Now more than ever, organizations in both the public and private sectors hold vast amounts of data on their personnel as well as their customers.
Technology has allowed many businesses and offices to monitor the whereabouts and behaviours of their staff and clients. However, just because a workplace owns the devices used by employees, this doesn’t mean that workers have lost the right to privacy when using employer-provided equipment.
“Employee snooping poses a serious privacy risk that if left unchecked can cause significant and lasting financial and reputational damage to both your customers and your organization,” according to the Office of the Privacy Commissioner of Canada.
Here are 10 ways workplaces can avoid employee snooping:
- Foster a culture of privacy
Perhaps the most important element in the prevention of employee snooping is an organization’s culture of privacy, as it supports the effectiveness of all other measures. This starts with the establishment of clear expectations and requirements for employees. Develop a set of comprehensive privacy policies and procedures, and reflect and operationalize them in concrete practices, to ensure that employees: (i) understand that privacy is a core organizational value, and (ii) know what this means for their day-to-day activities. Further, give your organization’s privacy officer (or a similar role) a clear mandate to educate, monitor compliance, and investigate and address violations. When the importance of, and practices associated with, respecting privacy are front-of-mind, employees are less likely to snoop without thinking — helping to avoid incidents based on impulsiveness, misunderstanding or curiosity.
- Have periodic and/or “just-in-time” training and reminders of policies around snooping
Quite often, an employee is presented with his or her privacy obligations as just one part of the voluminous orientation package received upon hiring. While this is a good practice, it should not be the only time such policies are presented to employees. Regular reminders and proper training will ensure knowledge remains fresh. Further, where possible, an organization can use a “just-in-time” reminder — which can range from a sticker on a cabinet to a computer pop-up — to present key information about employees’ privacy obligations at precisely the time it may be needed.
- Ensure employees know that consequences will be enforced
Whether it is curiosity, a request from another person, or even the lure of financial gain, some employees may have an incentive to snoop. It is up to organizations to ensure their employees are aware that there are serious repercussions for doing so. Employees should understand that: (i) there are significant consequences to, and damages that can arise from, snooping; (ii) the organization takes steps to detect and dissuade violators; and, (iii) consequences will be enforced. The absence of any of those three factors will negatively impact the effectiveness of an organization’s snooping prevention measures. Having employees sign (upon hiring and at regular intervals) confidentiality agreements that speak to both unauthorized access to, and disclosure of, personal information can be a strong mechanism in creating this awareness.
- Ensure access is restricted to information required to perform the job
An employee’s access to information should be matched to his or her role. This might mean, where feasible, that he or she can access only less sensitive portions of the information held about an individual and/or only information about a limited number of individuals, that access is time- or geography-limited, and/or other restrictions. Organizations should also have documented processes in place for granting and revoking access to information, as required (such as when an employee changes roles). Particularly where information is sensitive, organizations should use physical (e.g., locked cabinets), organizational (e.g., appropriate policies and consequences) and/or technological (e.g., restricted access permissions) safeguards to prevent ‘unintentional’ inappropriate access to customer information.
- Allow individuals to block specific employees from accessing their personal information
Situations may occur in which an individual has a bona fide reason to desire that one or more employees of an organization (e.g., family members or ex-partners with whom a contentious relationship exists) be prevented from accessing his or her personal information. Organizations should thus have systems in place to accommodate such requests. Needless to say, to ensure adequacy, the blocked employee should not be able to circumvent this measure.
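One way to implement the two controls above (role-scoped access from the previous item and an individual's request to block specific employees), as an added Python example that is not part of the OPC guidance. The role names, record sections and identifiers are constructed for illustration. The block list is checked before the role check, so no role can circumvent it, and every decision, including each refusal, is written to an audit log, since refused attempts are themselves a signal worth reviewing.

```python
from dataclasses import dataclass, field

# Constructed role scoping (hypothetical names): the record sections each role may read.
ROLE_SECTIONS = {
    "billing_clerk": {"contact", "billing"},
    "clinician": {"contact", "clinical"},
}


@dataclass
class SubjectRecord:
    """Personal-information file for one individual (the 'subject')."""
    subject_id: str
    # Employees this individual has asked to be kept away from their file.
    blocked_employees: set = field(default_factory=set)


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


def decide_access(employee_id, role, subject, section, audit_log):
    """Evaluate one read request and record it in audit_log whether or not it is granted.

    Order matters: an individual's block applies regardless of the requester's role,
    so it is evaluated first and cannot be bypassed by holding a broader role.
    """
    if employee_id in subject.blocked_employees:
        decision = AccessDecision(False, "individual has blocked this employee")
    elif role not in ROLE_SECTIONS:
        decision = AccessDecision(False, f"unknown role {role!r}")
    elif section not in ROLE_SECTIONS[role]:
        decision = AccessDecision(False, f"section {section!r} is outside role {role!r}")
    else:
        decision = AccessDecision(True, "within role scope")

    # Log granted and refused requests alike; refusals feed the oversight items later on.
    audit_log.append({
        "employee": employee_id,
        "role": role,
        "subject": subject.subject_id,
        "section": section,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


if __name__ == "__main__":
    log = []
    # Constructed subject who has asked that employee E17 not see their file.
    person = SubjectRecord("S001", blocked_employees={"E17"})
    print(decide_access("E05", "billing_clerk", person, "billing", log))   # allowed
    print(decide_access("E05", "billing_clerk", person, "clinical", log))  # refused: outside role
    print(decide_access("E17", "clinician", person, "clinical", log))      # refused: blocked
    for entry in log:
        print(entry)
```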
- Have access logs and/or other oversight tools in place
In general, inappropriate access may not be immediately visible. Incidents may come to light over time, or as the result of a complaint from an individual. Having access logs or other oversight tools in place allows an organization to investigate allegations of employee snooping by reviewing those logs after the fact to confirm or refute the allegation. Making employees aware that these oversight measures exist also plays a key role in deterrence: if employees realize that there is a high likelihood of being caught, the likelihood that they engage in snooping in the first place is dramatically reduced.
- Proactively monitor and/or audit your access logs and other oversight tools
Beyond using access logs to reactively investigate alleged incidents, it is important that organizations have proactive measures in place to monitor and/or audit for undetected employee snooping. Such measures are essential safeguards to detect and deter unauthorized access by employees, and are particularly crucial for organizations that, for customer service or other reasons, must permit employees broad access to customer/client information. This can take the form of regular audits of all employees or, where an organization is quite large, random audits. Further, as described above, to maximise deterrence employees should be made aware that these proactive steps will take place. Without the potential for proactive detection, incidents of employee snooping could continue indefinitely without the knowledge of the affected individual, or even the organization.
- Understand “normal” access, to better detect inappropriate access
An employee has accessed the personal information of a particular person 10 times in one week, or once a week for a year. Another has accessed 900 different files once each, over a two-year period. Is either of these behaviours indicative of a problem? Organizations should understand baseline access patterns for various roles, in order to better detect anomalous access. Alerts can then be set up to notify the organization of potentially problematic behaviour.
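An added example, not from the OPC guidance, of what "understanding normal access" can look like in code: a Python check that runs the two patterns described above over a constructed access log and compares each employee against a per-role baseline. The log line format, role names, employee and subject identifiers, and the baseline thresholds are all assumptions made for this example; an organization would derive its thresholds from its own access history. Under these constructed thresholds the first pattern (10 accesses to one person within a week) is flagged, while the second (900 files once each over two years) stays within baseline, which illustrates why the answer to the question above depends on what is normal for the role.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed per-role baselines (hypothetical values; a real deployment derives them
# from historical logs for each role).
ROLE_BASELINE = {
    "billing_clerk": {"distinct_subjects_30d": 150, "hits_per_subject_7d": 4},
    "clinician":     {"distinct_subjects_30d": 60,  "hits_per_subject_7d": 6},
}


def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> emp=<id> role=<role> subject=<id>'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "emp": fields["emp"],
            "role": fields["role"], "subject": fields["subject"]}


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def max_distinct_in_window(events, window):
    """Largest number of distinct subjects touched inside any span of length `window`."""
    ev = sorted(events, key=lambda e: e["ts"])
    counts, best, lo = Counter(), 0, 0
    for hi, e in enumerate(ev):
        counts[e["subject"]] += 1
        while ev[hi]["ts"] - ev[lo]["ts"] > window:  # drop events that fell out of the window
            old = ev[lo]["subject"]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def detect_anomalies(lines, baselines=ROLE_BASELINE):
    """Return {employee_id: [reasons]} for employees whose access exceeds their role baseline."""
    by_emp = defaultdict(list)
    for e in map(parse_line, lines):
        by_emp[e["emp"]].append(e)
    findings = {}
    for emp, evs in by_emp.items():
        role = evs[0]["role"]  # assumes one role per employee in the log
        base = baselines.get(role)
        reasons = []
        if base is None:
            reasons.append(f"no baseline defined for role {role!r}")
        else:
            per_subject = defaultdict(list)
            for e in evs:
                per_subject[e["subject"]].append(e["ts"])
            for subj, stamps in per_subject.items():
                hits = max_in_window(stamps, timedelta(days=7))
                if hits > base["hits_per_subject_7d"]:
                    reasons.append(f"{hits} accesses to {subj} within 7 days "
                                   f"(role baseline {base['hits_per_subject_7d']})")
            distinct = max_distinct_in_window(evs, timedelta(days=30))
            if distinct > base["distinct_subjects_30d"]:
                reasons.append(f"{distinct} distinct subjects within 30 days "
                               f"(role baseline {base['distinct_subjects_30d']})")
        if reasons:
            findings[emp] = reasons
    return findings


def constructed_log():
    """Build a constructed access log covering the patterns discussed in the text."""
    start = datetime(2024, 3, 4, 9, 0)
    fmt = "{ts} emp={emp} role={role} subject={subj}"
    lines = []
    # E17: 10 reads of the same person within one week.
    for i in range(10):
        lines.append(fmt.format(ts=(start + timedelta(hours=12 * i)).isoformat(),
                                emp="E17", role="billing_clerk", subj="S001"))
    # E22: 75 different subjects inside one month, above a clinician's constructed baseline.
    for i in range(75):
        lines.append(fmt.format(ts=(start + timedelta(hours=8 * i)).isoformat(),
                                emp="E22", role="clinician", subj=f"S{100 + i:03d}"))
    # E05: ordinary workload, 20 subjects read twice each over 20 days.
    for i in range(20):
        for r in range(2):
            lines.append(fmt.format(ts=(start + timedelta(days=i, hours=r)).isoformat(),
                                    emp="E05", role="billing_clerk", subj=f"S{300 + i}"))
    # E31: 900 different files once each, spread over roughly two years.
    for i in range(900):
        lines.append(fmt.format(ts=(start + timedelta(hours=19.5 * i)).isoformat(),
                                emp="E31", role="billing_clerk", subj=f"S{1000 + i}"))
    return lines


if __name__ == "__main__":
    for emp, reasons in detect_anomalies(constructed_log()).items():
        print(emp, "->", "; ".join(reasons))
```

The two sliding-window helpers are the substance of the check: one counts repeat reads of a single person, the other counts breadth of access, and both are compared to the role's baseline rather than to a fixed number, which is what separates a clinician legitimately seeing many patients from a clerk repeatedly opening one file.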
- Investigate all reports of employee snooping
Due to their potential seriousness, allegations of employee snooping must be taken seriously. When our Office becomes aware of a snooping incident, we will expect a respondent organization to be able to demonstrate that it has undertaken a thorough and timely investigation of any substantive allegations and, where warranted, taken appropriate steps to address the unauthorized access by an employee, mitigate current or future harms to the individual, and reduce the likelihood of recurrence (potentially including revising policies, strengthening safeguards, increasing monitoring, or similar measures).
- Where proactive measures fail, respond appropriately
There are circumstances in which no reasonable proactive measures would have been able to prevent or detect an employee snooping incident. In those instances, it is important that the organization respond appropriately. This can include, but is not limited to, appropriate consequences for the snooper (which may include disciplinary action), notification to the OPC, and notification to the affected individual (including sufficient information, such as duration and scope of access, to allow an individual to take appropriate steps to mitigate any potential impacts of the incident).
“By taking the appropriate steps to address this risk, including the adoption of the practices outlined above, organizations can go a long way in advancing their reputation as a privacy-conscious business, and more importantly, protect their valued customers’ information, with which they have been entrusted,” the report from the OPC said.