Skip to main content

Who owns the data?

Firstly, let me make it clear I am not a lawyer - IANAL. So naturally I was left stressed and scratching my head at a recent and very difficult situation.

A client of mine was having a shake up at the top end of the company. I don't know why and I didn't ask. The boss was on leave, directed in some way by the Board of Directors and I was being given conflicted requirements - one boss saying "Don't do anything - stuff is happening in the background" while the boss appointed by the Board was asking me to do various things to essentially keep the business running.

The way I've dealt with it, and I think it's probably the way to remember for the future is to request, in writing and signed by a large number of the Board members a document to give you permission to do as requested by the Board appointed Boss. I asked for the Board chairman, two other board members and the CEO or Boss to sign the document - thus ensuring a majority of high level stakeholders were involved in this process.

The key thing about this to remember is that my organisation was working with their organisation not individuals working with other individuals. As much as I might have a relationship with a member of that organisation, the important thing is that it's a relationship between two businesses. The Board is the controlling entity of that other business and the document you get from them means that if they aren't behaving there is a limitation to liability for me - I have been directed in a manner that I can reasonably indicate was from a legitimate controlling entity.

At the highest level too, the business's data all belongs to that business - not to the people working there. This can be tricky of course if there is some intellectual property involved but that's what the courts are for. At any rate, in this particular instance, once I had that paper shield (as it were) I went ahead and performed the tasks as requested. If I'm ever challenged on that, I can simply say - here is the document signed and presented to me by the Board of Directors. There isn't a higher power in the organisation so as far as I'm concerned as an IT Professional then I have to do as they ask, or we lose a client. I think as long as what I'm asked to do isn't in contravention of any ethical or moral strictures then this can work well.

I hope you, gentle reader, don't get caught in the middle like this. It's very uncomfortable and must be handled with some care. Good luck and have a good lawyer - like I do (thanks AP!)

Comments

Popular posts from this blog

Plone - the open source Content Management System - a review

One of my clients, a non-profit, has a lot of files on it's clients. They need a way to digitally store these files, securely and with availability for certain people. They also need these files to expire and be deleted after a given length of time - usually about 7 years. These were the parameters I was given to search for a Document Management System (DMS) or more commonly a Content Management System (CMS). There are quite a lot of them, but most are designed for front facing information delivery - that is, to write something, put it up for review, have it reviewed and then published. We do not want this data published ever - and some CMS's make that a bit tricky to manage. So at the end of the day, I looked into several CMS systems that looked like they could be useful. The first one to be reviewed was OpenKM ( www.openkm.com ). It looked OK, was open source which is preferable and seemed to have solid security and publishing options. Backing up the database and upgradin

elementary OS 5.1 Hera - a review and a revisit

 It's been ages since I used a desktop Linux distribution - being up to my ears in the horror of implementing ISO 27001 doesn't leave you much time to play around with computers - too busy writing policies, auditing and generally trying to improve security to a formally acceptable and risk managed level. I need a quick, small OS though to do the occasional network scan, view the contents of a dodgy file on and for general, low impact activities. I remembered reviewing elementary OS ( elementary.io ) some time ago ( see  https://www.ryv.id.au/2015/01/elementary-os-review.html ) from 2015 so I thought it was worth a revisit.  I downloaded the ISO from their website, forgoing to donation for the moment while I review it. If it turns out I'm going to keep using it, I'll send them some love. The ISO is 1.38GB in size and I booted it in a VMware Player instance. From go to whoa (I won't include the install photos here) it took about 10 minutes with a dual vCPU and 4GB of

Musings on System Administration

I was reading an article discussing forensic preparation for computer systems. Some of the stuff in there I knew the general theory of, but not the specifics of how to perform. As I thought about it, it occurred to me that Systems Administration is such a vast field. There is no way I can know all of this stuff. I made a list of the software and operating systems I currently manage. They include: - Windows Server 2003, Standard and Enterprise - Exchange 2003 - Windows XP - Windows Vista - Windows 2000 - Ubuntu Linux - OpenSuSE Linux - Mac OSX (10.3 and 10.4) - Solaris 8 - SQL 2005 - Various specialised software for the transport industry I have specific knowledge on some of this, broad knowledge on all of it, and always think "There's so much I *don't* know". It gets a bit down heartening sometimes. For one thing - I have no clue about SQL 2005 and I need to make it work with another bit of software. All complicated and nothing straightforward. Irritating doesn&