A recently published article in the IAPPs from our Privacy Adviser Michelle Amick Prikhodko, Esq., CIPP/G

team collobration

The workforce of today in America looks very different from the one that existed even 20 years ago. Perhaps not gone, but certainly altered, is the image of the harried office worker stuck in traffic, delayed by weather or family concerns, and otherwise desperate to be present in their office between 9 a.m. and 5 p.m. Today, the rise of flexible work schedules, job shares and teleworking, has created much desired flexibility for many workers. In released statistics from a few years ago, more than 4 million employed adults telework. Between 2005 and 2015, the number of U.S. workers who do at least 50 percent of their work in a location that is not a traditional office rose 115 percent.

In order to accommodate this growing trend, employers are investing in online collaboration tools in which employees who are separated by time or space are able to efficiently work together. New technologies provide virtual workspaces for groups and are increasingly used to share files, work collectively on documents, or store material relevant to large amounts of individuals in one location. The utility and efficiency of this online shared workspace is undeniable. However, also undeniable is the inherent privacy risk that these collaboration tools create. Think no further than the ability of users to freely upload documents that are shared with a wide audience, group calendars pinpointing where an individual will be and when, to speak nothing of virtual meetings that record and archive voice and video.

But how does an employer remediate these privacy risks without compromising the convenience and efficiency of these products?

To start, when choosing a tool, the employer must take careful note of the terms of service, and in particular, the tool’s corporate policy for data sharing, data retention and security. While most tools will state that the customer owns their own data, they often still maintain metadata, or certain pieces of data for legal purposes. What do the terms of service say about sharing data? Is your data sold or shared with others? Can you opt out of such sharing? How long is data archived and how is it deleted? Additionally, do the terms of service explicitly provide what kind of security and encryptions are in place to protect the data? Is there a possibility that financial or sensitive personally identifiable information could be held in the tool? If so, are there elevated protections?

Once you have chosen your tool, determine whether customizations, workflows or processes exist that could help mitigate or remediate privacy risk. Consider for example, the Fair Information Practice Principle of collection limitation. The danger with shared workspaces is that an individual with access to the shared space is generally free to upload or add any document or type of information that they wish, regardless of appropriateness or privacy concerns. For example, a human resources shared workspace or collaboration tool could include sensitive HR data about employees, or electronic copies of HR forms.

To remediate this risk of unnecessary and excessive collection, users should be provided sufficient training and guidance as to be knowledgeable about what is to be included in the tool, and what purposes the tool is used for. For example, employers should consider developing user guides specific to their expectation of how the tool will be used. Employers should not rely on a tool-provided user guide. The employer-specific user guide should be definitive and explicit as to what information is appropriate to the shared space. For example, a clear and definitive statement of what, if any, type of PII can be added or uploaded. Each user should also be required to read and sign an employer-specific rules of behavior acknowledging their responsibilities when using the tool.

For even stronger protection, consider a modification to the tool that provides warning banners advising users at the point of collection of information, or at the point of upload, what type of information is allowed. Even the most diligent employee may err in following these practices, therefore each employer should also designate a senior level employee to regularly review the tool or workspace and remove or redact any unnecessary documents or PII.

Consider also the privacy risks inherent with user profiles. Profiles are necessary to ensure that users know with whom they are interacting and specific details about their position and qualifications. But some profiles request and share vastly more information than what is called for in the specific business situation. For example, profiles could include options to upload pictures of the individual user, provide fields for birthdays, or home addresses. Where possible, fields should be locked down or modified so that individuals cannot add information that is not necessary and has clear business utility.

Another FIPP, data quality, asks the employer to consider what safeguards are in place to ensure that data maintained in the tool is timely, relevant and accurate. Because of the nature of a collaboration tool and shared workspace, the more users, the more chances for inaccurate data, or data that is years old and has simply been forgotten about. To mitigate some of these risks, an employee should be assigned to routinely review the entire tool to remove inaccurate or old information. That user should also be responsible for removing profiles for departed employees; or in the case of HR, removing any files stored in the shared space that relate to departed employees.

As “Watchmen” creator, Alan Moore, said “Technology is always a two edged sword. It will bring in many benefits, and also many disasters.

Michelle Prikhodko, CIPP/G, CIPM