You’ve finally decided on a new password manager, you’ve come to an agreement with the manufacturer, the contract has been signed, specifications have been drawn up. But then comes the question: “Have you actually talked to the works council?” No problem, you think. After all, IT security is important, they’ll understand. But after a short presentation to the works council, their decision follows immediately: a veto! In this blog post we will tell you how you can avoid such an outcome and win over the works council as soon as possible.
The works council and its right of co-determination in IT projects
As an employee representative body in German companies, the works council has important tasks: it stands up for the interests of all employees and is allowed to have a say in important issues that affect the employees. This includes, for example, issues such as vacation and working hours, as well as the introduction of tools that can monitor the behavior or performance of employees. This is regulated in Section 87, Paragraph 1, No. 6 of the German Works Constitution.
“The works council shall have a say in the following matters, insofar as there is no statutory or collectively agreed regulation: (…)
6. introduction and use of technical equipment intended to monitor the behavior or performance of employees;”
In a ruling in November 2006, the Federal Labor Court reaffirmed that this also includes a data-processing system that “collects and records individualized or individualizable behavioral or performance data itself, regardless of whether the employer also intends to evaluate the collected and recorded behavioral or performance data or use it to respond to observed behavioral or performance data. Monitoring in this sense is both the collection of information and the evaluation of information already available.” (BAG November 14, 2006 – 1 ABR 4/06).
Does the works council have to be informed about the introduction of Password Safe?
The short answer is yes. Password Safe only stores the information that is needed for data protection-compliant password and identity management. However, since all actions in Password Safe must be traceable in the event of an attack, all status changes are recorded in the logbook in an audit-proof manner. Behavioral or performance data can be derived from this – for example, it is possible to see how many password resets an administrator has performed. This information could then be used to monitor and evaluate the performance of a particular employee. So, a password management tool like Password Safe inevitably falls under the works council’s right of co-determination. It therefore makes sense to involve the council as early as possible when considering the introduction of a password manager.
How to get the works council on board
When you first start thinking about introducing a password manager, you should inform the works council immediately. Many of your colleagues on the works council may not be that familiar with IT and need time to get to grips with the issue. And you should allow them this time. In the meantime, you can start looking at different providers. What is important to you and what features does your company need? A good tool to generate and store complex passwords so you and your colleagues don’t have to remember countless credentials? A secure way to share passwords between colleagues? An on-premise solution so you keep control of your data at all times? A provider from Germany with whom you can work securely and in compliance with GDPR?
Which features are important for the works council?
For the works council, other features may be relevant. For example, a binding rights concept that can be used to regulate exactly who accesses log data and when. In this way, all employees and also managers who do not need the log information can be excluded from it and arbitrary monitoring can be avoided. In addition, log data can be deleted at regular intervals in accordance with data protection regulations. You should keep such features in mind when looking at different tools. Then you can present your favorites to the works council and also to the data protection officer, and together you can decide which product is best suited for your company.
The works agreement: more security for everyone
Even if you have agreed on an application with the works council, your colleagues probably have other conditions for its use. To set these down, you draw up a works agreement. Most companies already have framework works agreements for topics such as time recording, vacation or e-mail systems. For IT security tools, there are usually other aspects that need to be taken into account, such as the log data collected. Usually, a works agreement for such a project stipulates that the stored data may not be used to evaluate employee performance.
A final tip: Cooperation on equal footing
Cooperation between the IT department and the works council can sometimes be quite tense, as both parties pursue different goals. While the IT department has data and information security in mind, the works council wants to represent the interests of the employees. Ultimately, however, both are committed to advancing the company as a whole and creating a secure and efficient working environment for everyone. The more openly and honestly you communicate with each other, the more successful this exchange will be. This is how cooperation with the works council can also work in the long term.
* Disclaimer: This article is for informational purposes only and is in no way a substitute for legal advice. The information presented is to be understood without claim of correctness and completeness.