“This call may be monitored for quality assurance purposes” I was told while on hold with a major corporation the other day. I began thinking about the implications of this message as it was repeated over and over interspersed with several upbeat Beatles songs. Sigh. Poor John and George. What the corporation is really trying to tell me is “we are protecting ourselves by recording you”, or more simply put “we are watching our backs”. Which then got me to thinking: Who’s watching our backs? How about our client’s backs?
Almost everyone now carries with them a handheld recording device that can be used surreptitiously with ease. With the upswing of the use of personal devices in workplaces, organizations now more than ever before, need to step up to protect their clients, their staff, and themselves in regards to confidentiality and protection of personal information. How do we really know who is recording/downloading what and when, and what might be done with that data?
Crafting a “Bring Your Own Device” policy is now a burgeoning reality of the government, business and NGO sectors. There are many ethical considerations and questions to grapple with due to the vast implications of new technologies and their potential impact on the workplace. Here is a short list of a few to consider:
- Should staff be allowed to access client records remotely on personal devices?
- How about record conversations with their supervisor?
- Record a member of the public being rude or kind to their clients?
- Take pictures or videos at work and then post it to personal social media?
- Store client records on personal devices?
Each workplace may take a different approach depending on their work culture. Developing a strong B.Y.O.D. policy may be a good place to start.
While crafting new policy however, also consider the following excerpt from this great read at Fortune.com entitled: “Employees really want to use their personal devices at work”
“A new 20-country survey by network security firm Fortinet shows that among employees aged 21-31, more than half would circumvent any company policy banning the use of personal devices at work or for work purposes.
Younger employees are unaware of the potential hazards associated with their behavior, but that they are so wed to their personal technology that they are going to use it anyhow. “It’s a given,” Richard Henderson, a security strategist and threat researcher at Fortinet, says “It doesn’t matter how tight of a network you run, someone will always find a way to connect a device.”
So if you do implement a policy on workplace devices and state who can do what and when, you may also need to be thinking hard about how it will be enforced, and by whom. Speaking of enforcement, what do our laws state on this issue?
In Canada simply put, our laws allow us to record conversations that we are included in, but not those that others are having. In 38 U.S. states there are “single-party” consent laws, where anyone with an iPhone can push a button and record without another’s consent. In the other 12 states, all parties are required to know if a recording is being made.
As far as client records and the law are concerned it is all about consent. To quote the Canadian “Personal Information Protection and Electronic Documents Act” “Organizations covered by the Act must obtain an individual's consent when they collect, use or disclose the individual's personal information. The individual has a right to access personal information held by an organization and to challenge its accuracy, if need be. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, consent must be obtained again. Individuals should also be assured that their information will be protected by appropriate safeguards”
Perhaps we should first be asking our clients about how they feel about the use of personal devices in the workplace, and what and how much of their personal data they feel comfortable having accessed on mobile devices. We could also be letting them know about both the risks and how we will protect their data. Now that would be some quality assurance.