_Part 11 of 18 in the Digital privacy for board directors series._

For a senior board director, the people who keep day-to-day life functioning — personal or executive assistant, driver, sometimes a household manager, cleaner, gardener, nanny — are part of the security boundary whether you have framed them that way or not. They see, hear, and handle information that, if compromised through them, has the same effect as if it had been compromised directly. They also, almost always, have less attention paid to their digital security than the executive does.

This post is about the standing rules that make the relationship resilient. None of them is about distrust. All of them are about designing the relationship so that distrust is not the thing holding it together.

What an assistant or driver actually sees

Take the typical executive assistant working with a senior director.

They have access to the executive's calendar — past, present, future. They see who the meetings are with, where they are, what the agenda is, what comes up next. They can infer the firm's pipeline, the executive's travel patterns, family events, medical appointments, dental work, school open evenings.

They have access to the executive's inbox in many cases. Either delegated access, or just "forward me anything that needs my attention", or "check what came in overnight". The inbox includes confidential board correspondence, supplier negotiations, draft strategy documents, personal financial communications.

They book travel. They see passport details, frequent-flyer accounts, hotel preferences, the cost-centre against which it is booked, who else is on the trip.

They handle expenses. They see receipts, restaurant choices, who was at dinner, what the executive's spending patterns look like.

A driver sees a different but overlapping slice: where the executive goes, when, with whom, the home address, the school run if any, the doctor and dentist, the partner.

A household manager sees the family's calendar in the same depth that the assistant sees the work one.

Each of these views, individually, is normal and necessary. The aggregate is significant, and the aggregate sits with one or two people on the staff.

The standing rules

Six rules that, applied as the default setting of the relationship, produce a much more resilient posture without changing the trust.

One: any change to where money goes is verified. This is the same rule from the financial-hygiene post, restated for the assistant relationship. If anyone, including the executive, asks for a payment to be sent to a new account, the verification is a phone call to a known number, not the email that contained the request. "Even if it looks like it came from me." Communicate this rule to the assistant the day they start. Most will be relieved that it is being explicit.

Two: calendar invitations to external parties carry the minimum useful detail. "Meeting with X about Y" is enough. "Meeting with X about acquiring Z, at the Carlton, with the M&A team" is too much, and once it has been sent it has been distributed to people you do not control. The discipline is on the assistant when scheduling; the conversation with them about it is two minutes.

Three: nobody other than the executive has the executive's full inbox access by default. Delegated access is fine for specific folders. "Read my entire inbox" is a higher bar and, in some firms, requires explicit registration with the company's IT or compliance team. If your assistant has full inbox access, ask whether that is necessary, and if so whether the inbox is segmented (a separate executive private folder that the assistant does not see).

Four: communications about you are not posted to social media by anyone in your household or staff. A driver tagging you in a "with the boss today" post on Instagram, a cleaner uploading a photograph from your home, an assistant posting "busy day at the FTSE 100" on LinkedIn with locations and details — each is normal social-media behaviour and each is operationally damaging. The conversation to have, once, with each staff member when they start: "please do not post identifiable detail about my movements, my home, or my family." Most are happy to agree.

Five: device hygiene applies to their devices, not just yours. If a staff member is using a personal device to access your calendar, your inbox, or your family chat groups, that personal device is part of your security boundary. The minimum: device passcode, automatic OS updates, no shared use with family members, an account that is not the household-family account. For some senior executives this extends to issuing the assistant a separate device for executive work. This is a perfectly normal arrangement, and a good one.

Six: the conversation about leaving. When a staff member moves on, the access revocation is on the same day. Calendar access, inbox delegation, shared drives, password-manager shares, the alarm code, the door fob, the loaner phone. A printed checklist, applied without exception. The most common pattern of staff-mediated compromise I see is the staff member who left twelve months ago and still has access to a calendar, because the access was never revoked. This is a procedural failure, not a malice problem; the staff member rarely notices they still have access.

The harder conversation: confidentiality

Two thoughts on confidentiality.

The NDA is necessary and not sufficient. Any staff member with material access should be on a confidentiality agreement. The agreement matters and the relationship matters more. The NDA gives you a recourse if something goes wrong; the relationship is what prevents things going wrong. Invest in both.

The information firewall conversation. Senior household and executive staff often work for households where there are several parties whose interests may diverge — the executive and their spouse, the executive and the children, the executive and a co-director who is a relative. The staff member may, over time, become aware of information that one party would not want the other to know. This is delicate, the executive cannot solve it perfectly, and the right approach is to have asked the staff member in advance: "here is the principle. You work for the household. Information that flows to you flows to the household. If you find yourself in a position where you are being asked to keep information from one of us, that is the moment to escalate to me directly." Most experienced household staff have a worked version of this principle. Few are explicitly told.

Where the relationship usually breaks

In my experience, three patterns produce the staff-mediated incidents that reach the level of harm.

The assistant whose personal email is compromised. They use their personal Gmail to forward the executive's documents to themselves for backup. The personal Gmail is later compromised. The documents are in the wind. The defence is "no personal forwarding, ever" and the firm's IT controls actively enforcing it.

The driver whose phone is stolen at a service station. The phone has the executive's address in the navigation history, the family's school in the favourites, the spouse in the recent contacts. The defence is the driver's phone being PIN-locked, full-disk-encrypted, and having Find My iPhone or Find My Device enabled. Half an hour of help from the executive's IT support to set this up.

The household manager whose family social media is open. The household manager's own teenage children, with full social media profiles, are friends-of-friends with someone curious about the household manager's employer. The chain of indirect connections produces detailed inferences. The defence is the conversation with the household manager about their family's social media posture.

None of these is dramatic. All of these are manageable with one Saturday's worth of attention.

What this month looks like

One conversation with each of your senior household and executive staff. Three points: the standing rule about payment changes, the minimum-useful-detail rule about calendar, what to do if you find yourself in an information-firewall situation. Half an hour with each, recorded in a one-paragraph note in your own files.

The relationship is the strongest control you have. The conversation is its maintenance.

In ten weeks: the board portals themselves — Diligent, BoardEffect, the email habit, and how things actually leak.