IT heads said in this week's CIO Jury they are coming under increasing pressure from HR and other parts of the business to be the "corporate police force" when it comes to enforcing internal ethics and codes of conduct policies for staff.
The fact that IT bosses sit at the heart of a company's 'nerve centre' overseeing email, phone and internet use by all employees - from the CEO to the receptionist - seems to be putting them in something of an uncomfortable position as the gatekeeper to employee behaviour policies.
Just this week airline manufacturer Boeing fired its CEO after what appears to be the leak of one of his emails to the board. The email revealed his relationship with a female co-worker, which was in breach of the company's ethics code. There's no suggestion the email was spotted or leaked by Boeing's IT department but it raises an important question of where the dividing line lies between HR and IT.
While the IT department undoubtedly has all the technological tools to ensure internal communications are adequately monitored, recorded and stored, CIOs are less than comfortable having to dig into their already squeezed resources to be the proactive corporate ethics police - and deal with the HR and data protection minefield that comes with it.
As one CIO in our jury pointed out, IT should be there to respond to genuine concerns raised by HR or line managers about a particular employee's behaviour - not to proactively police and alert the business of potential problem areas.
Corporate IT departments are already overworked by the heavy burden that regulatory compliance legislation such as Sarbanes-Oxley and Basel II has placed on them and don't need the pressure of spying on staff to add to that.
As another CIO put it: "Just because technology is increasingly important in flagging and ensuring compliance, don't pass the buck to IT."
We agree.






Comments
1. Simon Allen
The end of the line is that, if the company ask the CIO to do this, then it will be done! The CIO can ask for more funds and can plan to channel the information into HR, rather than have it assessed in the IT department, but just saying that it is not their job is not an option.
Whilst I agree that being pro-active is not nice - there may be no choice. The options then are to ensure that the work is carefully specified and ring-fenced so as to protect all staff. If this is not an option, then leave.
2. Cassandra
This is an important issue in Govt. The impression is all is well as we have legislation for Human Rights and Freedom of Information and Data Protection.
While the Govt finance handbook sets out clear management principles for financial transactions. Business and IT systems cost accounting has clear and transparent rules and audits to ensure compliance.
Govt. claim to take Data Protection and Freedom of Information seriously but only give good practice guidance - http://www.dca.gov.uk/index.htm.
No audit, management or controls are prescribed. Govt IT avoids policing role as we have no teeth, penalties or resource to support it. IT does report activity - but all we can do is advise and support - we cannot insist on what to report or how to manage what we think are breaches. To request legal advice or refer a case to the Info Commission can be career suicide. Management decisions can work on the perception of risk. Ambitious senior civil servants might ask not what is good practice or meets the spirit or intentions of the law but - how likely is this to be brought before the European Court and after getting that far attract substantial damages?