Employee Browsing: Curiosity Isn’t Always Harmless

Employee browsing, the unauthorised access to and misuse of personal information by staff, is one of the most common privacy breaches according to the Privacy Commissioner. Whether it’s curiosity, misplaced helpfulness, or something more malicious, unauthorised access to personal information continues to crop up in headlines. But what’s surprising? Despite how often it happens, the Privacy Commissioner says it’s “one of the least understood or reported on” under the Privacy Act.

For a breach to be notifiable, simple unauthorised access (e.g. access without a business purpose) is enough. The employee doesn’t have to have gone on to use or share the information they have seen. When considering the harm to the individual concerned, it is therefore important to consider not only what the employee has done or will do with the information they have seen, but also the impact on the individual of knowing that someone has looked at their account without a business reason.

Managing employee browsing requires a multi-pronged approach to controls, because you can’t simply remove access for all employees: they would be unable to do their jobs. A strong employee browsing strategy uses a mix of tech, policy, and culture. Tech solutions alone will not adequately manage employee browsing.

  • Regularly reminding employees that access to information is for official work purposes only.

  • Only giving employees access to the information they need for their work. For example, can you automatically open the record for the customer who is calling and remove the ability to search for records?

  • Requiring employees to justify their access at the time of access. For example, requiring them to put in a note about why they accessed a file, or to select a reason from a drop-down.

  • Regularly checking how often employees access information and following up on any unusual activity. For example, checking for access to customers with the same surname as the employee.

  • Flagging high risk customer files and auditing access to the file regularly.

  • Identifying employees who are accessing more customer files than their peers with a similar role and reviewing the access.

  • Conducting random audits comparing an employee’s database access with the customers they’ve worked with in a given timeframe.
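Three of the monitoring checks above (same-surname access, peer comparison, and comparing database access against assigned customers) as an added example that is not part of the original post. The employees, roles, assignments, access records and the 2× median threshold are all constructed assumptions, not any real organisation’s data or schema.

```python
"""Employee-browsing detection checks run over a constructed access log."""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample data (assumed schema): employee -> (surname, role),
# employee -> customers they were assigned in the period, and the access log.
EMPLOYEES = {"e1": ("Smith", "support"), "e2": ("Jones", "support"),
             "e3": ("Lee", "support"), "e4": ("Khan", "billing")}
ASSIGNED = {"e1": {"c1", "c2"}, "e2": {"c3"}, "e3": {"c4", "c5", "c6"}, "e4": {"c7"}}
ACCESS_LOG = [  # (employee_id, customer_id, customer_surname)
    ("e1", "c1", "Brown"), ("e1", "c2", "Green"), ("e1", "c9", "Smith"),
    ("e2", "c3", "White"),
    ("e3", "c4", "Black"), ("e3", "c5", "Gray"), ("e3", "c6", "Blue"),
    ("e3", "c8", "Pink"), ("e3", "c10", "Red"), ("e3", "c11", "Gold"),
    ("e3", "c12", "Teal"), ("e3", "c13", "Navy"),
    ("e4", "c7", "Plum"),
]


def same_surname_accesses(log, employees):
    """Accesses where the customer's surname matches the employee's own."""
    return [(emp, cust) for emp, cust, surname in log
            if surname.lower() == employees[emp][0].lower()]


def peer_outliers(log, employees, factor=2.0):
    """Employees opening more than `factor` times the median for their role.

    Roles with a single member are skipped: there is no peer to compare against.
    """
    counts = Counter(emp for emp, _, _ in log)
    by_role = defaultdict(list)
    for emp, (_, role) in employees.items():
        by_role[role].append(counts.get(emp, 0))
    return sorted(emp for emp, (_, role) in employees.items()
                  if len(by_role[role]) > 1
                  and counts.get(emp, 0) > factor * median(by_role[role]))


def unassigned_accesses(log, assigned):
    """Accesses to customers the employee was not assigned to in the period."""
    return sorted({(emp, cust) for emp, cust, _ in log
                   if cust not in assigned.get(emp, set())})


if __name__ == "__main__":
    print("same surname:", same_surname_accesses(ACCESS_LOG, EMPLOYEES))
    print("peer outliers:", peer_outliers(ACCESS_LOG, EMPLOYEES))
    print("unassigned:", unassigned_accesses(ACCESS_LOG, ASSIGNED))
```

Each flagged pair is a lead for follow-up review, not proof of misuse; the employee may have a legitimate reason the assignment data does not capture.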

Employee browsing isn’t just a privacy issue. It’s a people and culture one. Let’s treat it that way.
