Businesses Need Explicit Policies for Using Data from Access Control Cards

By Edward Balkovich

Ed Balkovich is a senior engineer at RAND. His colleagues Tora Bikson and Gordon Bitko contributed to this article.

Edward Balkovich

Swiping access cards in the workplace is common-place. Millions of us do it everyday without thinking about it. But what actually happens when we do it? When the card is swiped, a tag inside it is “interrogated,” a determination is made about whether to lock or unlock a door, and a record of the transaction is captured in a database. The process raises the question: What do companies do with the data?

One way to find out is to ask employers. We did just that on a small scale, using a sample of six private-sector companies each with 1,500 employees or more. It turns out that such cards are used for far more than just opening doors. Five of the six companies said they used the data to examine the movements of a specific employee (such as investigating alleged work rule violations) and to perform broader safety and security functions, such as refining building evacuation plans.

Despite these uses, only one of the six companies has an explicit policy governing how the access cards (and the data from them) are used. Moreover, all the companies opt to keep the records indefinitely; only one obtains an external audit of system records; and none felt the policy should be managed and overseen by a corporate officer. Also, in all cases, records are linked to other company databases, mostly to human resources, but also, in one case, to medical records. Finally, none of the companies tells its employees that the data collected are used for more than simply opening doors.

While the policies are troubling, businesses seem to be well within their rights to do what they do. In fact, such policies probably fall within the same domain as email or phone monitoring, which firms are also doing to check up on employees. The difference is visibility. For email or phone monitoring, evidence indicates that firms tend to have explicit policies and that those policies are communicated to employees. For access control records, policies are de facto and pretty much invisible.

Why is this the case? Unlike email or phone monitoring, where the primary intent is to monitor employees’ workplace behavior, access control cards are used to provide security by controlling access to, and egress from, buildings. Given this primary intent, businesses may feel they don’t need to have explicit policies and to tell their employees about them. After all, access cards replaced keys and guards, which never required explicit policies for data use. Unfortunately, though, the cards are used for far more than just controlling access.

As is the case for email and phone monitoring, companies should have explicit data-use policies for access control cards and should communicate those policies to their employees. Without an explicit plan, a business runs the risk of making policy “on the fly” and under pressure — like when a police officer requests access to records as part of an investigation that may or may not be initiated by the company. Moreover, having an explicit policy provides an opportunity to establish limits on the use of data, such as a request for their use as evidence in a divorce proceeding that might seek to establish that a spouse was not where he or she had claimed to be.

Access cards, like email and phone monitoring, represent the continuing loss of “practical obscurity” in the workplace — where anonymous behavior and movements were once nearly guaranteed. While access cards may be here to stay, employers have an obligation to make their de facto policies explicit, and employees have a right to know what those policies are. square