Sunday, May 3, 2009

Clean desk policy

Query from a reader:

Should the HR implement a ‘Clean Desk Policy’? Recently, we had a case of confidential information which got compromised from an employee’s desk. What’s your take?

Ok. A clean desk policy is nice to have, especially if you work for a company dealing with financial records or high confidential data. In this case, since you haven’t mentioned the work area, I presume the data got compromised because of one person’s negligence rather than the entire organization (like a system that got hacked). So would you need to reprimand that one person or everyone in the organization? Is your intent to implement a clean desk policy so that everyone should know that confidential papers shouldn’t be left on their desks when they leave for the day? Then an email would suffice.

Else, you get into the next level of policy implementation which involves identifying who would be responsible for: tracking compliance, effectively run the program, documenting non-compliance and more paperwork.

A clean desk policy is more a common sense policy. Really. Think about it, your HR rep left Joe’s latest performance appraisal letter (don’t know why, we still print them!) on the desk and stepped out for a while. Jane comes by to the desk to get a query answered. The point is Jane didn’t come looking for info on Joe’s appraisal; the info she got was incidental. Right? Not sure why she had to read something that wasn’t meant for her. That’s another issue. A bigger one. Sorry, I digress. But the person at fault should be the one who left the appraisal letter on the desk, completely aware that people drop-by frequently.

Clean desk policy needs active participation from employees and you can be sure of encountering stiff resistance. They could cite breach in individuality over a clean desk! Does a clean desk mean more productivity? Arguments may vary. Forceful implementation could make employees feel like robots: file this, shred that, hide this, secure that – get the point? That’s a challenge you have to deal with. Another one is deciding the frequency of cleaning one’s desk. Just how many times a week will you need employees to clean their desk. Daily? That’s a logistic nightmare. Once a week? That’s too long a period of time to wait.

Here’s what I would do as a pro-active measure. Prepare a basic clean desk policy, one that informs employees that they are required to ensure confidential data should not be left on their desk. Explain the ‘why’ in it and ‘when/frequency’ to clean up. Initially, have some incentives for people who clean up their desks. And compliance isn’t an option, means violations will be tracked (by managers) and reported for stringent action. Talk about the importance through forums, mails, company meetings and to every new hire. This policy will have employee resisting it, you can’t rule them out. They’ll come around once they start seeing the benefits. Focus your energies on people who buy your idea of having a secure desk. They’ll make this policy a success.

You may want to watch out for a few things. This policy needs a buy-in from the management. It needs to be part of a company culture, like if you have given employees a free rein to manage to their own work area (typically start-up atmosphere), then implementing such a policy over-night will back-fire. Set it up as one that will ensure security and trust in the company.