Arizona has had the dubious distinction of leading the nation in per-capita complaints concerning identity theft for the last two years.
Yet managers in the city of Tucson's General Services Department didn't foresee a problem in mandating the use of a biometric time clock by employees.
"I just didn't anticipate the controversy," says Ron Lewis, the director of the department. "If I had, we would most likely have pursued other alternatives."
In May, administrators in the department's communications division introduced the biometric time clock as a "test." This device uses finger recognition to identify the time an employee arrives and departs from work, replacing the typical signed time card.
In a May 12 e-mail, 911 operators and public-safety dispatchers were informed that the system would be used to "improve our timekeeping records." The e-mail also mentioned that the system could prevent "buddy punching," where one employee clocks in for another.
"Buddy punching got some attention," Lewis recalls now, "but it was never a driver (of the change)."
Instead, he says, meeting federal labor requirements was a driver behind the new time clock.
Because of the nature of the emergency-communications jobs, projections of weekend work had to sometimes be made before time cards were submitted early on Monday. Some last-minute changes to these projections, Lewis notes, were not signed off by the affected employees—and as a result, city auditors were not pleased.
"They wanted us to ensure we got the actual moment (of employee arrival and departure) instead of rounding off," he says.
Thus, the biometric time clock went into use a few months ago—without employee input.
"We could have done that better," Lewis admits. "Supervisors were involved, but the employees weren't consulted."
Some employees immediately objected to the new device. One prevalent question: How would the finger-recognition information be secured, since the data could potentially be easily disseminated?
This security issue was especially germane, since the user manual for the device states that it "generates, uses and can radiate radio frequency energy"—meaning that, at least theoretically, outside devices could pick up those frequencies.
Lewis acknowledges that he wasn't even aware of this feature of the biometric time clock until informed of it by the Tucson Weekly.
After some employees expressed misgivings, division management stated in a May 20 memo that the information would be secure. The memo also says the City Attorney's Office had approved the device's use. The memo decreed: "Effective immediately, all personnel are required to register with and begin using the new system."
That didn't stop the employee protest. As one wrote: "I have no confidence in the city's ability to protect my personal data."
Despite those red flags, on June 9, employees were told in writing that they would either use the system or be sent to a "counseling session." If they still refused to use the biometric time clock, "disciplinary action up to and including termination" would be considered.
Lewis later informed employees in a June 23 memo that the system would soon be operational and that anyone who didn't use it would be sent home without pay. Continued refusal could result in termination, he added.
By then, 24 employees of the division—out of the 65 affected by the decision—had signed a petition against the program. Listing concerns with data security and invasion of privacy, and pointing out the existence of reasonable alternatives, the employees stated: "We respectfully request that the city cease and desist in coercing employees to relinquish their privacy."
One of those who signed the petition was Michael LaFond. He also spoke at a City Council meeting in July. Standing in front of several other 911 operators and public-safety dispatchers, LaFond asked the council to stop what he called an intrusive and illegal search of employees' personal identification marks.
"This puts us in some danger," LaFond commented, stating that the information couldn't be kept "completely secure." He cited potential problems from hackers and identity thieves, and pointed out that there was no way to know where this invasion of privacy would stop. He requested: "Don't spy on me."
Councilman Rodney Glassman asked for a response from the city staff that addressed the issues raised by LaFond.
The reply from Lewis came three days later—when he scrapped the biometric time clock program.
"We'll use the employee's number combined with a password," Lewis says.
Even though Lewis had earlier said that he didn't think this option would satisfy city auditors, he now sees things differently. "Within a couple of weeks, I hope to hear from the auditors that this complies (with federal law)," he comments.
Meanwhile, Lewis admits that he's learned some hard lessons from this experience.
"As department director," he says, "I should have asked a few more questions about an initiative that sounded too good to be true. We should also have had a well-thought-out plan to introduce (the system) and ensured employees understood it before implementing it."
Finally, Lewis observes: "Sometimes, new technology looks like a good, quick fix, but it may not be."