For every organization, the data in its possession is one of its most valuable assets. The ever-increasing number of class action lawsuits and media attention due to data breaches have made organizations more vigilant. Organizations today are highly focused on data security and privacy. They dedicate lots of resources to protect their data against external threats. However, most organizations often overlook insider threats, which can be the most dangerous of all. One of the biggest internal threats manifests in the form of employee snooping.
Every organization collects a huge amount of information about its customers, employees, and suppliers. It can be quite tempting for employees to access this information regardless of their purpose.
In a number of cases, employee snooping made it to the headlines in the news. Employee snooping is often witnessed in hospitals, where employees can be seen snooping on celebrities. For example, a health care professional was caught snooping on Ontario’s mayor, Rob Ford.
What is Employee Snooping?
Employee snooping refers to the act of employees gaining unauthorized access to data or information that is not relevant to their job. Most of the time, such cases involve employees seeking access to confidential business information belonging to the organization or to the personal information of other employees. Even if an employee is ‘just looking’ at personal information, it is considered a privacy breach.
Is Employee Snooping Legal?
From the legal perspective, employee snooping can be divided into two categories. The first is when an employee snoops on other employees and the second is when the employer snoops on the employees.
Snooping done by an employer is regulated and authorized under the Electronic Communications Privacy Act of 1986. This act authorizes organizations to monitor their employees’ communication or activities under certain circumstances.
On the other hand, the act of an employee snooping on other employees is illegal and is considered a breach of privacy. Based on the extent of the actions, several laws and regulations can convict the employee in question and sentence appropriate punishment.
Laws and Regulations to Prevent Employee Snooping
Different countries have different laws and regulations associated with employee snooping and data privacy. These laws ensure that employees don’t attempt to access any private or sensitive information without authorization. Many laws and regulations also enforce a regulatory framework for organizations and employers to store personal information and monitor their employees. Some of the major laws, regulations and frameworks related to this issue include:
Data Protection Law
It is a legal framework that defines the mechanisms for protecting an individual’s personal information in order to preserve his/her autonomy. The main objective of this law is to build trust between organizations and their employees by setting out the obligations that apply when personal data is processed.
Duty of Trust and Confidence
It is a regulatory framework in Australia that establishes mutual trust and confidence between organizations and their employees. The framework’s intent is to ensure that employers or organizations do not carry out any snooping or monitoring activities unless they are genuinely required. Any monitoring that is carried out must be done in a way that maintains employees’ confidence.
ICO Employment Practices Code
This code is issued by the Information Commissioner’s Office (ICO) in the United Kingdom in accordance with the Data Protection Act 2018. It is designed to put the data protection act into practice within organizations and makes sure that there is a legitimate reason for acquiring every piece of information from employees.
Personal Information Protection and Electronic Documents Act (PIPEDA)
According to this act, every Canadian organization must enforce and implement physical, technological, and organizational tools to safeguard personal information. These organizational safeguards restrict access to personal information and implement privacy training for employees.
Healthcare Information Act (HIA)
It is a legislated framework in Canada that ensures that all the information associated with the healthcare domain must be strictly protected and kept confidential. Section 107(2)(b) of the act defines the punishment for unauthorized access by employees. Upon conviction, the guilty employee can get probation, a fine, and community service.
Framework for Addressing Employee Snooping
To prevent employee snooping, an organization should adopt an effective privacy and security framework. Here is an example of a framework you can enforce.
Educate
- An organization must nurture the environment of privacy as a culture.
- It must carry out regular training and guidance on policies related to snooping.
- Every employee must be well-informed about the consequences of snooping.
Protect
- An organization should have a written policy and sanctions to prevent snooping and a response mechanism if it occurs.
- Every organization must be careful about managing access restrictions on information about employees. Access should be granted only to information that is relevant to the particular employee’s role.
- Senior management executives and higher-ranking officials of the organization must be empowered to restrict access or block particular information whenever necessary.
- Every organization must make sure that the personal information of employees is secured and inaccessible to other employees.
- An organization must maintain an access log to keep a record of every piece of information or file accessed by each employee.
Monitor
- An organization should proactively employ monitoring tools. They should audit the access logs and other services that are involved in oversight.
- The organization can assign a unique user ID to every employee and tie that ID to every file that is accessed, so that each access is attributable to a specific individual.
- It must define what ‘normal’ access looks like so that deviations from it can be detected as potential unauthorized access.
Respond
- Organizations must carry out investigations into reports that indicate the occurrence of employee snooping.
- When the proactive approach doesn’t work, the organization must choose an appropriate alternative response.
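The Protect and Monitor steps above come together in the access log: once each view is attributed to a unique user ID and ‘normal’ access is defined (here as an assignment table of which records each user may legitimately view), snooping candidates can be pulled out for investigation. The following is an added illustration, not code from the original article or from any product it mentions; the log entries, user IDs, record names and assignment table are all constructed.

```python
"""Flag record accesses that fall outside a user's assigned scope."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    ts: str       # timestamp of the view
    user: str     # unique user ID, so every access is attributable
    record: str   # record or file identifier
    owner: str    # who the record is about (patient or employee ID)


# Constructed sample access log (not real data).
SAMPLE_LOG = [
    Access("2022-01-27T09:01", "nurse01", "chart-P1", "P1"),
    Access("2022-01-27T09:05", "nurse01", "chart-P2", "P2"),
    Access("2022-01-27T09:09", "nurse01", "chart-VIP7", "VIP7"),      # not on her list
    Access("2022-01-27T10:00", "clerk02", "hr-nurse01", "nurse01"),   # colleague's HR file
    Access("2022-01-27T10:30", "clerk02", "hr-clerk02", "clerk02"),   # own HR file: normal
    Access("2022-01-27T11:00", "admin03", "chart-P3", "P3"),
]

# Constructed definition of 'normal' access: record owners each user may view.
ASSIGNMENTS = {"nurse01": {"P1", "P2"}, "clerk02": set(), "admin03": {"P3"}}
# Records under extra scrutiny (e.g. public figures), as in the hospital cases above.
FLAGGED_OWNERS = {"VIP7"}


def classify(access, assignments=ASSIGNMENTS, flagged=FLAGGED_OWNERS):
    """Return None for normal access, otherwise a short reason for review."""
    if access.owner == access.user:
        return None                      # looking at your own file is allowed here
    if access.owner in assignments.get(access.user, set()):
        return None                      # within the user's assigned scope
    if access.owner in flagged:
        return "flagged record outside assignment"
    if access.record.startswith("hr-"):
        return "another employee's HR file"
    return "record outside assignment"


def review_queue(log=SAMPLE_LOG):
    """(user, record, reason) for every access that needs investigation."""
    return [(a.user, a.record, r) for a in log if (r := classify(a))]


def suspicious_count_by_user(log=SAMPLE_LOG):
    """How many flagged accesses each user has, to prioritise the Respond step."""
    return Counter(user for user, _, _ in review_queue(log))
```

In a real deployment the assignment table would be derived from rostering or care-team data rather than hard-coded, and the review queue would feed the investigation process described under Respond.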
Workplace Monitoring is Essential!
Employee snooping is a growing issue that can be catastrophic not only for an organization but also for everyone associated with it. Beyond traditional methods like CCTV, an organization must carefully implement tools and services to prevent snooping. Tools are available that can help you manage access to sensitive information and keep an eye on what information is being accessed, and by whom.
Every organization can conduct security awareness training for employees to make sure they have the knowledge they need to secure their personal information. You can make use of security awareness tools like TSAT to generate awareness amongst employees and train them in the basics of data security and privacy.
Originally published at https://www.kratikal.com on January 27, 2022.