Manitoba Ombudsman has released Ten Tips for Addressing Employee Snooping, a guidance document for public bodies and trustees subject to the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Health Information Act (PHIA).
Organizations have obligations under FIPPA and PHIA to protect personal and personal health information from unauthorized use or disclosure. Access to, or viewing of, such information is considered a “use” of the information, and should only occur when employees need to access the information for legitimate work-related purposes. Access for personal reasons is generally referred to as employee snooping.
The guidance document provides the following tips to prevent, detect and respond to snooping:
- Foster a culture of privacy
- Have periodic and/or “just-in-time” training and reminders of policies around snooping
- Ensure employees know that consequences will be enforced
- Ensure access is restricted to information required to perform the job
- Develop measures to enable blocking of employee access to a specific individual’s information
- Have access logs and/or other oversight tools in place
- Proactively monitor and/or audit access logs and other oversight tools
- Understand “normal” access, to better detect inappropriate access
- Investigate all reports of employee snooping
- Where proactive measures fail, respond appropriately
Source: Manitoba Ombudsman, Canada.