Teaching employees about the ethics of data management is part of the daily routine for Sandy Hofmann, CIO of an Atlanta IT firm. One day, Hofmann discovered that a marketing employee had just given a 700-name customer list to a vendor. Hofmann chased down the vendor to retrieve the list. Then she gave the marketing associate a basic lesson in data management ethics: Don’t share customer information without the customers’ permission.

“It’s sort of like treating your family as well as your friends,” said Hofmann, who works at MAPICS, a global IT firm focusing on manufacturing. “You have to operate under the assumption that you don’t know how the information should be handled unless you know how the owner feels about their information.”

Hofmann is one of a growing number of CIOs who are dealing with the responsibilities that come with being the chief steward of a company’s data. CIOs, who are increasingly part of the top management team, are enacting strict controls over customer and employee data. They’re also educating their employees about the responsibilities of ethical data management.

Hofmann and several other CIOs helped TechRepublic compile this code of ethics for managing electronic data.

Customer data is sacrosanct
Hofmann said CIOs are responsible for more than setting the rules. They also must be vigilant about making sure employees understand the rules and their nuances. CIOs and their marketing counterparts are often at loggerheads over using customer data, Hofmann said. That’s why MAPICS’ customers are routinely asked whether they want their information shared with vendors. Most customers say yes, Hofmann said.

The marketing employee Hofmann had to counsel about the privacy of customer data had worked for a smaller “free-spirited” company that MAPICS had recently acquired. Hofmann said the incident was an object lesson about her duty to educate the new employees about MAPICS’ customer information policies.

Protecting customer data is a hot topic at Worldspan, an online travel agency. Company officials are so intent on hammering this point home that they’re creating an online privacy course for employees, who will be tested on it, said Sue Powers, CIO and senior vice president.

Powers discussed the idea at the last meeting of Worldspan’s Privacy Council, a group she helped create after Worldspan officials noticed that the United States had few laws regarding privacy compared to other countries, particularly in the European Union.

Powers said the course will be about 30 minutes long. “It will give employees situations to help them figure out when they should and shouldn’t share customer data. We’ll test them to see if they can demonstrate their understanding of the policy.” Employees will be allowed to repeat the test until they pass it, said Powers, who is responsible for the data handling of 1,050 people.

The security of customer data is a critical issue at Worldspan because customers give the company’s employees their travel plans and credit information every day. In an effort to make her responsibility clear, Powers said, she’s even been dubbed the company’s chief privacy officer.

Make sure information gets to the top
The trend of CIOs becoming part of top management means they have a duty to help mold an organization’s values, said Stephen M. Paskoff, founder and president of Employment Learning Innovations, Inc., an Atlanta firm that trains companies on workplace ethics and fair employment practice issues.

That means CIOs should create systems that enable employees to give information to the top bosses and then make sure that information is dealt with. For example, Paskoff said that could involve creating a way for employees to anonymously e-mail concerns to top management along with a system to follow up on the complaints.

“CIOs should be thinking about internal complaints and issues with the same degree of rigor that they are thinking about customer management. Is there a way to report a problem? Is there a way to make sure complaints get into the right person’s hands? Is there a way under our system to make sure there is the proper follow-up?” said Paskoff, who was a trial attorney with the Equal Employment Opportunity Commission and represented management when he was in private practice with a law firm in Atlanta.

Report accurate information, even if it’s bad news
Brian Oldham, CTO at Appriss in Louisville, KY, said he’s worked hard to create an environment in which his employees feel comfortable reporting accurate and complete information to the bosses—even when they’re pretty sure the bosses aren’t going to like what they hear. Oldham said it’s often too easy to take a report and color it a certain way when you’re dealing with internal information.

At Appriss, which makes IT products for criminal justice systems, “We’ve adopted a culture that says share good news quick and bad news quicker,” said Oldham, who as part of the senior management team is responsible for more than 90 employees. “We want our employees to know they can be safe presenting accurate information.”

Data must be protected over its lifecycle
Every record has a lifetime, and CIOs are responsible for creating clear rules about what to do with electronic information from its birth to its death. That’s particularly true at MAPICS, which has a large virtual workforce, Hofmann said. “Their file cabinets are in their homes, briefcases, or laptops, so you really have to have a policy in place that’s clear and doesn’t require hands-on monitoring,” Hofmann said.

Hofmann said she’s also tried to make it as easy as possible for employees to retain files. She’s given them instructions on how to archive documents electronically and provided CD burners so they can download their material and send it back for off-site storage.

Employee info deserves the same protection as customer info
Because identity fraud is a threat to everyone, many employees have become more sensitive about the confidentiality of their personnel information. MAPICS learned last summer that customers are sensitive about their information when it asked its 800 employees to update their emergency contact information. Some employees asked why they had to add their home addresses to a database to which all managers had access.

MAPICS officials decided to limit access to the information to human resources and each employee’s immediate manager, Hofmann said.

Give the right access to the right roles
CIOs often have to mediate battles between software engineers and IT professionals over access. The software engineers say they need more access to operate efficiently. The IT folks say limits help keep data more secure.

Oldham said his company errs on the safe side, even when that caution annoys the software engineers. “It does cause some frustration among software engineers who say if they have full access, they can get their jobs done quicker. But when access and security are in conflict, we err on the side of security,” he said.

Reward responsibility with trust
At MAPICS, which was spun off of IBM in 1993, Hofmann took a different tack. Hofmann said her company’s lineage meant that many MAPICS managers were well trained in the ethics of data management.

The data management team was unanimous when Hofmann asked it to set a goal for the coming year. “It was easy; we said we need to liberate information because we spend so much time playing traffic cop.”

The result was named information liberation. Essentially, MAPICS gave managers more decision-making responsibilities about who should have access to their data. They also used portal technology to provide secure access to managers. In many cases, employees were given access to view information but were not able to modify it.

Hofmann is convinced that the initiative resulted in greater access to information but only for the people who really needed it. The idea wouldn’t have worked if she hadn’t trusted managers to make the right decisions. In other words, she had to give up some control over the information she’s responsible for. She said that’s a difficult bridge for a lot of CIOs to cross.

“I’m sort of like the Department of Transportation, in that I’ve got to provide the best quality roads and I’ve got to provide signage,” she said. “But I can’t drive every car up and down the roads to make sure they’re all working effectively.”