Source: Privacy Commissioner
When people provide personal information to an agency, they trust that their information will be used only for legitimate purposes. However, there are cases where employees misuse this information, breaching both the organisation’s code of conduct and the Privacy Act.
Our office saw one such case where an enforcement officer collected contact details of an individual who was lawfully being questioned. The officer copied this information into their personal phone and made unsolicited calls and messages of a bullying, sexual preference and harassment nature. The individual was left highly distressed by this behaviour which prompted them to place a complaint with the agency concerned.
The agency undertook appropriate steps to ensure the safety of the affected individual and reported the incident as a notifiable privacy breach to OPC. The agency conducted an internal investigation and undertook to prevent future incidents of this nature by updating its internal policies and procedures. While dealing with the agency that reported this incident, valuable insights came light that are relevant to all agencies, and especially those undertaking an enforcement role in our society.
Breach of the Privacy Act
Using personal information collected by an agency for personal reasons, especially in a harassing or inappropriate manner, raises concerns under the Privacy Act 2020.
Our office considered the agency’s actions breached principle 10 of the Privacy Act 2020.
Principle 10 states agencies must not use personal information for purposes other than for which it was collected. There are certain situations when an exception to principle 10 applies – but using an individual’s contact details to ask inappropriate questions while being in a position of power is not one of them. The agency had an obligation to ensure the information collected from the individual was only used for lawful enforcement purposes. As the enforcement officer collected the contact details while carrying out work for the agency, the agency was ultimately responsible for their actions.
In this situation, the officer took advantage of their position of power being in an enforcement role, making it harder for the affected person to stand up for their rights. That power imbalance makes it especially critical for agencies working in this space to make extra effort to ensure staff understand and follow all code of conduct and privacy policy requirements.
Agencies must take proactive steps to prevent such incidents, including:
- Limiting employee access to customer data based on job necessity
- Having regular training on data privacy and privacy laws and ethical conduct
- Establishing confidential channels for people and employees to report misuse of personal information
- Ensuring internal policies align with the Privacy Act 2020 and taking immediate steps when breaches of this nature happen.
- And most importantly, having assurance checks in place as standard practice to ensure these requirements are met by staff.
We do note, most enforcement agencies have strict data handling policies and codes of conduct that prohibit employees accessing or using the personal information they collect for anything other than their lawful purposes. We recommend agencies ensure employees are aware of the policies through ongoing training and communication.
What people can do when facing this type of situation
Enforcement officers are in a position of authority. The inherent power imbalance between enforcement officers and individuals can lead to situations where officers entrusted with authority may abuse their position. This is why individuals have privacy rights around interactions they might have with enforcement agencies.
It is important individuals understand their rights; you can find guidance about privacy rights here. Individuals should query behaviour if it is perceived to be outside the scope of the interaction e.g., an enforcement officer should not ask personal questions about whether you are dating someone or your sexual preference, which is what happened in this case.
Below are some tips you could consider:
- Ask questions – agencies are required to take steps when collecting your personal information, including why they are collecting it and whether you must share it with them. If you are unsure, you should ask the agency to clarify why they need information from you.
- Limit information sharing – only provide the necessary details required for the lawful activity and be cautious about where the personal information is stored
- Monitor communications – if an employee contacts you inappropriately, keep records of the messages as evidence
- Seek legal advice if you are concerned an agency has acted inappropriately or unlawfully.
- Report misuse – immediately notify the agency concerned of the misbehaviour, if necessary, report the incident to OPC.
Employees who engage in this type of behaviour can face consequences
Misuse of personal information by employees is a serious breach of privacy that can result in legal, professional and reputational consequences. Employees engaging in this type of behaviour create risk to the agency they work for but also can face professional damage and harm their own career prospects, making it difficult to secure future employment.
Sending inappropriate messages to an individual in your employment capacity can be considered harassment. It could also result in criminal prosecution, civil litigation, or complaints to regulatory authorities. It can also lead to termination of employment, as it breaks trust and exposes the organisation to legal risk.
Conclusion
OPC expects organisations to have strict privacy and information policies outlining how personal information is collected, used, stored and disclosed. These policies are critical for ensuring transparency, as well as for informing individuals about their rights regarding their personal information and how agencies handle it. Privacy is a fundamental right and violating it has a real-world repercussion.
