I am concerned that employees are accessing personal information inappropriately.

Agencies which hold personal information have a responsibility to make sure the information they hold is kept safe and secure. This also means protecting it against unauthorised or inappropriate access.

The agency also needs to set out clear policies and guidelines around acceptable staff behaviour.

Depending on how sensitive the information is, it may be necessary to set up the system so that only the staff who need the information can access it. For example, information about an agency’s payroll services should only be accessible by appropriate administrative staff and managers – not all staff.

As an alternative, or in addition, the agency could implement a system that keeps a record of any access, so that access can be audited and traced back to the staff member.

If employee browsing leads to serious harm to an individual, the agency will generally be held responsible unless it can show it had taken reasonable measures to prevent this from occurring (in which case the employee who accessed the information may be held directly responsible).