Sometimes employees just can’t resist the temptation to snoop through customer files.
Hospitals and doctors’ offices, which have detailed medical records of patients, are one prime sector with potential for problems. The Canada Revenue Agency, with years of tax information about citizens and residents, is another.
CBC has already reported that eight CRA staffers were fired during the fiscal year that ended March 31 for improperly accessing taxpayer data. Now comes news that another person was fired just before that for committing the biggest privacy breach in the department’s history.
The broadcaster said that sometime before March 23, 2016, the unnamed employee improperly accessed the accounts of 38 taxpayers in detail, and briefly accessed another 1,264 accounts using a search function to find surnames and postal codes.
In that case, a CRA spokesman told the broadcaster, no taxpayer data was changed. The spokesperson also stressed that of the 1,264 accounts briefly accessed, files were viewed for approximately two seconds per account.
The spokesperson also noted that on March 31 the CRA completed a $10.2-million IT system that “will monitor employee accesses to taxpayer information and will flag accesses that appear inconsistent with the employees’ assigned workloads or duties.”
So this is the time for another reminder that the federal privacy commissioner’s office has issued guidance on ways to cut down on employee snooping. Suggestion number one is to foster a culture of privacy.
“Perhaps the most important element in the prevention of employee snooping is an organization’s culture of privacy,” says the document, “as it supports the effectiveness of all other measures. This starts with the establishment of clear expectations and requirements for employees. Develop a set of comprehensive privacy policies and procedures, and reflect and operationalize them in concrete practices, to ensure that employees: (i) understand that privacy is a core organizational value, and (ii) know what this means for their day-to-day activities. Further, give your organization’s privacy officer (or a similar role) a clear mandate to educate, monitor compliance, and investigate and address violations. When the importance of, and practices associated with, respecting privacy are front-of-mind, employees are less likely to snoop without thinking — helping to avoid incidents based on impulsiveness, misunderstanding or curiosity.”