Six years ago a bank employee was caught going through the financial records of another staff member who was in a relationship with her ex-husband. The spying had been going on for four years.
With organizations holding huge amounts of personal data on staff and customers, employee snooping — for curiosity or money — is tempting.
On Thursday the federal privacy commissioner, who has dealt with several privacy complaints, suggested 10 ways employers can prevent staff spying on personal data.
“Employee snooping poses a serious privacy risk that if left un-checked can cause significant and lasting financial and reputational damage to both your customers and your organization,” the report warns.
“By taking the appropriate steps to address this risk … organizations can go a long way in advancing their reputation as a privacy-conscious business, and more importantly, protect their valued customers’ information, with which they have been entrusted.”
Just as cybersecurity experts advise that awareness training is vital for stopping online attacks, the privacy commission makes it clear education is important to stop employee snooping.
Similarly, access control is important to fight cyber attacks and snooping. The commission also says CISOs should proactively monitor and/or audit access logs and other oversight tools.
The tips are:
- Foster a culture of privacy.
Perhaps the most important element in the prevention of employee snooping is an organization’s culture of privacy, says the report, as it supports the effectiveness of all other measures. This starts with the establishment of clear expectations and requirements for employees.
The organization’s privacy officer (or a similar role) should have a clear mandate to educate, monitor compliance, and investigate and address violations.
- Have periodic and/or “just-in-time” training and reminders of policies around snooping.
- Ensure employees know that consequences will be enforced.
That includes having employees sign (upon hiring and at regular intervals) confidentiality agreements.
- Ensure access is restricted to information required to perform the job.
Organizations should also have documented processes in place for granting and revoking access to information, as required (such as when an employee changes roles).
- Allow individuals to block specific employees from accessing their personal information.
A staffer may want particular colleagues (for example family members or ex-partners with whom a contentious relationship exists) to be prevented from accessing his or her personal information. Organizations should have systems in place to accommodate such requests.
- Have access logs and/or other oversight tools to confirm or deny employee snooping allegations.
Making employees aware that these oversight measures exist also plays a key role in deterrence, the report says.
- Proactively monitor and/or audit access logs and other oversight tools, rather than leaving them untouched until an allegation arises.
- Understand “normal” access, to better detect inappropriate access.
An employee has accessed the personal information of a particular person 10 times in one week, or once a week for a year. Another has accessed 900 different files once each, over a two year period. Is either of these behaviours indicative of a problem? Organizations should understand baseline access patterns for the various roles, in order to better detect access anomalies. Alerts can then be set up to notify the organization of potentially problematic behaviour.
- Investigate all reports of employee snooping.
- Where proactive measures fail, respond appropriately.
There are circumstances in which no reasonable proactive measures would have been able to prevent or detect an employee snooping incident, says the report. In those instances, it is important that the organization respond appropriately.
This can include disciplinary action, notification to the Office of the Privacy Commissioner of a possible violation of the Personal Information Protection and Electronic Documents Act (PIPEDA), and notification to the affected individual (including sufficient information, such as duration and scope of access, to allow an individual to take appropriate steps to mitigate any potential impacts of the incident).
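The tips about keeping access logs, auditing them proactively, honouring requests to block specific employees, and understanding "normal" access for a role can be made concrete with a short review script. The following is an added example, not code from the commissioner's report or from any bank: the log format (`timestamp,employee,role,subject`), the role names, the thresholds and the sample rows are all constructed for illustration. It builds a per-role median for two metrics (how many distinct people an employee looked up, and how many times they returned to one person's record), flags employees well above their peers, and separately reports any access by an employee whom the subject has asked to be blocked.

```python
"""Added example: baseline access per role, flag anomalies and blocked pairs.

Not code from the privacy commissioner's report; the log format, role names,
thresholds and sample rows are constructed for illustration.
"""
from collections import Counter, defaultdict
from statistics import median


def constructed_log():
    """Constructed audit-log rows: 'timestamp,employee,role,subject'."""
    rows = []

    def add(day, emp, role, subj):
        rows.append(f"2023-01-{day:02d}T10:00,{emp},{role},{subj}")

    # Three tellers each look up three customers once (normal work).
    for i, emp in enumerate(["e1", "e2", "e3"]):
        for n in range(3):
            add(2 + n, emp, "teller", f"c{101 + 3 * i + n}")
    # e3 returns to customer c900 eight times in two weeks: repeated access.
    for day in range(3, 11):
        add(day, "e3", "teller", "c900")
    # e2 looks up c200 once; c200 has asked that e2 be blocked (see BLOCKED).
    add(5, "e2", "teller", "c200")
    # Analysts: e4 and e6 touch a few records, e5 sweeps 14 different ones.
    for n in range(3):
        add(2 + n, "e4", "analyst", f"c{301 + n}")
    for n in range(4):
        add(2 + n, "e6", "analyst", f"c{401 + n}")
    for n in range(14):
        add(2 + n, "e5", "analyst", f"c{501 + n}")
    return rows


# Per-subject block list: subject -> employees they have asked to be barred.
BLOCKED = {"c200": {"e2"}}


def parse(rows):
    """Parse CSV rows into (ts, employee, role, subject); skip malformed rows."""
    out = []
    for row in rows:
        parts = row.strip().split(",")
        if len(parts) != 4:
            continue
        out.append(tuple(parts))
    return out


def per_employee_metrics(events):
    """Per employee: role, distinct subjects touched, and the most accesses
    to any single subject (covers '10 times in a week' and 'weekly for a year')."""
    role_of = {}
    hits = defaultdict(Counter)  # employee -> Counter(subject -> accesses)
    for _ts, emp, role, subj in events:
        role_of[emp] = role
        hits[emp][subj] += 1
    return {emp: {"role": role_of[emp],
                  "distinct": len(c),
                  "max_repeat": max(c.values())}
            for emp, c in hits.items()}


def role_baselines(metrics):
    """Median of each metric across the employees sharing a role."""
    by_role = defaultdict(lambda: defaultdict(list))
    for m in metrics.values():
        for k in ("distinct", "max_repeat"):
            by_role[m["role"]][k].append(m[k])
    return {role: {k: median(v) for k, v in d.items()} for role, d in by_role.items()}


# Flag a metric only when it is both well above the role median and above an
# absolute floor (so a median of 1 does not make 2 an anomaly). Tunable.
FACTOR = 2.5
FLOORS = {"distinct": 5, "max_repeat": 3}


def find_anomalies(events):
    """Return (employee, metric, value, role_median) for every outlier."""
    metrics = per_employee_metrics(events)
    base = role_baselines(metrics)
    alerts = []
    for emp, m in sorted(metrics.items()):
        for k in ("distinct", "max_repeat"):
            if m[k] >= FLOORS[k] and m[k] > FACTOR * base[m["role"]][k]:
                alerts.append((emp, k, m[k], base[m["role"]][k]))
    return alerts


def find_blocked_access(events, blocked=BLOCKED):
    """Any access by an employee the subject has blocked is reported outright."""
    return sorted({(emp, subj) for _ts, emp, _role, subj in events
                   if emp in blocked.get(subj, set())})


if __name__ == "__main__":
    evs = parse(constructed_log())
    for a in find_anomalies(evs):
        print("anomaly: employee %s %s=%d (role median %.1f)" % a)
    for emp, subj in find_blocked_access(evs):
        print(f"blocked-pair access: {emp} read {subj}")
```

On the constructed data the script flags e3 for returning to one customer's record eight times against a teller median of one, and e5 for touching 14 distinct records against an analyst median of four; e2's single read of c200 is reported because of the block list, not because it is statistically unusual. The median-and-floor rule is deliberately simple; a real deployment would compute baselines per role over a rolling window and feed the alerts into the investigation process the report describes.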