How can I prevent employee browsing?

Organisations have an obligation to prevent their employees from inappropriately accessing customer information – a practice called employee browsing.

Have clear policies about employee browsing in your agency’s code of conduct, including consequences for being caught inappropriately accessing personal information about customers and clients.

Take steps to make sure your staff follow your policies, such as:

• regularly reminding staff that access to information is for official work purposes only
• only giving staff access to the information they need for their work
• requiring staff to justify their access, either at the time of seeking access or retrospectively
• regularly checking how often staff access information and following up on any unusual activity
• conducting random audits comparing a staff member’s database access with the customers they’ve worked with in a given timeframe.

Whatever systems you have in place, make sure your staff know about them; they won’t access information inappropriately if they know you’ll catch them.

Note, the Privacy Commissioner can investigate whether the storage and care of personal information complies with the Privacy Act. This could include systemic issues, such as inadequate security measures or a lack of effective workplace policies to protect personal information.