Office of the Privacy Commissioner
Date Modified:
2016-03-31
Ten Tips for Addressing Employee Snooping
Ensuring that personal information held by an organization is accessed only by employees who need it, and only at times that information is required for legitimate business purposes, can be a challenge — but it is a challenge that needs to be addressed. Without appropriate preventative safeguards, human curiosity and other motivations (including sinister ones, such as profit and/or harm to individuals) can lead employees to access personal information without authorization and without a legitimate business purpose — also known as “employee snooping”. Footnote 1
Principle 4.5 of Schedule 1 of Personal Information Protection and Electronic Documents Act (PIPEDA) requires that personal information not be used or disclosed for purposes other than those for which it was collected. Principle 4.7 requires personal information be protected by safeguards appropriate to the sensitivity of the information. Going deeper, Principle 4.7.1 states that organizations’ security safeguards must protect personal information against not just loss or theft, but also unauthorized access, disclosure, copying, use or modification. Principle 4.7.3 goes on to explain that these safeguards should include physical, organizational and technological measures.
Though unauthorized access may represent the actions of an individual for their own purposes, accountability remains with the organization that maintains the responsibility and obligation to protect personal information from unauthorized use or disclosure. Below, we provide tips, drawn from the Office of the Privacy Commissioner of Canada’s (OPC) experience in investigations in this area Footnote 2, on ways to prevent and address employee snooping.
Educate
- Foster a culture of privacy.
Perhaps the most important element in the prevention of employee snooping is an organization’s culture of privacy, as it supports the effectiveness of all other measures. This starts with the establishment of clear expectations and requirements for employees. Develop a set of comprehensive privacy policies and procedures, and reflect and operationalize them in concrete practices, to ensure that employees: (i) understand that privacy is a core organizational value, and (ii) know what this means for their day-to-day activities. Further, give your organization’s privacy officer (or a similar role) a clear mandate to educate, monitor compliance, and investigate and address violations. When the importance of, and practices associated with, respecting privacy are front-of-mind, employees are less likely to snoop without thinking — helping to avoid incidents based on impulsiveness, misunderstanding or curiosity.
- Have periodic and/or “just-in-time” training and reminders of policies around snooping.
Quite often, an employee is presented with his or her privacy obligations as just one part of the voluminous orientation package received upon hiring. While this is a good practice, it should not be the only time such policies are presented to employees. Regular reminders and proper training will ensure knowledge remains fresh. Further, where possible, an organization can use a “just-in-time” reminder — which can range from a sticker on a cabinet to a computer pop-up — to present key information about employees’ privacy obligations at precisely the time it may be needed.
- Ensure employees know that consequences will be enforced.
Whether it is curiosity, a request from another person, or even the lure of financial gain, some employees may have an incentive to snoop. It is up to organizations to ensure their employees are aware that there are serious repercussions for doing so. Employees should understand that: (i) there are significant consequences to, and damages that can arise from, snooping; (ii) the organization takes steps to detect and dissuade violators; and, (iii) consequences will be enforced. The absence of any of those three factors will negatively impact the effectiveness of an organization’s snooping prevention measures. Having employees sign (upon hiring and at regular intervals) confidentiality agreements that speak to both unauthorized access to, and disclosure of, personal information can be a strong mechanism in creating this awareness.
Protect
- Ensure access is restricted to information required to perform the job.
An employee’s access to information should be matched to his or her role. This might mean, where feasible, that he or she can access only less sensitive portions of the information held about an individual and/or only information about a limited number of individuals, that access is time- or geography-limited, and/or other restrictions. Organizations should also have documented processes in place for granting and revoking access to information, as required (such as when an employee changes roles). Particularly where information is sensitive, organizations should use physical (e.g., locked cabinets), organizational (e.g., appropriate policies and consequences) and/or technological (e.g., restricted access permissions) safeguards to prevent ‘unintentional’ inappropriate access to customer information.
- Allow individuals to block specific employees from accessing their personal information.
Situations may occur in which an individual has a bona fide reason to desire that one or more employees of an organization (e.g., family members or ex-partners with whom a contentious relationship exists) be prevented from accessing his or her personal information. Organizations should thus have systems in place to accommodate such requests. Needless to say, to ensure adequacy, the blocked employee should not be able to circumvent this measure.
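The two preceding tips (role-matched access and customer-requested blocks) can be combined in a single server-side authorization check. The following is an added illustration, not code from the OPC or from any organization it describes; the roles, sensitivity tiers, branch scoping and customer records are constructed assumptions. The point it demonstrates is ordering: the customer's block is evaluated before any role-based rule, so a more privileged role cannot be used to circumvent it, and every decision, allowed or denied, is written to an audit log.

```python
"""Added example (not OPC text): a minimal server-side authorization check for
customer records that enforces (a) role-scoped access to sensitivity tiers,
(b) branch scoping, and (c) customer-requested blocks on named employees.
All roles, tiers, employees and records below are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed role policy: the sensitivity tiers each role may read.
ROLE_TIERS = {
    "teller": {"basic"},
    "advisor": {"basic", "financial"},
    "fraud_analyst": {"basic", "financial", "investigation"},
}


@dataclass
class CustomerRecord:
    customer_id: str
    branch: str
    fields: dict                                    # field name -> sensitivity tier
    blocked_employees: set = field(default_factory=set)  # blocks requested by the customer


@dataclass
class Employee:
    employee_id: str
    role: str
    branch: str


@dataclass
class Decision:
    allowed: bool
    fields: frozenset   # the subset of requested fields actually released
    reason: str


AUDIT_LOG = []  # every decision is recorded so access can be reviewed later


def authorize(emp, rec, requested):
    """Decide which of the requested fields an employee may see, and log the decision."""
    # 1. A customer-requested block is checked first; no role overrides it.
    if emp.employee_id in rec.blocked_employees:
        decision = Decision(False, frozenset(), "blocked by customer request")
    # 2. Geography-limited access: only records from the employee's own branch.
    elif emp.branch != rec.branch:
        decision = Decision(False, frozenset(), "outside branch scope")
    else:
        # 3. Least privilege: release only fields whose tier the role is permitted to read.
        permitted = ROLE_TIERS.get(emp.role, set())
        granted = frozenset(f for f in requested if rec.fields.get(f) in permitted)
        denied = set(requested) - granted
        if not granted:
            decision = Decision(False, frozenset(), "no requested field permitted for role")
        else:
            decision = Decision(True, granted, "partial" if denied else "ok")
    AUDIT_LOG.append((emp.employee_id, rec.customer_id, sorted(requested),
                      decision.allowed, decision.reason))
    return decision


if __name__ == "__main__":
    rec = CustomerRecord("C1", "north",
                         {"name": "basic", "balance": "financial", "case_notes": "investigation"},
                         blocked_employees={"E9"})
    print(authorize(Employee("E1", "teller", "north"), rec, ["name", "balance"]))
    print(authorize(Employee("E9", "fraud_analyst", "north"), rec, ["name"]))
    for entry in AUDIT_LOG:
        print(entry)
```

In a real deployment the decision and the audit record belong in the service that holds the data, not in the client application, so that an employee cannot reach the record by another path.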
- Have access logs and/or other oversight tools in place.
In general, inappropriate access may not be immediately visible. Incidents may come to light over time, or as the result of a complaint from an individual. Having access logs or other oversight tools in place allows an organization to investigate allegations of employee snooping by reactively reviewing those logs to confirm or rule out the alleged access. Making employees aware that these oversight measures exist also plays a key role in deterrence. If employees realize that there is a high likelihood of being caught, the likelihood that they engage in snooping practices in the first place is dramatically reduced.
Monitor
- Proactively monitor and/or audit your access logs and other oversight tools.
Beyond using access logs to reactively investigate alleged incidents, it is important that organizations have proactive measures in place to monitor and/or audit for undetected employee snooping. Such measures are essential safeguards to detect and deter unauthorized access by employees, and are particularly crucial for organizations that, for customer service or other reasons, must permit employees broad access to customer/client information. This can take the form of regular audits of all employees or, where an organization is quite large, random audits of a sample of employees. Further, as noted above, to maximise deterrence employees should be made aware that these proactive steps will take place. Without the potential for proactive detection, incidents of employee snooping could continue indefinitely without the knowledge of the affected individual, or even the organization.
- Understand “normal” access, to better detect inappropriate access.
An employee has accessed the personal information of a particular person 10 times in one week, or once a week for a year. Another has accessed 900 different files once each, over a two year period. Is either of these behaviours indicative of a problem? Organizations should understand baseline access patterns for various roles, in order to better detect anomalies of access. Alerts can then be set up to notify the organization of potential problematic behaviour.
Respond
- Investigate all reports of employee snooping.
Given the harm they can involve, allegations of employee snooping must be taken seriously. When our Office becomes aware of a snooping incident, we will expect a respondent organization to be able to demonstrate that it has undertaken a thorough and timely investigation of any substantive allegations and, where warranted, taken appropriate steps to address the unauthorized access by an employee, mitigate current or future harms to the individual, and reduce the likelihood of recurrence (potentially including revising policies, strengthening safeguards, increasing monitoring, or similar measures).
- Where proactive measures fail, respond appropriately.
There are circumstances in which no reasonable proactive measures would have been able to prevent or detect an employee snooping incident. In those instances, it is important that the organization respond appropriately. This can include, but is not limited to, appropriate consequences for the snooper (which may include disciplinary action), notification to the OPC, and notification to the affected individual (including sufficient information, such as duration and scope of access, to allow an individual to take appropriate steps to mitigate any potential impacts of the incident).
Employee snooping poses a serious privacy risk that, if left unchecked, can cause significant and lasting financial and reputational damage to both your customers and your organization. By taking the appropriate steps to address this risk, including the adoption of the practices outlined above, organizations can go a long way in advancing their reputation as a privacy-conscious business and, more importantly, protect their valued customers’ information, with which they have been entrusted.
Footnote 1
This document is aimed at organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law. In the public sector, the Office of the Privacy Commissioner of Canada (OPC) spoke to the issue of inappropriate employee access and use of personal information in its 2013 audit of the Canada Revenue Agency.
Footnote 2
See, for instance, PIPEDA Report of Findings 2015-011: Bank implements significant measures to address unauthorized access of client information for non-business purposes by bank employee.