Privacy, Please

Arizona has had the dubious distinction of leading the nation in
per-capita complaints concerning identity theft for the last two
years.

Yet managers in the city of Tucson’s General Services Department
didn’t foresee a problem in mandating the use of a biometric time clock
by employees.

“I just didn’t anticipate the controversy,” says Ron Lewis, the
director of the department. “If I had, we would most likely have
pursued other alternatives.”

In May, administrators in the department’s communications division
introduced the biometric time clock as a “test.” This device uses
finger recognition to identify the time an employee arrives and departs
from work, replacing the typical signed time card.

In a May 12 e-mail, 911 operators and public-safety dispatchers were
informed that the system would be used to “improve our timekeeping
records.” The e-mail also mentioned that the system could prevent
“buddy punching,” where one employee clocks in for another.

“Buddy punching got some attention,” Lewis recalls now, “but it was
never a driver (of the change).”

Instead, he says, meeting federal labor requirements were a driver
behind the new time clock.

Because of the nature of the emergency-communications jobs,
projections of weekend work had to sometimes be made before time cards
were submitted early on Monday. Some last-minute changes to these
projections, Lewis notes, were not signed off by the affected
employees—and as a result, city auditors were not pleased.

“They wanted us to ensure we got the actual moment (of employee
arrival and departure) instead of rounding off,” he says.

Thus, the biometric time clock went into use a few months
ago—without employee input.

“We could have done that better,” Lewis admits. “Supervisors were
involved, but the employees weren’t consulted.”

Some employees immediately objected to the new device. One prevalent
question: How would the finger-recognition information be secured,
since the data could potentially be easily disseminated?

This security issue was especially germane, since the user manual
for the device states that it “generates, uses and can radiate radio
frequency energy”—meaning that, at least theoretically, outside
devices could pick up those frequencies.

Lewis acknowledges that he wasn’t even aware of this feature of the
biometric time clock until informed of it by the Tucson
Weekly.

After some employees expressed misgivings, division management
stated in a May 20 memo that the information would be secure. The memo
also says the City Attorney’s Office had approved the device’s use. The
memo decreed: “Effective immediately, all personnel are required to
register with and begin using the new system.”

That didn’t stop the employee protest. As one wrote: “I have no
confidence in the city’s ability to protect my personal data.”

Despite those red flags, on June 9, employees were told in writing
that they would either use the system or be sent to a “counseling
session.” If they still refused to use the biometric time clock,
“disciplinary action up to and including termination” would be
considered.

Lewis later informed employees in a June 23 memo that the system
would soon be operational and that anyone who didn’t use it would be
sent home without pay. Continued refusal could result in termination,
he added.

By then, 24 employees of the division—out of the 65 affected
by the decision—had signed a petition against the program.
Listing concerns with data security and invasion of privacy, and
pointing out the existence of reasonable alternatives, the employees
stated: “We respectfully request that the city cease and desist in
coercing employees to relinquish their privacy.”

One of those who signed the petition was Michael LaFond. He also
spoke at a City Council meeting in July. Standing in front of several
other 911 operators and public-safety dispatchers, LaFond asked the
council to stop what he called an intrusive and illegal search of
employees’ personal identification marks.

“This puts us in some danger,” LaFond commented, stating that the
information couldn’t be kept “completely secure.” He cited potential
problems from hackers and identity thieves, and pointed out that there
was no way to know where this invasion of privacy would stop. He
requested: “Don’t spy on me.”

Councilman Rodney Glassman asked for a response from the city staff
that addressed the issues raised by LaFond.

The reply from Lewis came three days later—when he scrapped
the biometric time clock program.

“We’ll use the employee’s number combined with a password,” Lewis
says.

Even though Lewis had earlier said that he didn’t think this option
would satisfy city auditors, he now sees things differently. “Within a
couple of weeks, I hope to hear from the auditors that this complies
(with federal law),” he comments.

Meanwhile, Lewis admits that he’s learned some hard lessons from
this experience.

“As department director,” he says, “I should have asked a few more
questions about an initiative that sounded too good to be true. We
should also have had a well-thought-out plan to introduce (the system)
and ensured employees understood it before implementing it.”

Finally, Lewis observes: “Sometimes, new technology looks like a
good, quick fix, but it may not be.”

This article appears in Jul 30 – Aug 5, 2009.