Have you ever been tempted to search your company’s database for information about your colleagues’ pay, promotions, employment disputes or performance? Or perhaps you have access to client databases which contain juicy information about customers’ purchase history and financial situation? Humans are inherently curious beings, but be aware that browsing other people’s private information is against the law.
We regularly hear about “data breaches”. These are situations where the personal data of individuals is lost or disclosed in some inappropriate way. It could be theft of a USB stick containing personal information about patients, or personal papers left on a photocopier accidentally being bundled together and given to a third party. Another example is the recently-publicised Yahoo hack that compromised up to 500 million user accounts.
Employee browsing is a different type of data breach. This is where someone who has legitimate access to others’ personal information decides to browse it, not for lawful reasons necessary to do their job, but out of fun, curiosity or nosiness.
Recently, a medical body made contact with OPC to alert us to such a data breach. A student practitioner was found to be accessing clinical records which weren’t part of his caseload. This was despite the employer’s very robust processes in training employees on the importance of respecting privacy and ensuring all staff signed confidentiality forms.
When the medical body became aware of the data breach, they confronted the student, questioned his colleagues and conducted an audit of his work computer use. The student admitted to inappropriately accessing about three patients’ records, but the audit revealed inappropriate access to about 70. The student was removed from the course.
The medical body was proactive in following its disciplinary process with the student, contacting all the patients affected and notifying our Office. But this example serves as a useful reminder to all of us.
Signing a confidentiality form doesn’t mean employees have carte blanche access to all the information held by an agency. Access to the personal information should always be on a “need to know” basis in order to carry out professional duties.
In addition to facing disciplinary action and Privacy Act complaints, looking up personal information without good reason could amount to a criminal offence. In a recent HRRT case, a person suspected that an employee at the DHB might have used her access to health information systems to find out where she and her children were now living. She made a complaint to Police, who reviewed the employee’s access logs as part of their investigation.
Principle 5 of the Privacy Act says all agencies are required to protect personal information by security safeguards that are reasonable in the circumstances, including protecting the information against loss, against unauthorised access, use, modification or disclosure, and against other misuse.
As highlighted in a recent speech by the Privacy Commissioner, leaking personal information without consent is a potential source of harm, and “regardless of how banal or irrelevant the information might appear to one person, it might be highly sensitive to another”.
If you know someone who engages in employee browsing, confront them or tell your organisation’s privacy officer or human resources manager. Most organisations keep access logs that record which documents, files and records each employee has opened, so browsing leaves a trail even when nobody admits to it. There can be serious consequences for staff found to have strayed from their role by accessing others’ personal information.
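The audit described in the student practitioner case, and the access-log check mentioned above, both come down to one comparison: the records a user actually opened against the records that user had a work reason to open. The script below is an added illustration of that comparison; it is not the medical body’s, the DHB’s or OPC’s own tooling. The log format (one line per event: timestamp, user, patient ID, action), the caseload table and every user and patient ID in it are constructed for this example, and a real system’s audit trail and roster would look different.

```python
"""Flag record lookups that fall outside a user's assigned caseload.

Added example, not tooling from the page or from any agency it mentions.
The log format, field names, user names, patient IDs and the caseload
table below are all assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp, user, patient ID, action.
SAMPLE_LOG = """\
2016-09-01T09:02:11 jdoe P1001 view
2016-09-01T09:05:43 jdoe P1002 view
2016-09-01T12:31:09 jdoe P2200 view
2016-09-01T12:33:50 jdoe P2200 view
2016-09-01T12:40:12 jdoe P2201 view
2016-09-01T13:15:07 jdoe P2202 print
2016-09-02T08:10:00 asmith P3000 view
2016-09-02T08:12:30 asmith P1001 view
"""

# Constructed caseload table: the patients each user is assigned to.
CASELOAD = {
    "jdoe": {"P1001", "P1002"},
    "asmith": {"P3000"},
}


def parse_log(text):
    """Yield (timestamp, user, patient, action) tuples from the log text.

    Blank lines are skipped; a line with the wrong field count raises so a
    truncated or tampered log is noticed rather than silently under-counted.
    """
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        ts, user, patient, action = parts
        yield datetime.fromisoformat(ts), user, patient, action


def find_out_of_caseload_access(text, caseload):
    """Return {user: {patient: [(timestamp, action), ...]}} for every access
    to a patient who is not on that user's caseload.

    A user missing from the caseload table is treated as having no
    authorised patients, so all of their lookups are flagged. That is the
    conservative default: an unassigned user should not be in the records.
    """
    findings = defaultdict(lambda: defaultdict(list))
    for ts, user, patient, action in parse_log(text):
        if patient not in caseload.get(user, set()):
            findings[user][patient].append((ts, action))
    return {user: dict(patients) for user, patients in findings.items()}


def summarise(findings):
    """Per-user count of distinct patients and total events outside caseload.

    Distinct patients is the figure that drives notification (each affected
    patient has to be contacted); total events shows how persistent it was.
    """
    return {
        user: {
            "patients": len(patients),
            "events": sum(len(events) for events in patients.values()),
        }
        for user, patients in findings.items()
    }


if __name__ == "__main__":
    findings = find_out_of_caseload_access(SAMPLE_LOG, CASELOAD)
    for user, stats in summarise(findings).items():
        print(f"{user}: {stats['patients']} patients, "
              f"{stats['events']} events outside caseload")
        for patient, events in sorted(findings[user].items()):
            for ts, action in events:
                print(f"  {ts.isoformat()} {action} {patient}")
```

The gap between what a person admits to and what the log shows is exactly what the summary exposes: the distinct-patient count, not the self-report, is the number the agency needs for notifying affected individuals. Note also that the check only works if the caseload table is maintained as carefully as the log; a stale roster produces both false alarms and missed browsing.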
When you browse personal data, are you doing so to do your job? Or are you browsing for another reason? Think carefully before you look up, copy or share personal information.
If the risk of losing your job, being the subject of a Privacy Act complaint, or facing criminal charges is not deterrent enough, think about how you would feel if hospital staff, your co-workers or government workers were researching you in their moments of boredom.
Image credit: Royal spoonbill (Rebecca Bowater) - New Zealand Birds Online