Saturday, October 3, 2015

Just say “no” to requests for confidentiality.

When eliciting requirements you may sometimes be asked if you can be told something in confidence. There’s a great temptation to say “yes”. After all, you are a professional business analyst who can be trusted, right? But “yes’ is the wrong answer. Let’s see why.
You are in a somewhat privileged position when you are meeting with a stakeholder. It’s not often that an employee has a chance to provide facts, details and opinions about their work, and you are enabling that to happen. It will sometimes be the case that an employee will have something in mind that has never been shared, and perhaps they want to, but are fearful of doing so to their colleagues or managers. That fear may be real or not.
We want to avoid the observer effect; that is, where we measure something and measuring changes it. The professional business analyst wants facts, and also opinions, providing they are understood to be such. By taking on confidential information, whether accurate or inaccurate, real or perceived, we are in danger of allowing our elicitation process to change the environment. What expectation are we creating in the confider by allowing them to confide? And more important, what are we expected to do with the confidential information? We certainly can’t pass it on: it’s confidential!
A derivative of this is when you are told “this is confidential. You can pass it on but don’t attribute it to me”. All findings from elicitation must be reviewed and signed off by the providers of the information. This has to be done in writing. So you have to make a written record for validation, which thus becomes attributable (unless you try to keep everything anonymous. But anonymity betrays the value of the information elicited. And you can be sure it won’t stay anonymous for long!)
The bottom line: if asked if you can be told something in confidence say no. Otherwise you can end up making yourself the office gossip.
But can we do more than say no?
Of course! Encourage the would-have-been confider to bring the issue up to a supervisor or manager. A person in this role is the best person to deal with any confidential issues, and their reality (or otherwise). And get to know the current state of your domain well. Observe what really happens, and incorporate your observations in to your findings. These observations will mention situations and individuals. And that’s OK. You are not breaching any confidentialities.
So, do you agree? Are there any circumstances you have encountered where you have accepted confidential information? If so, what happened?