Employee Snooping: Your Employees' Temptations = Your Liability
Most organizations have vast collections of personal information about employees, customers and suppliers, and it's easy to see why an employee might be tempted to access information for reasons other than legitimate business purposes.
- Maybe the employee wants to spy 174 times on their colleague who is in a common-law relationship with the employee's ex-husband
- Maybe the employee wants access to confidential information of mothers who have just given birth at the hospital she works at, so that the employee can sell their personal information to people who peddle Registered Education Savings Plans (RESPs)
- Maybe the employee wants to snoop on the health status of a high-profile politician who has been hospitalized
Many employers may not be aware that the principles of the Personal Information Protection and Electronic Documents Act (PIPEDA) require that organizations protect personal information against unauthorized access, use and disclosure, and that these safeguards should include technological measures.
Although employees who snoop may be liable for their actions, organizations that fail to take appropriate safeguards may also be found to be in violation of PIPEDA (or other privacy legislation to which they are subject). Organizations may also be found liable for the tort of 'intrusion on seclusion' or the brand-new tort of 'public disclosure of private fact.'
To minimize employee snooping, the Office of the Privacy Commissioner of Canada recently released the following tips for organizations to address employee snooping:
I) Educate
- Foster a culture of privacy
- Have periodic and/or "just-in-time" training and reminders of policies around snooping
- Ensure employees know that consequences will be enforced
II) Protect
- Ensure access is restricted to information required to perform the job
- Allow individuals to block specific employees from accessing their personal information
- Have access logs and/or other oversight tools in place
III) Monitor
- Proactively monitor and/or audit your access logs and other oversight tools
- Understand "normal" access, to better detect inappropriate access
IV) Respond
- Investigate all reports of employee snooping
- Where proactive measures fail, respond appropriately
The complete fact sheet on Ten Tips for Addressing Employee Snooping can be found on the Office of the Privacy Commissioner of Canada's website.