In the path of temptation: curtailing employee browsing
“Employee browsing” has been in the news again recently with Immigration NZ staff using a client database almost like a dating site to check out applicants. Such browsing is wrong, on so many levels – including that it’s a serious breach of clients’ trust. And it does real damage to the organisation’s reputation when it comes to light, as several government departments and hospitals have found out to their cost.
But it’s not only government that has to deal with employees who go fishing through the increasingly large reservoirs of personal information at their fingertips. Businesses need to think about it too.
Employee browsing takes a variety of forms. It can include idly scanning the hospital database for a well-known name, or checking on a former partner’s bank balance or credit record. It could be checking out the tax details or police record of your neighbour or cousin or daughter’s new boyfriend. Sifting through someone’s purchase history. Or looking through their call records.
It’s so easy to meander off and browse the database for non-work purposes. A few exploratory taps in the search field and you’ve probably hit a rich vein of information – it’s the information-driven equivalent of skiing off-piste.
Employers need staff to be able to access information efficiently for work purposes. Also, employees who are checked up on all the time may feel untrusted, and their productivity may suffer. So how can employers allow legitimate access, but also manage their business risk?
First, check your organisational culture. If it is silent when it comes to protecting personal information, some employees will fill in the gaps with their own version. Chances are it’s not the version you want, and its interpretation of the law may expose you to risk. And if the organisational culture sends the message that the agency doesn’t care about protecting personal information, you’re in even worse trouble.
Second, control who can access files and when. Access should be on a ‘need to know’ basis. Principle 5 of the Privacy Act requires all agencies to protect personal information with security safeguards that are reasonable in the circumstances: against loss, against unauthorised access, use, modification or disclosure, and against other misuse. If you don’t have safeguards, it’ll cost you a great deal more if things go wrong.
One important control is to have policies that your staff know about, understand, and can follow. Also, if your organisation deals with sensitive information, or has large data-holdings, then the level of controls that it would be “reasonable” to have will almost certainly be higher.
Third, train your staff so they know how to behave with client information. They should understand what trust your clients and your organisation are placing in them. Most people will know that trawling through client records isn’t on – so give them confidence to do the right thing.
Next, have monitoring systems in place to detect misuse. For example, in one complaint we received, a bank discovered that a teller had accessed a couple’s joint bank account 58 times over 2 months, without authorisation. The teller had then gone on to share that account information with a third party – who happened to be a former partner of one of the couple (See: Case note 203856 NZPrivCmr 12). The bank’s systems detected the misuse, and it did the right thing when it found out about the rogue employee. The only thing we had to do was to help the people affected to reach an appropriate settlement with the bank.
There are plenty of tools to help identify and curtail inappropriate “data-diving”. NZ Police, for instance, introduced a random audit of police employees’ use of the National Intelligence Application database, to target exactly that sort of wayward accessing of information. And there are access controls, alerts, electronic footprinting and break-glass technologies of other sorts too. What can be done will depend on the type of business involved – and developing practical and affordable tools is a useful development field for IT specialists to think about.
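As an added illustration (not part of the original post, and not any agency’s or bank’s actual system), the kind of check that caught the teller in the case above, together with the random audit sampling the Police example describes, can be sketched against a constructed access log. The log format, the field names, the staff and account identifiers, and the “five unjustified accesses in sixty days” threshold are all assumptions chosen for the example; the point is that repeated access to one record by one staff member with no recorded work justification is exactly the signal an automated check can raise for a human to look at.

```python
"""Added example: flag repeated, unjustified access to one record in an access log.

Everything here is constructed for illustration: the log format, the field
names, the staff/account identifiers and the thresholds are assumptions, not
any real system's audit trail.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format). One access event per line:
#   <ISO timestamp> <staff_id> <record_id> <action> <case_ref or "-">
# case_ref is the work justification the application recorded for the lookup.
SAMPLE_LOG = """
2023-03-01T09:02:11 t104 ACC-4471 view CASE-8812
2023-03-01T09:15:40 t104 ACC-9920 view CASE-8813
2023-03-01T12:30:02 t217 ACC-3001 view -
2023-03-04T08:45:19 t217 ACC-3001 view -
2023-03-09T17:01:55 t217 ACC-3001 view -
2023-03-15T13:22:08 t217 ACC-7000 view CASE-8850
2023-03-20T10:10:10 t217 ACC-3001 view -
2023-04-02T09:30:00 t217 ACC-3001 view -
2023-04-11T14:05:47 t305 ACC-5555 view -
2023-04-18T16:40:21 t217 ACC-3001 view -
2023-04-19T11:11:11 t305 ACC-5555 view -
2023-04-25T09:59:59 t305 ACC-5555 view -
"""


def parse_log(text):
    """Parse the whitespace-separated log into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, staff, record, action, case_ref = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "staff": staff,
            "record": record,
            "action": action,
            # "-" means the application recorded no justification for the access
            "case_ref": None if case_ref == "-" else case_ref,
        })
    return events


def find_repeat_unjustified(events, threshold=5, window=timedelta(days=60)):
    """Return (staff, record, count) for every staff/record pair with at least
    `threshold` unjustified accesses falling inside some `window`-long period.

    This is the shape of the bank case: one teller, one account, many views
    with no work reason. Threshold and window are tunable assumptions.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["case_ref"] is None:
            by_pair[(e["staff"], e["record"])].append(e["ts"])

    flagged = []
    for (staff, record), times in sorted(by_pair.items()):
        times.sort()
        best, left = 0, 0
        # Sliding window: move `left` forward until the span fits, then count.
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            flagged.append((staff, record, best))
    return flagged


def random_audit_sample(events, n, seed=None):
    """Pick `n` distinct events for manual review whether or not any rule fired.
    A fixed seed makes the draw reproducible for the audit record."""
    return random.Random(seed).sample(events, min(n, len(events)))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for staff, record, count in find_repeat_unjustified(evs):
        print(f"REVIEW: {staff} viewed {record} {count} times with no case reference")
    for e in random_audit_sample(evs, 3, seed=7):
        print(f"AUDIT SAMPLE: {e['ts']:%Y-%m-%d} {e['staff']} {e['record']} {e['case_ref'] or '-'}")
```

On the constructed data the repeat-access rule flags only staff member t217 on account ACC-3001 (six unjustified views in under two months); t305’s three views stay below the threshold. Two practitioner caveats: a flag is a prompt for a person to ask why, not proof of wrongdoing, since there may be a legitimate reason the application did not capture; and the access log is itself personal information about staff, so who may query it and why deserves the same ‘need to know’ discipline as the client records it protects.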
Finally, deal with employee browsing appropriately. Check your HR policies are up to scratch. Also think about what you’ll say to clients whose information has been accessed. It’s a bit like having a disaster management plan. (Unlike with natural disasters, though, if staff know you have these policies, it’s less likely that disaster will occur at all). Serious and deliberate browsing incidents should be labelled as what they are – serious misconduct that can, and often should, result in dismissal. Less serious incidents may attract lesser penalties, though even this will depend on the damage done to business reputation, clients’ trust in the business, and trust between employer and employee. Figure out what will work for you.
Of course, everyone recognises that occasional incidents will still happen, whether deliberately or not. The law recognises that no system can be foolproof. For instance, you might not be able to eliminate “bad eggs” from your staff altogether, but you can have safeguards that are robust and reasonable in the circumstances.
If this all sounds a bit alarming, we’ve got an online guide to help get people started (see: http://privacy.org.nz/privacy-at-work-a-guide-to-the-privacy-act-for-employers-and-employees/ at p27). The main thing, though, is to recognise just what a temptation access to personal information can be – and to figure out an appropriate way that your business can manage that risk.