Source: New Zealand Privacy Commissioner – Blog

Originally published on the New Zealand Herald 3 October 2024.

Beware the risk within

By Michael Webster, Privacy Commissioner

One of the greatest risks to privacy in the workplace could be sitting next to you – or it could even be you.

Employee browsing or the unauthorised access and misuse of personal information is one of the most common privacy breaches. I also believe it’s one of the least understood or reported on, as required by the Privacy Act.

New Zealand is a small place and there’s a good chance a familiar name will crop up in a database or on a file at work and it can prove very tempting to have a look.

However, a sneaky peek isn’t a harmless case of nosiness; it’s inappropriate and can be a breach of the principles underpinning the Privacy Act. In the cases I see it can have potentially serious consequences such as harassment and blackmail.

In one example, a person in a position of power looked up the details of a colleague’s partner then used their position to repeatedly sexually harass them via text message. The victim felt intimidated, scared, and fearful in their own home so contacted our Office.

In some circumstances employees look up information and then pass it on for the explicit purpose of causing harm – for example, finding the address of someone who owns expensive assets to be targeted for a burglary.

In other examples they do it because they think they’re helping a friend when they’re acting illegally. Like the employee working for a counsellor who had a friend in a custody dispute with their ex-partner. The employee looked up information about the wellbeing of their friend’s ex-partner and shared it with their friend who then used it in their custody dispute hearing.

Sometimes the temptation to ‘just have a quick look’ is a powerful force but employees need to be stronger. One story I’ve seen was from a clinic doing STI and HIV testing. A new employee was being trained and decided to look up their own records while their trainer was in the room with them. That’s fine, it’s their information. However, when the trainer left the room, the new employee took the opportunity to look up the names of their ex-partner, current partner, and best friend – all in breach of the Privacy Act.

The Privacy Act protects the personal information of all New Zealanders, which means that as well as employees not snooping, we need managers and owners to be informing their staff that it’s wrong to snoop, and to act when it’s found out.

There’s a lot of information about us held in various databases, including contact details, bank accounts and financial records, and copies of identity documents. This material needs to be protected from internal threats from staff as well as external threats from third parties.

Employers have a responsibility to secure databases and to limit access only to the staff that need that information to do their job. Employers also have a responsibility to recognise the potential for serious harm if staff are misusing their access privileges.

The bottom line is organisations have an obligation to prevent their employees from inappropriately accessing and/or disclosing customer information. 

Building privacy safeguards into your databases enables you to have access controls in place to protect personal information, ideally supported by audit logs so you can monitor who’s doing what and follow up on any unusual activity.

Significant personal information is held in various databases across New Zealand. A good example is around driver licences and car registration details. Businesses and organisations like insurance providers, vehicle importers, or sellers can be granted access to the motor vehicle register for lawful purposes. However, when staff at those types of agencies access the database for their own reasons or interests then it’s a problem, which often leads to employee dismissal as well as the agency needing to report a privacy breach.

Businesses have an obligation to ensure their staff have privacy training and a general awareness about the risks of employee browsing. They also need to take steps to make sure staff know they can only access information for work purposes.

This can be reinforced by having clear policies about employee browsing in your agency’s code of conduct, including consequences for being caught inappropriately accessing personal information about customers and clients.

Staff access to personal information comes with serious accountabilities about appropriate and lawful behaviour. We all need to treat it with respect. Organisations need to ensure there are consequences for employee browsing and treat any breaches of trust as serious compliance incidents.
