Unauthorised employee browsing, or snooping on private personal information of the public is a growing problem in New Zealand workplaces, according to the Privacy Commissioner.
Cyber hacks involving personal health information have hit the headlines this year, but Privacy Commissioner Michael Webster told Nine to Noon, 25 percent of reported privacy breaches now related to employee snooping and he believed the actual incidence was under-reported.
Webster said the reports he heard ranged from "pretty creepy" to even criminal unauthorised access to information.
In the past he said he had been informed of a customer in a department store who gave her address for delivery being contacted by the delivery person asking if she was single and a health professional sending inappropriate messages to a young female patient, after she came in for treatment, asking about the clothes she had been wearing.
"This is just not on behaviour - it's creepy, it's serious, it's harassment and it's not what people want to see happening from the organisations they deal with."
He told Nine to Noon, he had also seen an increase in people being encouraged, coerced, bribed, blackmailed or threatened to access and misuse personal information an organisation holds.
"So an insurance company or bank for example, holds a lot of information about people's assets... and you can guarantee increasingly in New Zealand that your employees and your databases will one day become a target for organised crime and the pressure will come on your employees who do have access to those databases."
Many larger organisations had their own guidelines about the misuse of databases. Webster said for example, there was a recent case within the police of an officer accessing its database for dishonest purposes, which Webster said had led to police issuing their own additional guidance to staff around unauthorised access and employee browsing.
When a breach was found by a company it was reported to his office, but not every organisation had systems in place around unauthorised browsing and it was likely he did not know the true extent of what was going on.
Organisations should have steps in place, he said, including staff induction and training, systems to stop unauthorised access and to sense it happening along with audit systems that could go back and check for any.
"I can see that we're getting an increase in reporting and while that is not good in one sense, it shows organisations are identifying this sort of browsing taking place."
Webster said a serious privacy breach must be reported by an organisation to his office within 72 hours of discovery. Organisations also had an obligation to tell those affected by the breach.
It was beneficial for businesses to have systems in place to stop breaches, Webster said as they did not want to lose the trust and confidence of customers.



