Municipal employees often have access to large volumes of sensitive personal information. In some circumstances, employees may be tempted to “snoop” through that information for reasons unrelated to their jobs. Here’s what you can do to mitigate the risk of that happening.
You have a duty to protect the personal information of residents from unauthorized access and misuse. Some of your employees may be tempted to snoop for a variety of reasons – it could be mere curiosity, the potential to profit from someone’s personal information or to cause harm to that person.
You should have clear privacy policies, regular training for staff and enforcement measures in place to discourage snooping. The following provides an overview of recent guidance published by the Office of the Information and Privacy Commissioner for Nova Scotia, which offers tips for municipalities to combat snooping.
Privacy policies and procedures
Comprehensive privacy policies and procedures will help ensure your employees understand the consequences for snooping – but these documents can only do so much if you don’t have a privacy officer with adequate resources to educate staff and monitor for compliance.
Regularly reminding employees of their privacy obligations can help reduce the likelihood of snooping. If you don’t have a privacy officer or you lack internal resources to educate your staff on snooping, external counsel can help develop your privacy management program.
Regular reminders
Privacy training is typically part of the onboarding process for new employees – but a one-off training session may not be enough to keep snooping at bay. Consider implementing annual training sessions.
You may also consider “just-in-time” reminders, such as pop-up warnings on a computer screen, to discourage snooping. If an employee is about to access personal information they don’t need to perform their job, these reminders may make them think twice.
Consequences for snooping
Employees need to know that you’re monitoring them and there will be repercussions for snooping, including possible discipline, which should be reviewed and carried out in consultation with your labour and employment counsel. Having your staff sign confidentiality agreements that explain the consequences of snooping can help reduce unauthorized access to personal information.
Restrict access to personal information
Employees should only have access to the personal information they need to do their jobs. If an employee doesn’t require highly sensitive personal information to perform their day-to-day duties, they shouldn’t have the ability to access it.
You should have documented processes for granting and revoking access to personal information, as well as physical, administrative and technological safeguards in place to protect personal information. For example, lock physical records in cabinets and use restricted access permissions for digital records.
Block access when necessary
Individuals may request that you block specific employees from accessing their personal information. This may happen if the individual is a former partner, family member or colleague of the employee in question. You should have policies in place to accommodate these requests.
Maintain access logs
You may not be aware of snooping incidents when they occur. That’s why you need access logs that tell you when your employees accessed personal information. These logs should be monitored regularly. You should also regularly audit employees’ access to personal information. To discourage snooping, employees should be made aware of these measures.
Investigate reports of snooping
If one of your employees is accused of snooping, their access to personal information should be suspended while you conduct a thorough and timely investigation.
If you find that the employee was snooping, they should face consequences, including possible discipline, in accordance with your privacy management program and in consultation with counsel. You should take steps to mitigate current or future harm to the individual(s) whose information was accessed. You should consider measures to reduce the likelihood of snooping in the future, such as revising your privacy policy, increasing your monitoring of access logs and/or strengthening your safeguards.
You may also be required to notify your privacy commissioner and the individuals whose information was accessed, giving those individuals enough details to allow them to take the necessary steps to mitigate potential harm. You may wish to consult with legal counsel to determine your obligations.
If you need assistance with your privacy management program – whether it be drafting privacy policies, training staff or monitoring for and responding to cases of snooping – the MLT Aikins Privacy, Data Protection & Cybersecurity team has wide-ranging experience advising municipalities on their privacy law obligations. Contact us to learn more.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.