NO (Score:1)
Keep them in line with fear!
We reserve the right to check your possessions, mail, and court records, for any damn reason we choose. Including but not limited to, our own damn amusement for Christmas parties.
It's not about fairness (Score:1)
The researchers and experts exist, you just have to be willing to pay for their time. It's the exact same situation as hiring an ergonomics expert to decrease the probability of a permanent disability claim.
-- ShadyG
Re:Can't be done (Score:1)
Do you really think it works that way? You can't relieve yourself of liability just by saying so in some sort of Bart Simpson "I'm just waving my arms and walking forward and if my hand happens to hit your face then it's not my fault" kind of deal. Hell, if you could I'd just get a "Look Out -- Scary Driver" sign and drop my car insurance.
Re:Be HONEST (Score:1)
I agree with you, and really wish that I could work for a company that had such a relaxed tone with its employees. I used to, and yes, they got my loyalty that way.
My concern is, in today's lawyer-driven world, would such language stand up in court? Couldn't an attacker (euphemism for plaintiff's attorney, seemed appropriate with all of the security talk these days) argue that the instruction was overly vague?
Privacy at Work??? (Score:1)
No Expectation of Privacy (Score:1)
The most enlightened policies will combine this with a specific list of cases where monitoring may occur (e.g., where suspicion of illegal activity exists, etc.) AND specify what authorization is required to snoop. Perhaps require two separate executive individuals to authorize, say the head of IS and HR together.
You want to assure your employee that they will be monitored only for good cause, not because some e-mail admin is really bored or some manager is paranoid.
Re:Timing of usage searches important (Score:1)
-----
Re:Timing of usage searches important (Score:1)
Setting specific times/dates for auditing effectively renders audits useless.
By doing that, you are permitting people that have malicious intent in using the computer "outside the rules", because they can cover up their trails very very easily. The only people you're ever going to find "abusing" the system are the poor fellows who were doing things inadvertently and weren't really paying attention to whether they were inside or outside the rules...
In other words, Joe Smith that is sending confidential info outside the company will cover up his tracks easily by only sending/receiving funny email from 9:00 to 12:00 and always deleting whatever he gets, while Jane Doe will get busted because she viewed one-too-many GAP catalog pages (the limit was 50 and she forgot...) between 4 and 6...
-----
You forgot the most important part... (ot, spam) (Score:1)
do { Work(); PayTaxes(); Eat(); Sleep(); } while (alive)
You forgot to add a call for HaveFun(); in that Do statement. Without calling HaveFun() then there is no point in being (alive), and so the Do statement should immediately exit and call Die().
Come to think of it, you should rewrite as a nested loop with HaveFun() executing 3 or 4 times per execution of the above Do loop. Just a thought.
-Kasreyn
P.S. you might want to throw in HaveSex() in there too. You wouldn't want to exit that statement without calling THAT function at least once... would you? =P
P.P.S. to moderators, yes this is ot but it's for bool to read and he left no email address.
Re:How About This? (Score:1)
Mutually exclusive (Score:1)
--Blob
Just tell me what you're looking at! (Score:1)
1. Trust. Employees work better when uncertainty is at a minimum.
2. Self-policing. If you have a filter which logs every url I hit on the web, and flags inappropriate ones, I'm simply not going to go to those sites, which is the whole point in the first place.
3. Voluntary removal. Employees who can't/won't live with the restrictions may simply quit once they see the handwriting on the wall.
4. Early correction. If you don't disclose that you are logging all web activity, and you approach an employee who goes to an xxx site, suddenly everyone feels violated (it will get out quickly), starts worrying about what they were doing when they thought they were alone and you have a real morale and maybe legal problem. If you disclose what you are doing, then you can have the guy's boss say "hey, you know this stuff is logged, knock it off" and it isn't a huge deal.
-----------
Don't Write Too Many If-Then Clauses (Score:1)
You're looking for a document that is a guide, not a straitjacket, one that can be interpreted and reinterpreted as your company culture grows and changes.
MrF
Business isn't about the good guy (Score:1)
Your employees will respect you because you treat them well, and you prove yourself through actions. Not because of some silly handbook. Most of the time it doesn't get read anyway.
You have to cover yourself. If you write the hand book to be a nice guy, and someone violates a law where you have not covered the company, the company is the one that is liable for it. The person that wrote the handbook gets fired, the company gets sued, and the employee doesn't really get what he deserves for violating a law on company time.
Like I said before, it's not what's in the book that counts day to day, it's how you actually treat the people who work for you.
The real key is mutual respect, for employees... (Score:1)
some thoughts (Score:1)
The Company... (Score:1)
Any way, I see
Too vague? (Score:1)
Plain English, well-written, is often more precise than tortured legal constructions -- and no one can reasonably argue that they did not understand it. And virtually any written regulation will include some vague areas; just don't go tromping on employees' rights when one of those vague areas is involved, and you'll never wind up in court about vagueness.
Honesty = Respect = Trust (Score:1)
Speak softly and carry a big stick (Score:2)
Have a good policy that covers who all needs to agree to read an employee's email (notification? consent? HR notification? approval? Corporate Counsel notification? approval?) before you start doing it, and stick to it.
My actions have helped get people fired who deserved to be fired for cause. My actions have defended innocent employees against unfounded accusations. Distasteful? Yeah, it still is. But each instance is reviewed by HR before I go forward with it. They don't ask me to touch employee email unless there's a good reason to expect that key information will be found there--and it usually is.
The rub is, of course, that according to the policies as outlined ("the rights" the corporation reserves), I can read anyone's mail for any reason at any time. One of the reasons I don't quit is that I'd rather not have someone who enjoyed this facet of the job doing it... With apologies to Douglas Adams: "On no account should anyone who manages to intentionally worm their way into a position where they can read email actually be allowed to do it."
Re:Sample of one I have recently implemented (Score:2)
Just state that personal printing from the web should be limited to a few pages, with no *color* printing, abuses will be handled on a case by case basis as necessary.
two words; (Score:2)
If you store or use your customer's data for ANY purpose other than the basic requirements of supplying logistics for THE TRANSACTION (provision of goods in exchange for money) - then you must keep that data private, and never use it for ANY other purpose.
Unless the customer specifically opts in to other programs like marketing research or whatever.
If you create a program where you sell an address list to another party, then the customer should be entitled to a share of the profits, be it
Shouldn't be too hard (Score:2)
Perens Employee Handbook (Score:2)
http://linuxvc.com/Free_Software/Employee_Handboo
-Waldo
Keep in mind... (Score:2)
As to an internal policy, I like the idea of limiting all intrusions to suspicion of illegal activity. Certainly, you should explicitly *exclude* from company interest anything people do on their own time. e.g., don't have a "drug policy". If someone's drug habit interferes with work, fire him for being a bad worker. If it doesn't interfere, what do you care?
Re:Thats a tough call! (Score:2)
It's interesting that you would say that. But I have to tell you that because of the way the law is structured, it is very difficult to allow employees total privacy. For example, in the instance of e-mail security. If you tell employees that e-mail is totally private and we don't do any monitoring bad things can happen.
For instance, yesterday on Slashdot I read about some people who got busted for spamming people with an old newspaper ad scam that makes people believe that they will be paid for stuffing envelopes in exchange for a fee, in their case 24 pounds. If they had used, say, your company's e-mail system to do the scam, then that would make *THE COMPANY* liable for damages (in their case it was something like 65,000 pounds they had to pay back). (Sorry, too lazy to insert a link)
The only way to avoid such things is to actually reserve the right to monitor. A reasonable company would only monitor when there was reason to believe that a problem existed (for example, when system logs point out that one user sent 6 million e-mails from his account. Ya gotta be just a LITTLE suspicious their
How about asking the employees? (Score:2)
Say everyone likes to listen to music, but they want a more personal selection. You may not want to allow streaming audio (or video) from the outside, due to security or bandwidth considerations. Maybe you could set up some kind of MP3 server, then (you must have a junk box somewhere, that you could outfit with a large drive). Everybody could place their MP3s on it, and share them around (rather than duplicating them on each desktop).
To CYA yourself legally, don't allow porn or warez. Codify it in the manual, but in practice don't actively look for it - but if it comes up (like say you're looking at a firewall log and you notice a reference to a porn site), privately speak to the individual - make it known that it won't be tolerated. If it is found again, let the person go. Even if it is the "higher ups" (esp. here - why should they get special treatment? - if you have someone on staff with enough skills he/she might be checking up internally without your knowledge of what management is up to, as their own form of CYA - heh, heh).
One thing to codify in the manual - add a line that says that the policy will only change with written changes, to be signed by the employee (ie, updates), and finally - add a line that says something along the lines of "any rights/rules/actions/etc not explicitly described herein fall to the discretion/right of the employee" - kinda like how the Bill of Rights states the same falling to the States, and not the US Government (not that it is followed much today).
Worldcom [worldcom.com] - Generation Duh!
Re:Thats a tough call! (Score:2)
By what reasoning? If I use my personal account to commit fraud, is my ISP responsible? If I use my phone, is Verizon responsible? If I make a threatening phone call from the payphone at the 7-11 down the street, is 7-11 responsible? If I send a harassing postal letter, is the USPS responsible?
The "standard disclaimer" - that opinions expressed in e-mail or USENET postings were not those of the employer who often provided internet services - used to be understood to be implied on all messages. When did that change?
Tom Swiss | the infamous tms | http://www.infamous.net/
UK Data Protection Model (Score:2)
A pretty good model is the UK Data Protection one [dataprotection.gov.uk]:
This is so much more stringent than US models that until the recent 'Safe Harbour' agreement, it was not possible to transfer personal data from the UK to the US. Obeying this will enable you to gain 'Safe Harbour' status, yet it's not hard.
And you must, must, must give people an opportunity to opt out of any data uses which are not absolutely central to the operation of your service. Actually, an opt-in is better - Seth Godin explains why [amazon.co.uk] (fair warning - Amazon Associates apply; circumvent if you feel the need).
Re:Be HONEST (Score:2)
I can't count the times I've run into "documented" code, where the documentation completely misdescribes what the code is doing.
If you can't generally trust your employees (Score:2)
How's this for a policy? Actually it's more of a pledge.
(1) We will not read your mail.
(2) We will not examine your directories beyond that which is put back to the group workspace.
(3) We will not monitor your phone calls.
We WILL expect you to produce results, and to stick to company policies regarding what you say about our work and our industry to the media or others of influence outside the company.
We WILL cooperate with law enforcement agencies where they approach us and have established the legal right to inspect our systems or records.
Only in the case of complaints (Score:2)
Basically, we won't do anything unless we have a good reason, but given a reason, we can do what we want. I like the suggestion I saw, about 2 managers having to sign off on the action, and at least 1 witness being present for all searches.
Re:Timing of usage searches important (Score:2)
Re:I'm thinking that this isn't the major issue he (Score:2)
The other hidden result is Senior Management tends not to like to play around and will get annoyed if a supervisor is asking every other day to read someone's email.
Re:Ambiguity (Score:2)
Best of all, though, is to inform the employee the search is being made. None of this 9:00pm, all the workers have gone home, let's rustle through his stuff tactics. If there is an issue, then inform the employee and take care of it then and there. Again, I'm not saying give the employee enough notice to hide his tracks, but treat the employee like a human being who has rights and feelings.
Re:some thoughts (Score:2)
I like an earlier suggestion on making sure the employee has access to his/her personal email account from work (sort of like allowing the employee to access his/her personal voicemail from a work phone.)
If you phrase it like that, NO (Score:2)
All this says is that you will do whatever you want to do. When it comes down to it though, privacy policies are all just words, and they only exist to appease the ignorant.
My advice: just save some time and "borrow" somebody else's. Of course in this day and age that's probably a copyright violation. So instead, take somebody else's, read it, get the basic ideas, and rewrite it in your own words (cleanroom implementation). Or to save time, just let the VCs write it. If there's something really horrible in it, it'll end up on
No matter what the case, they aren't read by most people, and they aren't adhered to by the companies that write them, so does it really matter? It's not like you're going to get some revolutionary that you'll be applauded for if VCs are involved.
4 Separate Issues (Score:2)
Re:Be Honest (Score:2)
Awww, come on. Now, if you're wanting to enter some annual "Obfuscated Privacy Policy" contest, that's fine. But why do that? -g-
Lawyuhs...the original obfuscators of clarity.
--
Re:Thats a tough call! (Score:2)
(i.e. the same idiots that grant patents are probably the ones that sit on juries and preside in courts.)
Re:Thats a tough call! (Score:2)
When I was growing up, my parents never snooped through my bedroom, even though they had every "right" to, according to the law, but they had no right to according to our personal law. They knew that if they invaded my privacy so grossly as that, then our relationship would be drastically affected, and in a company I think things are much similar.
If the employees are continually and openly monitored without provocation, you'll see the trust level drop immediately. But if they feel safe, important, trusted, I think you'll gain their loyalty and their good behavior, if not exceptional.
Side note: I should point out that there are levels of who and how much to trust. The less experienced and responsible an employee is, the more monitoring of them there should be. If the rules are set out, though, and the employees know there is a "chance" of being released for bad behavior, anybody that's being paid a decent amount, particularly in profit sharing, won't risk it. (I'm rambling, I'll quit while I'm ahead)
Reasonable Communications Policies (Score:2)
Just lie to the VC people (Score:2)
WELL you have a choice (Score:2)
Screw-em or give in to the employee's wishes.
You have a basic right to protect yourself, investors, and employees. By having the "handbook" you will cover yourself. I don't think that anybody's going to care if you read their e-mail, as long as you tell them that your filtering software will look for certain things. Also you should advise top management that certain departments' e-mails will be reviewed for insider information and/or non-public information.
I think I would be a bit stern/harsh with my own rules. I would want to protect my firm's assets at all cost. My co-workers are too important to me, and if somebody is trying to take something away with them that could ruin our firm I will put a stop to it.
Also you should increase the company benefits. Try having counseling (mental) and family benefits. Everyone will notice that you do really care and they will look at the handbook as their bible to protect the firm.
Michael
I'm thinking that this isn't the major issue here (Score:3)
I've found that what separates most companies in terms of their privacy is how well _they_ follow it. The policy might look nice on paper, but is meaningless if you don't make an effort to actually follow it.
It's there for a reason (Score:3)
Ambiguity (Score:3)
----------
do { Work(); PayTaxes(); Eat(); Sleep(); } while (alive)
Timing of usage searches important (Score:3)
I would recommend setting boundaries of when the company can look at the private emails of their users, what sites they visit, etc., instead of just setting what. All too often a business or school will be croning files randomly and pick up on a disturbing usage they wouldn't pick up on normally.
They should have set rules as to when these searches should be permissible, given just cause (like a search warrant). Despite the fact that they own the network, employees shouldn't feel comfortable with a privacy policy that allows usage searches 24/7.
Fairness (Score:3)
I truly believe that honesty in all dealings between employer and employee is of paramount concern; this affects all policies regulating employee (and employer) conduct.
If you can lay your hand on a Digital Equipment employee handbook from the beginning of the nineties, that can provide you with good ideas about - what I believe - fair and open communication. Of course it requires adaptation in the age of downloading pr0n and filling 60% of the disk capacity with MP3s.
The tricky issue is that you guys have to cover your backs, because if you grow and there's money floating around, somebody will sue.
I'd recommend a top-down approach. I.e.:
1) Set the ground rules in employees dealing with each other and communicating with outside entities. Emphasize an environment of common sense and trust.
2) Go into the tools. Mail, web, phone, company letterheads, public statements. The focus should be on self responsibility.
3) Detail the dos and don'ts for each form of communication. Try to keep it liberal. I.e.: we don't really care if you fire off a private e-mail or surf /. while munching a sandwich. Make it clear, however, that you expect that performance doesn't suffer. Explain why certain control measures are not to be avoided (protection of trademarks, company secrets, legal threats).
4) If you monitor, be very explicit about the tools you use and the data which is monitored and why. Explain what data is stored for how long and how it will be analyzed.
5) Make consequences for abuse crystal clear.
6) Grant certain rights to the employees. I.e. open door policy (and stick to it), escalation paths in case of management abuse, the right to browse /. while munching a sandwich (ok, maybe in more general terms).
7) Emphasize mutual respect and personal responsibility.
8) Be very specific and unambiguous regarding the wording, and, unfortunately, have it triple checked by legal and lawyers.
Again, be fair in treating your employees and vice versa. This should be reflected by the manual.
Good luck with your venture.
Can't be done (Score:3)
Wow, it's like you specifically crafted these three sentences to be one of those "famous last words" things.
You can't BOTH have the power to search anyone's desk/computer at any time AND claim they have any privacy. Especially since your two examples already lead us very far down a very slippery slope. "Might be planning murder" to "might be sending nastygrams" leads very easily to "might be looking for another job" and "might be about to blow the whistle".
Here's a privacy policy: We keep the hell out of your stuff. If you break the law, on your own head be it, we assume no responsibility.
Alternatively, you could have an extremely draconian policy--for people who choose to work in the building. Then have an anything-goes policy if you work from home.
BTW, to people who side with the suits and say "but this stuff belongs to the company"--shut up, already. The food in the cafeteria belongs to them too, but I'm allowed to bring the waste products home. More to the point, if I am a net drain on the company's resources, the solution is to fire me and hire someone who is a net producer. It's a lot simpler AND fairer.
--
MailOne [openone.com]
Not Easy (Score:3)
A privacy policy can be:
Choose any two.
Thats a tough call! (Score:3)
1) The legal risk mentioned above
2) Potential loss of regulation, therefore output
3) Drop in customer or employee satisfaction
One way to increase privacy and not affect company stature is to be more performance based rather than methods based. If your employees are meeting their expected goals and deadlines, then they most likely need little, if any, watching from your managers.
There will always, of course, be certain issues that will need direct management control, such as porn, illegal activities, or bad customer service, but I believe there are many ways to combat these issues without jeopardizing the loyalty of your employees.
Privacy Policies (Score:4)
Fight the lawyers over the wording - they want it in their vernacular, you need to ensure it's simple & clear.
Accept that you're going to have to reserve all rights as broadly as possible. Yes you'll likely never spy on someone or snoop their email but you might have to someday & you need to make this possibility clear up front.
Spend an hour with your buddies dreaming up scenarios where you might need to do these actions and plan for them now. Again, you'll likely (hopefully) never need to do any of these but you have to make provisions for the possibility now.
The most basic rule is if it is done on company property or on company time or with company resources the company reserves all rights it can to viewing, recording, and using such.
Lots of /.'ers will recoil at this but I bet if they're employed by a publicly-listed company most will find the same basic tenets in their own employee handbook (please don't post your own unique circumstances - I said "most" & "publicly-listed". Yes there is the option of self-employment and there are unusual circumstances etc. but that's not really the topic.)
Bring the existing employees in on the planning. Don't surprise folks. Keep key figures involved in the evolution so it won't be a surprise. If folks learn along the way the whys of the policies and have their input sought, respected & used then they'll respect the policies and the company and share this confidence with others.
Strongly consider getting in an expert on this sort of thing - not just a lawyer whose first instinct is to cover your ass as much as possible but a seasoned HR-type who you folks like & respect and get their input. Listen to them about what is really important to you, to your employees, and presumably to the VCs who are mandating this.
Finally, look at the nearly-final product and decide if you'd want to work for the company you're creating. If not then start editing.
Re:Warrants (Score:4)
Employer (former) was concerned an executive was getting ready to jump ship - and was going to walk with a lot of our proprietary information.
A few weeks previously I'd shocked the VP's when they asked about recovering a piece of email when I pointed out it was all backed-up on tape and that I had full access to *everything* (current and archived.) Apparently they'd never put together the implications of my being Sr. Net Admin & being a backup Postmaster, etc.
I'd then pulled some old tapes and gone (with permission) into the exec's old email then run a few keyword searches for the password he'd forgotten (don't get me started - they really were a clueless lot... Brilliant in their fields but just sooo out of their depth with the technology in front of them.)
Anyway, I got them to put the snoop request in writing (cover my ass) then got the CEO to countersign it (yes a multi-billion-dollar corporation and he was a great guy; approachable and sharp.)
Duped the subject's email account (don't want to break anything by both of us being in it) and then, with a couple of VPs looking over my shoulder, ran a few searches.
Not going to tell the results (irrelevant) but yes, we had authority to do what we did and yes, it was necessary. How'd we have authority? 'Cause the employee handbook said we did (and heavily vetted by Legal) & regular memos reminded folks.
Did we publicize any of this? No. No no no. If the person had been not playing nice (again, not telling) then he'd have been locked out of all accounts ASAP, everything sequestered, and the next day the CEO would have met him at the door, accepted his resignation (form happening to be handy along with the head of HR and a few lawyers) and handed him his last (fat) check.
Word around the company: none. Gone - no comment, wish the best in future endeavors. Why? Well, one he could sue for word getting out (yeah yeah yeah the truth but that's a lot of legal bills later...) Two we didn't need to spook everyone and make them so paranoid that folks just couldn't work. Three - less problem. Most places operate on the path of least resistance and my former no less. If they could get away with just having stuff happen in the background so much the better.
So, the short of it is that no, I don't agree with your 'open' policy. Folks knew ('bout everyone but the VPs it seems) that stuff was an open book and just assumed that my staff had better things to do than read their email. They were of course right, but yeah, there were times where we did go into email and web logs, etc. under direction. Would publicizing any of this have served any purpose? Not really. Few would have understood it, most would have assumed we weren't telling all, and it would have been problematic to implement.
Re:Be HONEST (Score:4)
Well they could, but it probably wouldn't be terribly effective. As technical as lawyers are portrayed, in reality judges and juries are pretty unforgiving of people who fail the "reasonable person" standard. If a reasonable person would understand that the contract said such-and-such, then that's the standard you'll be held to (even in some cases where it turns out the contract wasn't even valid, it was the belief of both parties that it WAS valid that made a contract).
Recent cases have, in fact, been leaning the other way -- people getting out of contracts because they were too complicated and impossible to understand, because you cannot enter into a legally binding agreement voluntarily if you don't understand it. There has to be a "meeting of the minds" and if the contract is so complex as to be impossible to understand, you can't possibly agree to it...
---------------------------------------------
Sample of one I have recently implemented (Score:4)
A reasonable number of personal e-mails
Web-browsing or other Internet activities
Writing personal letters
These acceptable uses are modified by the following restrictions:
Web browsing should be limited to sites appropriate for a business environment, particularly in view of the conduct policies listed above.
Downloads must not include copyrighted materials of any kind without the copyright holder's permission.
No printing of web content, letters or envelopes on Office printers.
Failure to follow these terms may result in disciplinary action.
Acceptable use may result in an employee's personal files, or records of personal activities, residing on the computer system. Employees should keep in mind that the Systems Administrator might need to access a particular computer for maintenance or security reasons. The Office reserves the right to access any computer or file at any time for official purposes. Every effort will be made to preserve the individual user's privacy. No files on an office desktop system should be considered secure or confidential.
While it is technologically possible to track each employee's personal use of the computers, it is the policy of the office not to monitor the file access or keystrokes of its employees. Review of system logs and other computer records may take place only after an allegation of misconduct has been made.
>>>>>>>>>>
The restrictions on printing, etc. are due to the fact that this policy is for a public office; the materials, paper, toner, etc. are therefore intended only for official use, and it would be irresponsible/illegal to allow private use. The same argument might be made for your responsibility to shareholders, but I would generally allow some limited use of office materials.
Be HONEST (Score:5)
Look, we understand as employees that what you're saying is true, that you have to cover your own ass. What bugs me is the terms of service kind of legalese that is so over the top that it is literally offensive.
Why not write an employee handbook like Borland used to do software licenses? They used plain language, and explained WHY they had limitations in place, not just a bunch of legal jargon. It is no less legal because it's written in plain English.
You say yourself, "we think someone is keeping a gun in his desk, we want to be able to check it. If someone is harassing people from our email system, we want to be able to verify it. What I don't want, however, is the creation of a police state (be it on paper or otherwise)". That sounds great -- why not just flesh that out as a policy statement?
You really don't have to say "The party in the first part abrogates all claims and reservations for privacy and security of his person, belongings, personal space, and equipment". That's how lawyers write, but you can actually have a legally binding agreement that says "We pay for office equipment and have liability for your actions at work, so you need to know that we do have the right to check your computer or desk. We don't want to do it, but you know as well as we that there's always some nutball with porn on his hard drive, and we don't want to lay you off because we've gone bankrupt from a sexual harassment lawsuit".
Sincerity like that can buy you a LOT of goodwill.
---------------------------------------------
Be Honest (Score:5)
The company reserves the right to monitor or search all company property and equipment if improper or illegal conduct is suspected. However, all such monitoring or searching will be performed with at least one witness or explicit written instruction from at least two managers.
I'm not a lawyer. Run the above past one before using it.
--