Most organisations have an Acceptable Use Policy, IT Security Policy, Data Protection Guidelines etc. in order to provide a framework around specific areas of concern. These may also link to an organisation’s disciplinary policies.
Should these organisations also have an Employee Data Agreement? What could this cover and how should it be enforced?
Most Acceptable Use Policies (AUPs) have a primary focus of ensuring that staff are aware that:
- They should not visit inappropriate web sites including pornography or other offensive material
- They should not use inappropriate language or tone in electronic communications (internally or externally)
- They should not share commercially sensitive material outside the organisation
- They should comply with the organisation’s data protection policies
Arguably, the motivation for such policies is to prevent/minimise the risk of legal action by employees or outside bodies for inappropriate or offensive behaviour.
It could also be argued that the financial impact to an organisation of poor data behaviours (see our Data Zoo series) could be far higher than the financial impact of such legal action. This could arise from incorrect business decisions, failed systems-based projects and/or a need to recreate a data asset that is no longer usable. Yet in most cases, there will not be a clear statement to employees of how they are expected to use data.
So what should be included in an Employee Data Agreement? Here are a few suggestions:
- Usage – Use data as required for an employee’s role and do not access data that is not required for that role
- Storage – Store data in corporate data systems and do not keep local stores of data that should be in corporate systems
- Provision – Provide all required updates and give notification of any data errors identified as part of an employee’s role
- Analysis – Use appropriate levels of analysis that take account of actual data quality to inform decision making. Employees should not create ‘local systems’ without approval from the Data Steward and/or IS
- Legislation – Comply with all relevant data legislation and policies (e.g. AUP)
- Standards – Notify relevant staff if internal standards and documented processes appear to require changes or improvement
- Attitude – Data should be treated as a corporate asset and nurtured by staff who should take reasonable care to ensure that they do not create data errors. Staff should maintain and update their skills to utilise processes and systems.
- Escalation – They should also notify their manager of any targets, processes or activities which prevent them complying with the above clauses.
Whilst there may be variations in the clauses that may be applied in an organisation, it is unlikely that many people would disagree with the sentiments of the above areas.
What penalties for inappropriate activity should be applied? Arguably, most organisations currently have few sanctions that could easily be applied to staff who do not treat data correctly, particularly in relation to the provision of new/updated data. Gross misdemeanours could be addressed through disciplinary policies, but the staff concerned may argue that “no-one ever told them how to look after data”!
If staff have to strike a balance between achieving their productivity target (which affects take home pay) and the need to supply appropriate data (which has no direct personal impact), you can guess which option people will choose. If a failure to supply data may possibly lead to action under an organisation’s disciplinary policy, the decision above may result in a different outcome. Therefore, the Employee Data Agreement should be linked to the disciplinary policies of an organisation, so could possibly be implemented as an extension of their Acceptable Use Policy.
Do any organisations that you are aware of use such policies?
How much employee resistance would you foresee through introducing such a policy?