Imagine a company offers a parking lot to all its employees, but in order for employees to use this parking lot, they must affix a large vinyl graphic with their full legal name on the rear window of the car, on the sides of the car, and on the hood of the car.
Anyone somewhat close to the car can easily see the name of the car's owner from practically any angle.
So too can traffic monitoring cameras, toll booth cameras, security cameras in commercial parking lots, etc.
Now, imagine that cars, while in this lot, are in superposition on every road in front of every camera, and thus literally visible from anywhere, by any person and any robot at any time, so long as they glance in a specific direction.
Because internet.
Lastly, imagine that the use of the parking lot is (somehow) mandatory for all engineers at this company. Would you take a job as an engineer?
Personally identifiable information (PII) is everywhere, and the handling of PII by various entities is the aim of many state and federal statutes. While California's statutes are likely more protective of PII than those of the rest of the US, there are many countries whose rules make even California's protections seem lax (the GDPR comes to mind).
Nearly a month ago, an email alerted me with an "Action Required" subject, informing me (and seventeen other Company employees) that I should update my GitHub profile to include my "HR First and Last Name". It is important to note here that the name on any GitHub profile is inherently public, visible to all internet-connected people, and all internet-connected robots (think crawlers/scrapers/mining software).
As an Operations Engineer at The Company, GitHub is essential to carrying out the functions of my role. I'd estimate that 90% of my work relies on its use. It is therefore my belief that use of GitHub is a requirement for employment as an Operations Engineer (and likely any engineer) within The Company.
As such, my questions are these:
- Does The Company's definition of PII align with NIST's, either completely, or at least with regard to an uncommon name's inclusion in PII?
- Does The Company General Counsel view this "required action" correspondence as a request for consent to voluntarily disclose PII, or a mandate to disclose PII?
- If this is a mandate, is it one that The Company can confirm is in accordance with:
  - US federal employee privacy statutes?
  - OR employee privacy statutes?
  - CA employee privacy statutes?
  - the statutes of other jurisdictions in which GitHub-using The Company engineers reside?