B.C. snooping scandal puts workplace privacy – and employer liability – under microscope

‘It’s actually a fairly common problem’: privacy lawyer explains when ‘just looking’ at records becomes legal, reputational minefield for employers


The recent finding by British Columbia’s information and privacy commissioner that 36 healthcare workers improperly accessed the records of Lapu Lapu Day patients – with 71 separate “snooping” incidents across four health authorities – shows how quickly curiosity can turn into a serious breach. 

According to Lyndsay Wasser, partner and cochair of privacy and data protection at McMillan, employee snooping is not a niche issue confined to high-profile scandals. It is, in her words, “actually a fairly common problem.” 

For employers, the case highlights that both tribunals and courts will distinguish between legitimate access for patient or employee care and illegitimate access for curiosity, personal disputes or other unauthorized purposes. 

As Wasser explains, the same core legal and reputational risks arise whether the affected records are banking transactions, medical charts or HR files – and remedies will be applied regardless of employee intent.  

Authorized access, unauthorized purpose 

Wasser explains that a core issue is that organizations still are not clear enough about when employees may access personal information, even in environments where privacy is a core aspect of work. In many workplaces, the same systems that let staff do their jobs also make it easy to look into files that have nothing to do with their role, “when employees, for example, want to understand why someone's out of the office, or people look at each other's compensation information,” Wasser says.  

“Sometimes it's really innocuous, like ‘I want to send this person a birthday card or a present. I'm just going to look up their home address’.” 

She notes that, while healthcare workers should already know the rules because of the sensitivity of health information and specific health privacy legislation, that is not always true elsewhere; employers often rely on common sense instead of spelling out limits on access, and that leaves room for employees to make their own judgment calls. 

Discipline, trust and cause for termination 

When snooping is uncovered, employers face difficult decisions about discipline, including whether the conduct justifies termination for cause. Wasser says there is no one-size-fits-all answer and employers need to look at the specifics in each case.   

“Whenever you're talking about the level of discipline, you have to look at the facts of the situation, all of the surrounding factors,” Wasser says, pointing to knowledge, sensitivity of the data and position of trust as key variables that HR should consider and document.

“That's where policies and trainings can come into play, because if you've got the policies and you've brought them to people's attention and you've given training, then they do know that what they're doing is wrong,” she explains. 

“And if the conduct is very serious, if they're accessing very sensitive information for a purpose that's clearly not why they are provided with access … especially if they're in a position of trust, the seriousness of that misconduct could justify termination or a more serious level of discipline.” 

Policies, training and monitoring 

For employers, preventing snooping starts with clarity, Wasser says, explaining that a recurring employee misunderstanding is that innocent intentions will shield them from serious consequences for digging into their colleagues’ files. 

That means reviewing privacy and confidentiality policies, to ensure they spell out limits, give examples of breaches and clearly connect violations to discipline. 

“Employees may believe that their motivation is relevant, so they may say, ‘Well, I wasn't planning to harm the individual’ or ‘I wasn't planning to disclose the information to third parties,’” she says. 

“If you've not been clear about the fact that employees should not access personal information for any purpose other than to perform their job duties, then it may be harder to justify discipline, especially severe discipline. … you'll want to have language in your policy, saying that breach of this policy can or will result in discipline, up to and including termination of employment.” 

Monitoring tools can also play a role in detecting and deterring snooping, she adds, but they carry their own privacy risks and compliance requirements. 

“There are privacy laws in some jurisdictions that do have requirements and rules around electronic monitoring, that they should take into account when they're deciding what tools to deploy,” she says. 

“Constant invasive surveillance is something that can give rise to privacy issues, but on the other hand, there is a recognized need and legitimacy to monitoring for breaches of policy or unlawful behavior. So there's a line there that employers should make sure they understand.” 
