9 to 5

9 to 5: Do You Know If Your Boss Knows Where You Are? Case Studies of Radio Frequency Identification Usage in the Workplace

Edward Balkovich
Tora K. Bikson
Gordon Bitko
Copyright Date: 2005
Edition: 1
Published by: RAND Corporation
Pages: 36
https://www.jstor.org/stable/10.7249/tr197rc
  • Cite this Item
  • Book Info
    9 to 5
    Book Description:

    Describes a case study of six enterprises that use Radio Frequency Identification (RFID) tags to control access in the workplace to understand their policies about personally identifiable records obtained by sensing RFID-based access cards. These policies have a number of common features, but the policies are neither documented nor shared with employees. While employees ought to be informed about uses of access control system records, implementing traditional fair information practices for such records would be impractical in some situations.

    eISBN: 978-0-8330-4112-8
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. i-ii)
  2. Preface
    (pp. iii-iv)
  3. Table of Contents
    (pp. v-vi)
  4. Figure and Tables
    (pp. vii-viii)
  5. CHAPTER ONE Introduction
    (pp. 1-4)

    New information technologies have created unprecedented opportunities to collect, store, and transfer information. Technology can be applied to make our lives both easier and safer, but it can also diminish our privacy and civil liberties. Effective decisionmaking about relationships among personal convenience, public safety, security, and privacy requires many kinds of knowledge. Together with Carnegie Mellon University, we outlined an empirical approach to generating such knowledge (Balkovich et al., 2004).

    As a starting point, RAND examined a commonly used information technology—Radio Frequency Identification (RFID) tags in access cards. Access cards are often used in the workplace to control entry...

  6. CHAPTER TWO Privacy In the Workplace
    (pp. 5-6)

    Privacy in the U.S. workplace has few protections. The Electronic Communications Privacy Act of 1986 (ECPA, 86) is a U.S. federal statute that establishes the privacy of employee communications in the workplace. It generally prohibits the interception of electronic communications but specifically allows employers to monitor their networks for business purposes and in particular to monitor communication networks with employee consent—actual or implicit.

    These broad exceptions enable employers to monitor all forms of electronic communications in the workplace (e.g., e-mail, instant messaging, voice calls, voice mail), so long as the results of such monitoring are not used to punish...

  7. CHAPTER THREE Methods
    (pp. 7-8)

    Our approach involves a replicated case study of six organizations. The organizations we chose all have 1,500 or more employees. All are in the private sector. Two are nonprofits, two are high-tech manufacturers, and two are media services firms (content producers).

    For each organization, we identified role incumbents responsible in some capacity for the operation of the access control system (e.g., a director of security) and asked them questions about their organization’s use of RFID. Our questions covered the following topics:

    Architecture of the RFID-based access control system

    Integration of access control with other systems

    Data collected...

  8. CHAPTER FOUR What We Found
    (pp. 9-14)

    We begin with a brief discussion of the architecture of the access control systems included in the study. Architecturally, these systems are very similar, although they differ in some technical details. We have abstracted the responses into a single description with only enough detail to understand the answers to our interview questions. We then present in more detail the answers to the remaining study questions provided by the six participating organizations.

    The conceptual elements of the access control systems used by all the organizations in our case studies are illustrated in Figure 1. Each system comprises a number of antennas...

  9. CHAPTER FIVE Results
    (pp. 15-16)

    It is quite clear from our six cases that the enterprises studied have many things in common about the way they use access control systems and the data they generate. Several principles stand out:

    Linkage of access control system records with other personally identifiable data is commonplace. Access control systems are typically integrated with other forms of surveillance, such as video cameras, and the two sources of surveillance data are routinely linked. Linkage with personnel records is also commonplace. Most surprising was the linkage (albeit in only one case) with medical records.

    Linkage with video cameras serves a security need....

  10. CHAPTER SIX Discussion
    (pp. 17-22)

    Based on our case studies, what advice would we offer to an enterprise planning to introduce RFID-based access controls? We think it is important to have an explicit policy for use of data associated with an access control system, based on conscious decisions about how they should and should not be handled.

    The advantage of an explicit policy is that the act of creating or revising it provides the impetus to think through the desired organizational response to various situations that might present themselves. Without an explicit plan, an enterprise runs the risk of making policy “on the fly” and...

  11. Appendix: Interview Questions
    (pp. 23-26)
  12. References
    (pp. 27-28)