Snooping: When Will People Learn?
Before being appointed Commissioner, my reading, studying and listening to the media caused me to really be concerned about staff snooping into personal information (PI) or personal health information (PHI) when there was no need to be looking. Before being appointed, I attended a conference where a speaker on security said the greatest problem for organizations is from within. Reviewing cases since and looking at media reports from across Canada and North America, I have come to the conclusion that we have a problem that just does not seem to go away. I am asked what the reasons are; and they can be curiosity, boredom, checking on an ex-spouse or girlfriend, or family member. All of these reasons are unacceptable. There is only one reason for accessing my PI or PHI; that is, you need to in order to do your job and to provide the client with service or the patient with care.
I am asked what should be the consequences for snooping. Because of the frequency of such events, I believe CEO’s should consider thinking about making the consequences more serious. Firing should be an option but I accept that it is not applicable in all circumstances. A suspension for a period of time should definitely be considered. If the snooping involved an electronic system, suspension of access to that system for a period of time is essential. Once the snooper is allowed back on the system, there should be monitoring for one or two years.
I am also asked what employers should do when they discover a case of snooping. First, CEO’s should be angry that an employee has breached a very basic rule of their corporate culture. Second, they need to launch an internal investigation quickly, sometimes done by someone outside of the organization. They should authorize, as soon as possible, a letter being sent to each client/patient, indicating that their PI or PHI has been accessed and that an investigation has begun. Later, they should advise those affected that disciplinary action has been taken, indicating the exact discipline. There are sections in the acts and regulations which will support the release of the details of the discipline.
Further, employers should insist on annual access and privacy training for all staff. This training can be as simple as a 15 or 20 minute online course. Employees should be asked to sign confidentiality agreements at the beginning of employment and possibly periodically.
In the past, there may have been a culture that it was okay to look up someone’s PI or PHI, but since 1992 and 1993, the legislation changed that. It is necessary for the culture in public bodies to catch up to the legislation. I hope that happens sooner rather than later.