On Wed, 30 Mar 2005, Chris Wolf wrote:
> At 03:27 PM 3/30/2005, Bosman, Don wrote:
> >After those who have to keep the machines running, citing the AUP as the
> >reason of course, refuse to work on those machines they don't have
> >permission to look at. Maybe systems people need "HIPPA" forms from every
> >patient?
>
> You've hit on an aspect of this that seems just plain wrong. Let me see
> if I can explain it.
>
> Let's forget about students and faculty for the moment and consider only
> the case of department-owned computers that are assigned to staff to carry
> out work for their department. Let's focus on a secretary and his or her
> workspace. Among other things, there's a desk with drawers, a file
> cabinet and a computer.
>
> My understanding of workplace rules (even at the University) is that the
> secretary's supervisor has complete rights to look at material in the
> secretary's desk or file cabinet without getting permission. The desk and
> file cabinet themselves, as well as the records and materials that the
> employee works with and stores within them, are the property of the
> department, not of the employee.
>
> To cite a specific example, suppose the secretary is out of the office
> (for fifteen minutes or two weeks, it doesn't matter) and the department
> needs a document that is stored in the employee's desk. My understanding
> is that the supervisor can go get it from the desk without asking anyone
> for permission. (As a side note, if the employee has personal things
> stored in the desk and the supervisor happens to see them while looking
> for the needed document, that's the employee's problem, not the
> supervisor's.)
My understanding is that this is a "workplace rule", and one's rights to
one's own desk and its contents are set out as part of the set of workplace
rules, which may vary from unit to unit, some allowing 'private space',
and some perhaps not. Of course, if there is 'private space' allowed,
documents which may need to be seen/used by someone else should not be
put there. In any case, there is some fundamental set of rules known to
both employee and supervisor. The SAU simply extends this to the
electronic realm. As long as both employee and supervisor know what
policy applies to what directories on the computer, there is no problem.
It would be best if private space is allowed on a computer, it be clearly
labelled as such, and work documents not be put there. All common operating
systems (assuming plain old DOS and old versions of MacOS are at least on
the way out, if not already gone) provide technical means for setting up
explicitly private and explicitly shared directories. Then it's just a
"work rules" issue to make sure everyone knows which place which document
should go into.
>
> Or let's take a more extreme example--The supervisor says she needs a
> certain document that is in the employee's desk and the employee refuses
> to provide it. Again, my understanding is that the supervisor has the
> right to open the desk over the employee's objection and get this piece of
> department property. (Let's assume there's no physical force required.)
My understanding of this non-computing situation is that the supervisor
has the right to kick the situation up the "authority ladder" as a
disciplinary issue and the employee gets whatever rights are granted by
the University's due process policies. Thus, it depends on where the
supervisor is on the "authority ladder" as to whether or not there is
an automatic right to open the desk over an objection. The employee
may have some sort of appeal procedure in the case of such a physical
intrusion.
>
> On the other hand, the discussion here seems to be saying that the rules
> for the computer in the employee's workspace are totally different than
> for the desk or the file cabinet, i.e. that the supervisor cannot get a
> department file from the employee's computer without his permission.
The supervisor can give the employee bad performance ratings if he/she
consistently fails to put work documents in the right folder/directory
instead of the one marked 'private'. If workplace rules are set up
to explicitly disallow private subdirectories on a particular system,
and the employee knows this, then there should be no "expectation of
privacy" for that system. Obviously, the current SAU (AKA AUP) was not
quite worded right (to put it mildly), as it refers to "files ... belonging
to ... Users" in IV.1.1 (where work documents can be said not to "belong"
to a given user) but only to "User files" in the critical section V.1.4.
Under the current SAU, it may still be best to route the case through
the Vice Provost's office anyway and trust that the side with reason
behind it will prevail. The in-the-works SAU should have more of a
distinction between authorized and unauthorized use of facilities, as
well as a more precise description of user privacy rights.
> This makes no sense to me at all. The computer is owned by MSU, is
> provided to the employee specifically to do the job for which she is paid,
> and the files in question are the result of that work. To put this kind
> of block between an employee and the employing department, in the name of
> privacy, is ridiculous. And keep in mind that I am an MSU employee and
> I'm applying this to myself, so I'm saying that my supervisor (the
> department chair) should have full rights to get any kind of file or log
> from my computer or even to delegate to someone else the authority to do
> that.
They should have unlimited rights to your web browser's cache and the
pages displaying your mail.msu.edu messages in it?
>
> This is why we need the provision for local AUPs. I fully agree that at
> the university level MSU should have a tight AUP, to protect the privacy
> of university email, the privacy of AFS space, to prevent users from
> snooping on each other, etc. But a department (or other unit) should be
> able to make different rules for certain computers or groups of computers
> that, in the most extreme case, might even say that users of a particular
> system have no guarantee of privacy at all. The relationship of a student
> to the university is very different than that of an employee to the
> university. It seems impossible to me to try to apply a single AUP to both
> relationships.
Overall, I agree, again with proviso of user notification.
>
> (I would also point out a very interesting sentence in the draft SAU:
> "Users have the right to expect that the information content created,
> stored, and transported within information technologies will be granted
> the same degree of privacy as communications and written and graphic
> content using traditional paper and telephonic media." Doesn't that say
> that if the department has the right to look at things in the employee's
> filing cabinet that they also have the right to look at things on the
> employee's computer? Does this mean the proposed SAU is looser than the
> current one, with less guarantee of privacy?)
In some respects the proposed SAU works out to be looser, but mainly
because it is more specific.
In your example, if the file is in a directory of the user's computer
corresponding to the open filing cabinet, I agree that it should be
accessible under any sane SAU. If it's in a directory corresponding
to the "traditional paper" sealed in a stamped-and-addressed envelope,
then, no, it should not be accessible. "Traditional paper media" is
not an alias for "always and everywhere readable".
>
>
> --Chris
> ==============================================
> Chris Wolf Computer Service Manager
> Agricultural Economics [log in to unmask]
> Michigan State University 517 353-5017
>
--
George
-------------------------------------------------------------------------
George J Perkins http://www.pa.msu.edu/people/perkins/
1209B BPS Bldg, MSU Phone: 517-355-9200 ext 2567
East Lansing, MI 48824-2320 FAX: 517-353-4500
