Privacy Obligations for Organizations and Employee Snooping

Under PIPEDA, organizations are accountable for the actions of its employees who access personal information without authorization.

The issue of "employee snooping," which is when employees access personal information without authorization and without a legitimate purpose, is currently top of mind with the Office of the Privacy Commissioner of Canada (the OPC). Recent employee snooping incidents at Canadian banks in which customer account information was inappropriately accessed by employees have compelled the OPC to issue a guidance document on how organizations can prevent and address employee snooping.1

What You Need To Know

While employee snooping may represent the actions of an employee for his or her own purposes, the OPC considers the organization to be accountable to protect personal information from unauthorized use or disclosure. In the recent incidents referenced above, the OPC found the banks to be in contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA).

Therefore, organizations should be mindful of their responsibilities under PIPEDA to protect personal information from unauthorized use or disclosure. In addition, employee snooping could potentially expose organizations to the expanding scope of privacy-related common-law torts (see our bulletin, "Ontario Court Recognizes Another New Privacy Tort").

The OPC suggests that organizations follow the following tips to prevent and address employee snooping:

  1. Educate: Organizations should integrate privacy as part of their corporate culture by developing comprehensive privacy policies, conducting periodic training of employees, and empowering privacy officers with a mandate to educate, monitor and enforce both privacy policy compliance and the consequences arising from any snooping incidents.
  2. Protect: Employee access to personal information should be restricted to information that is required to perform one's duties. Organizations should also put in place oversight tools in order to easily investigate any allegations of employee snooping.
  3. Monitor: A proactive approach should be taken in monitoring an organization's oversight tools, which may include the use of software applications that will trigger an alert when an electronic record of a customer's personal information is being viewed by an employee. Another possible option is a periodic spot-check of video surveillance recordings of those areas in which personal information is stored. Periodic audits may also be carried out to identify any undetected incidents of employee snooping.
  4. Respond: The OPC expects organizations to have the capacity to respond appropriately to all incidents of employee snooping, including undertaking a thorough and timely investigation into any substantive employee snooping allegations, and notifying the affected individual and the OPC. In combination with a thorough monitoring program, consistent employee disciplinary action in response to a snooping incident will help deter future incidents from occurring, as employees may realize that there is a high likelihood of being caught.
  5. _________________________

    1 Available at: https://www.priv.gc.ca/resource/fs-fi/02_05_d_65_tips_e.asp.

To discuss these issues, please contact the author(s).

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2017 by Torys LLP.
All rights reserved.