1

As a system administrator, if you were asked to facilitate access to your users' file store so that a director could look at what types of files are being stored, what would your response be?

The director is arguing that the data stored on the network belongs to the company, but I argue that this file store (i.e. "My Documents") has previously been declared as "not for business use", and we do have a policy allowing personal use of computers, subject to a number of restrictions of course.

There are concerns that business data may be being stored under "My Documents", but does this justify allowing a director to go looking? It has been stressed by the director that this is for nothing more than identifying business data being stored in the wrong location, however I'm just a little uneasy about allowing access to what I think should really be "personal file store".

Mark Henderson
Bryan
  • To those voting to close, please could you explain why? I thought this was a legitimate question to ask here, sure it's not a technical question, but it's a question relating to a scenario that other systems administrators may find themselves in. If there is a better Stack Exchange site, please let me know and I'll ask there instead? – Bryan Oct 27 '11 at 20:09
  • 3
    At the end of the day I don't think it matters what the policy is, in my opinion the computing components and the data therein are the property of the company and that's my approach (I'm not making a legal argument here). Furthermore I believe the director has every right to access the employee's data under the purview of their duties as a director. Finally, your job is not to be a policeman or an arbitrator, your job is to facilitate the means by which the appropriate party can be the policeman or arbitrator. Continued... – joeqwerty Oct 27 '11 at 20:09
  • 1
    Your job is to provide information, when requested, regarding the breaching of the AUP and to bring to the attention of the appropriate party the breaching of the AUP if and when you discover it. In addition, if your company policy allows for the storage of personal data then it's a misguided policy in my opinion. – joeqwerty Oct 27 '11 at 20:13
  • Thanks Joe, the policy doesn't specifically allow personal storage in "My Documents", but it does state business data should not be stored here. We happen to have a policy allowing limited personal use of company computers, so it is probably more implied that "My Documents" is for personal storage. – Bryan Oct 27 '11 at 20:19
  • 1
    Thanks for the clarification. It's a slightly sticky situation for you but I always err on the side of the company (unless the situation is especially egregious, immoral or illegal). – joeqwerty Oct 27 '11 at 20:29

5 Answers

4

"we do have a policy allowing personal use of computers, subject to a number of restrictions of course."

Have a meeting with the requester, your boss, HR, and Legal (if you have it.) That would be my response, especially in light of the fact that you have a policy allowing users to do this.

mfinni
4

If the data is stored on the company computers, then it is company data unless the company policies specifically say that the employee can store data on the machines which the company won't be looking at.

This is probably going to end up being one of those things that you have to do, even if you don't like it.

mrdenny
3

This entirely relies on your company's policy. If you have a policy that says that certain data won't be poked but your boss is asking you to, check one rung above him.

If his boss doesn't agree with you then you have two choices:
1) Go along with it.
2) Elevate it up the chain even more.

It really depends on how clear your written policy is and what it expressly allows and disallows. No matter what, you have to be cautious of pissing your boss off.

MDMarra
2

This all goes back to your acceptable use policy, specifically the expectation of privacy. If your organization is like most I've worked with, even if private use is allowed it isn't guaranteed to remain private.

That said, be sure to follow whatever established chain of command you have for these kinds of requests and be sure to document what you have done and why. You are bound to follow the AUP just as much as the next person.

Tim Brigham
1

As others have said, the exact approach you should take to this depends on exactly how your AUP is written. It's a matter of how strongly your policies imply My Docs will be private.

However, one thing that hasn't been mentioned is that if the goal is to check that there's no company data in My Docs, silently giving someone else access isn't necessarily the best way to meet that goal. And unless you have a very small number of My Docs directories to check, having one person poke around probably isn't a good way to do it. It might make more sense for the IT group to do some sort of auditing - search for files with names that indicate they're work-related, see how many files there are in the first place, whatever.

In our policies, there are clear statements to the effect that if IT need to look at something to track down or fix a problem, that's allowed. And since we don't have tons of free time, we'd probably find better tools to do this than having someone randomly looking in people's directories.

Ward - Trying Codidact
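
The kind of IT-run audit suggested in the answer above, sketched as an added example (not part of the original answer or thread): it summarises each user's folder from file names and sizes only and never opens file contents. The keyword list, the extension set and the share layout (one top-level folder per user) are assumptions to adapt.

```python
import os
import re
from collections import Counter

# Assumed indicators of business data; tune both to your organisation.
WORK_NAME = re.compile(r"(invoice|contract|payroll|budget|customer|quote)", re.I)
WORK_EXT = {".xlsx", ".docx", ".pdf", ".mdb", ".csv"}

def audit_user_dir(user_dir):
    """Summarise one user's folder from names and sizes only; contents are never read."""
    by_ext = Counter()
    flagged = 0
    total_bytes = 0
    for root, _dirs, files in os.walk(user_dir):  # does not follow symlinked dirs
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            by_ext[ext or "(none)"] += 1
            try:
                total_bytes += os.path.getsize(os.path.join(root, name))
            except OSError:
                pass  # file vanished or is unreadable; it is still counted by name
            # Flag only when both the extension and the name look work-related.
            if ext in WORK_EXT and WORK_NAME.search(name):
                flagged += 1
    return {"files": sum(by_ext.values()), "bytes": total_bytes,
            "flagged": flagged, "by_ext": dict(by_ext)}

def audit_share(share_root):
    """Return {user: summary} for each top-level folder under the share root."""
    report = {}
    for entry in sorted(os.scandir(share_root), key=lambda e: e.name):
        if entry.is_dir(follow_symlinks=False):
            report[entry.name] = audit_user_dir(entry.path)
    return report

if __name__ == "__main__":
    import sys
    for user, s in audit_share(sys.argv[1]).items():
        print(f"{user}: {s['files']} files, {s['bytes']} bytes, "
              f"{s['flagged']} possibly work-related")
```

The report carries counts per user rather than file names, so it can be handed to the requester without exposing what any individual has stored.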