It’s not your information
While this blog entry refers to Novartis policy, the reality is that this policy and perspective is in place at the vast majority of companies. This one hit a nerve in Novartis when I posted it - it was forwarded all over - so I’m putting it on this blog for reference elsewhere when I need to mention it.
I’ll note that, as mentioned in my description about these Novartis-related blog entries, I had permission to take the blogs I wrote while at Novartis with me when I left, so in some weird meta way, these blogs are an example of explicitly handling this kind of information ownership situation.
For the last few weeks, quite a few people in IT have been consumed with helping the legal department prepare for a complex legal case.
I can’t go into the details, obviously. But in essence, it’s what happens in any court case like this: we, Novartis, need to be able to demonstrate that, at some point in the past, we knew (or perhaps didn’t know) something about something.
Maybe we need to show that we were the first with the critical idea for a patent. Maybe we need to show that we had no idea something was going on. Maybe we need to show that we acted correctly in a certain kind of situation. Whatever the exact situation, we need to be able to use our documented history to demonstrate our position.
Of course, that history is nearly all in the form of electronic records - both formal records and informal. And they are complicated. And they are big. And, even in our company, which has a fairly strong sense of centralization, they are distributed all over the place. On servers. On the intranet. On laptops. On backups. On your phone. In email archives.
It turns out that our ability to search through all this to answer these legal questions is… well… not as good as we would like. Given the likely future of the world (more electronic, more distributed, and more litigious), we’ll probably have to improve that. (We ALWAYS need to improve our tools. :-)
But, for those of us involved in this work, the most starkly clear thing coming through during this search is this: when the rubber hits the road… when the company is really serious… when it really matters… there is no question: that data, those laptops, that email - THAT IS NOT YOURS. That stuff is owned by Novartis, and we WILL use it for the benefit of the company.
We all know this, intellectually. It’s company property. The laptops and devices are tools provided by Novartis for us to do the work. The information we generate at work is company stuff. Novartis has the right to access anything on that computer. (In fact, Novartis is RESPONSIBLE for what is on that computer.)
And yet, I think most of us - especially the digital generation - live in a world where we tend to think of all these devices as personal communication tools and productivity augmentation devices. Because that’s what they are. Sure, my Mac is a Novartis Mac. But I also use it as my place for everything else digital… editing family pictures, planning bike trips, handling personal email.
Why? Because I can do it securely, I can do it without harming Novartis interests or misusing Novartis property, and it’s MUCH more efficient for me if I do so. I used to carry two laptops around - one for work, one for personal. That was just insane. Heavy. Complicated. Prone to errors.
I do have my own personally-owned Mac at home, which is the place I keep the official “real version” of all this info, but the reality is that most of the time I spend handling my personal Gmail happens on my Novartis Mac, because that’s the computer I have with me – when I’m at work, when I’m at coffee shops, when I’m on airplanes, when I’m on travel.
The same is true for my iPhone. And while many people may keep their personal stuff off of their Novartis PC, I’ll bet that the majority of people with a useful Novartis mobile device merge work and personal stuff onto that device without really even thinking about it. Hauling two phones around is also really annoying. I know that SOME people have two phones, specifically for this purpose.
But most people don’t… And even then, those worlds tend to bleed together. Which device has which contacts? Which device did you use to take that quick snapshot? Which one did you read the morning news on, and save a link to a useful article? Which one does your spouse text you on when it’s an emergency?
This is an interesting and complicated situation. In the old world, when computers were heavy and clouds were white things in the sky, the separation between work and personal technology was pretty obvious… but these days, with mobile systems, data everywhere, working on the road, bring-your-own-device… it’s really hard to keep them separate.
I’m prepared to argue that Novartis should promote this kind of merging of systems in a secure and compliant way, because it’s more productive for our associates at the end of the day, both at work and at home. I’m really interested in figuring out ways we can do this more effectively.
Here’s the deal: even if our policies and systems continue to make this easier, do not forget that, at any time, Novartis has the right to seize any Novartis-provided device and do anything with it. Search everything. Copy everything. Delete everything. And, just to reiterate: we are doing exactly that kind of copying and searching on the devices of a number of NIBR associates quite literally right now. Not because we want to, but because we need to for the good of the company.
As someone who does use a work computer for personal purposes, watching this search play out is a stark reminder to me of the underlying reality of who owns what and who has access to what. Sorry, we’re really not interested in your family reunion pictures… but they were on there, and we had to run that search across everything on the hard drive.
So… if you do happen to use your Novartis system for personal purposes:
- Make sure you’re doing so in a way that meets company security and system usage policies.
- Make sure you don’t put anything on it, EVER, that you wouldn’t want the company reading.
- Make sure you have a strategy for recovering whatever personal information you have on there should it be nuked.
I’m curious how many people think about this and have a strategy for making this situation work in their lives. If you have specific suggestions, or strategies, let me know or leave a comment.
[And, as a side comment: thanks to the many folks in IT who have been buried with this particular search… and for carrying out this work with as much respect for personal stuff we’ve run into as possible.]