Balancing bathroom safety and employee privacy

One place I worked had an interesting physical security problem. In their rented office space, the bathrooms were attached to the public elevator lobby, outside the secure area. To make the women’s bathrooms a little safer, particularly after hours, they put a digital combination lock on the doors. For the first few weeks after they moved into the facility, they had Post-It notes on the doors with the combination. This setup had the same problems as shared passwords: the combination can never be changed, because they would have to notify everybody who uses the bathroom, and since the combination never changes, it is known to all current and former female employees, anyone they have told the combination to, as well as anyone who read the Post-It notes during the first few weeks.

The company had a perfectly good badge system for the secured area, so why didn’t they use it for the bathroom? I suspect it was because it seemed too creepy having the company log any time someone went to the bathroom. Even if they said they didn’t check the logs, the employees would not necessarily believe it, and also, there would be the possibility of some creepy security guy stalking women by finding out when they went to the bathroom.

I was not in charge of the doors, but here is how I would deal with the problem:

  • Have a separate card access system for the bathrooms.
  • Put it on its own isolated network.
  • Send any updates to the primary card access database to the bathroom access system, using a one-way link.
  • Destroy successful bathroom log entries after 72 hours. This makes sure that if something happens Friday evening, it has not rolled off the log before the Monday crew shows up.
  • Save failed access entries and report them to security, as they probably indicate that someone is using a lost or expired access card. The will probably need to be done out of band, as described in the post on one-way links, in order to keep the system isolated.
  • If an incident occurs, save the successful entry logs for some prior period of time. If there are panic buttons in the bathrooms, when one is received, a message could be sent over the one-way link to tell the bathroom access system to preserve the logs.
  • Put the bathroom access machine in its own room (which may just be a closet) with card access, so the main system will record who is dealing with the bathroom-access machine. This helps protect against creepy security people.
  • Put posters on bathroom doors explaining the system (in layman’s terms), how it is isolated from the normal access control system, and how logs are destroyed except in the case of incidents. This should help people feel secure that the company is protecting them from intruders, but not spying on them.

One other thing, put the card access on the men’s bathrooms, too. Men might frequently be in a better position to beat back an intruder, but it is really not what they signed up for when they decided to go to the bathroom.

If you restrict access to the women’s room to women, and the men’s room to men, make sure that there is an easy mechanism for employees to correct the gender that is on file with the company. At one company, it took me a year to get the company to stop sending me mail with a courtesy title of “Ms”, because my first name is Lynn. Although people named Lyn or Lynne are almost invariably female, and most people named Lynn are, too, there is a small, but significant, number of men named Lynn, including the American football player, Lynn Swan, and the former CEO of Chrysler Corporation, Lynn Townsend. But the people in the HR department at headquarters did not know this, and every time I got it corrected, someone would “fix” it so it was wrong again. There are several names that do not clearly indicate gender, such as Kim, Robin, and Dana. The best bet is to ask the employees when they hire on, and then believe them.

Similarly, if you have trans employees who transition, you need to make it easy to update their gender on file, so they can use the right bathroom.

Now, putting card access on the bathroom doors is almost a no-brainer from the security standpoint: the combination lock where everyone knows the combination has little security and no accountability. But all this stuff to keep the logs separate; is it worth it?

Yes, if you care about your employees. There have been several stories in the news about men using their access to restricted databases to help them stalk ex-girlfriends, or women they hope might be future girlfriends. If their bathroom breaks all go into the log, they don’t know who is going to have access to the logs. And if you tell them that nobody will look at the logs, they may not believe you, or that the next management with hold to that promise. At one place I worked (actually the same one), the CEO suddenly announced that he was going to start reviewing access door logs, to see if people were in the office enough. This was really scary to people who were on the road a lot, or who worked from home part of the time. (Please don’t ask why the CEO feels his time is best spent looking at door logs.)

Publicly displaying your commitment to both the security and the privacy of your employees will be a morale booster.


Leave a Reply

Your email address will not be published. Required fields are marked *