I am headed off to Chicago tomorrow to learn about all types of enterprise risk management, but tonight all I can think about is privacy. I'm coming to the conclusion that privacy in the workplace is or soon will become a Solomon-sized conundrum for every risk manager in the world. Every risk manager, CIO, HR officer, legal counsel, CEO, board member -- heck, basically everybody -- will be ensnared by the proliferating problem of privacy in the workplace.
If you have any doubt, consider two cases that have made headlines in the past seven days: the Harvard email scandal, as it's come to be known, and the conviction of two Steubenville, Ohio, high school football players on charges of rape. In both cases, privacy issues were central to what occurred. And in both cases, principles associated with two different kinds of privacy butted heads, with the result that matters that should have remained private were compromised.
How does an organization balance its desire to protect individuals' privacy with an organizational mission that under certain circumstances will compromise that privacy?
In the case of Harvard, the university's IT department, at the behest of Harvard's administration, secretly accessed the email accounts of 16 resident deans last fall in an attempt to discover who leaked confidential information to the media about a student scandal involving cheating. Since The Boston Globe broke the story on March 9, news outlets worldwide have jumped on the incident. Faculty members have railed against what they perceive to be an invasion of personal privacy and violation of academic freedom: Dishonorable. Creepy. Shocked and dismayed. "This is disgraceful, even more so than the original cheating scandal, because it involves adults who should know better -- really smart, powerful adults, with complete job security," Timothy McCarthy, program director at Harvard's Kennedy School of Government, told The New York Times.
In Steubenville, a weekend drinking party became national news when videos, tweets and cell phone images documented the abuse of a nearly unconscious, 16-year-old girl at the hands of several high school football players. The publicity led to an investigation and ultimately to the conviction of two juveniles. All the media outlets, in describing the conviction, showed pictures of the juveniles and disclosed their names, even though such information usually remains private for individuals under the age of 18. The Associated Press, at least, was cognizant of the violation of its own policies. Its piece describing the conviction ended with this statement: "The Associated Press normally doesn't identify minors charged in juvenile court, but Mays and Richmond have been widely identified in news coverage, and their names have been used in open court."
Read more about privacy in the workplace issues
Five steps to data protection governance and privacy
Employee privacy rights case goes to the Supreme Court
FTC mobile privacy guidelines put CIOs on notice
The Solomon-sized conundrum looming large in both cases -- and which is of interest to all organizations that wrestle with privacy in the workplace -- is this: How does an organization balance its desire to protect individuals' privacy with an organizational mission that under certain circumstances will compromise that privacy? In the Harvard case, a policy that ordinarily respects the privacy of email correspondence came into conflict with a mandate to keep the proceedings of a student disciplinary board private. In other words, Harvard sacrificed the privacy of the 16 resident deans in order to protect the privacy of students up before the disciplinary board. In the case of the AP, its organizational mandate to deliver the news came into conflict with its organizational policy to protect the privacy of juveniles.
The conundrums don't end there. Interestingly, in both cases a breach of privacy led to a breach of privacy. The Harvard resident dean's inadvertent leak of a confidential email to students, and the students' apparent leak of that information to the media are what led to the administration's secret email search. In the Steubenville case, it was, of course, the violation of the girl's privacy that led to the investigation of the crime and ultimately the news media's dissemination of the names of juveniles. (Even the victim didn't fully know what happened to her until she saw the evidence.) As information passes at ever-quicker speeds and with almost no effort, such tangled tales, I'm afraid, will become commonplace.