The Visible Employee: Using Workplace Monitoring and Surveillance to Protect Information Assets without Compromising Employee Privacy or Trust

By a curious coincidence, a few days after getting this book to review I found myself on the 4.54 London Bridge train, sitting next to a couple of suits who were clearly NHS managers going up to Guys Hospital, and were taking the opportunity to talk over the performance inadequacies of a member of staff. The name was sufficiently distinctive, and one of them obligingly held a file with a staff list on it open on his lap for me, so in the interests of scholarly research for this review I was able to make a note of it and look her up on Facebook that night. I am 95 per cent sure that I have identified her. Should I give her a poke and tell her what her line manager thinks of her? Should I perhaps even offer to sell her his opinion – “send a fiver to my PayPal account and I will spill the beans”? I did not catch his surname, but knowing where she works and his first name I could probably track him down, and try something similar on him, could not I? There all sorts of possibilities.

As librarians, we have been brought up to believe that information is something that people ought to have access to. Our job is improving methods of letting people get at knowledge, not hiding knowledge away from them. Even within libraries however, there are stores of information which should not be accessible except to authorized staff. My old library used to keep records of inter‐library loan requests filed on bits of 5  ×  3 card. As part of King's College now, with the full use of the college's up‐to‐date knowledge management system, all document supply records are kept online. Although it is a year and a half since I retired, I was interested to note during a recent visit that my password still works. Anyone want a list of all the scientists in King's who have recently requested documents relating to animal experiments? A few quid to my PayPal account might do the trick.

Every organization has information which should not be made public, but which has got to be available to a variety of members of staff. Every organization with paid staff has got to give its staff access to information sources of one sort or another, but has to stop them from using work time for private purposes. A workman reading TitBits when he should be digging holes in the road is in exactly the same position as a library assistant playing solitaire, or even, as in one case I heard of, running a private online sales business during slack moments at a public library counter. Finally, of course, all organizations are at risk of getting misinformation into their systems.

There are highly skilled obsessive individuals working non‐stop to try to hack their way into even the most advanced computer systems. Much of the risk however comes to most organizations through simple carelessness of the sort I have mentioned. Most employees of most organizations are reasonably loyal. They will steal computer time in the same way that they will steal paper‐clips, but they will not normally go out of their ways to sabotage the organization. In fact the authors of this book argue that the more transparent the organization's security governance is, the more supportive its staff will be. People who feel spied on will become more hostile. People who feel protected and supported, who are clearly informed about limitations to their use of information systems and are clearly informed about the types of monitoring taking place are likely to be more loyal. Employee behaviour is at least as important for security as technological measures.

Much of this book is given over to the results of a rather vague and anecdotal research project carried out by the authors. The answers of the 460 self‐selected respondents who bothered to reply to 20,000 distributed copies of a journal survey are not really a good enough sample to be worth analysing or publishing, and extracts of transcribed interviews full of hesitations and repetitions are only of limited interest. The two final chapters – “Overall analysis and interpretation” and “Recommendations for managers, employees and information security professionals” contain the bulk of the material of general interest. The draft information security policies in the two final appendices are potentially useful. As is so often the case, I feel that there is a good small booklet lurking within a much larger book here. Nevertheless this discusses a subject of considerable topical importance which all information professionals should take an interest in. Librarians should at least be aware of the sort of problems looked at here. The book is therefore worth considering.