In a digitized world, it can be all too easy for unauthorized employees to access confidential information in the workplace, as recent breaches at the Saskatchewan Cancer Agency  and some Ontario hospitals have shown.  Employers should be prepared to take appropriate disciplinary action against employees who snoop into personal  information.  In some instances, termination of employment may be appropriate. To minimize liability for wrongful dismissal claims, employers should take careful steps to prevent snooping in the first place and be ready to investigate and discipline employees appropriately if an incident occurs.

Privacy Commissioner:  Consider Firing Employees with Prying Eyes

Employers will welcome the comments of Saskatchewan Privacy Commissioner Ron Kruzeniski, who recently took a strong stance against snooping workers, after two employees at the Saskatchewan Cancer Agency were disciplined for prying into the health records of 48 people.  Health information should only be accessed by staff caring for patients, and even then, only on a need-to-know basis.  The agency learned of the breaches in May and conducted an investigation.  The employees were asked why they had looked at the records, but no explanations were forthcoming.

“In extreme cases, I think the firing option should be considered” when an employee pokes their nose where it doesn’t belong, Kruzeniski said.  He noted, however, that the “circumstances of each case are also very relevant”.  For example, unintentional access may occur when names are mis-typed.

An Ounce of Prevention

Cyber-snooping should be taken seriously, and termination of employment may indeed be appropriate in serious cases.   To minimize liability for wrongful dismissal claims, employers should take careful steps to prevent snooping in the first place and be ready to investigate and discipline employees appropriately if an incident occurs.  By making it clear that snooping will not be tolerated, an employer may both decrease the incidence of snooping and strengthen their case for appropriate employee discipline if the rules are broken.

Consider taking the following steps:

  1. Set the boundaries. Create workplace policies and rules that clearly explain the circumstances in which private or sensitive information may be accessed, and by which employees.  Provide training, including refreshers at appropriate intervals, to ensure that employees know how to follow the rules.
  2. Build practical barriers. Don’t make it easy to access private records:  consider deploying password protection, minimal access  or a system that records each time sensitive data is accessed and by whom – or a combination of all three.
  3. Explain the consequences. Courts will be less likely to deem discipline, including termination of employment, to be excessive if employees are clearly put on notice of potential consequences before they decide to snoop.  Policies should include a clear statement of the disciplinary action that will be taken against rule-breakers.
  4. Get it in writing. If the policy is properly incorporated into the employment agreement, it may be possible to discipline or terminate an employee for breaching the policy.
  5. Stick to your guns. Turning a blind eye to “minor” snooping may be fatal to an employer’s case for discipline, especially termination for just cause, if behaviour escalates.  Be sure to apply policies consistently and fairly.
  6. Investigate fairly. Jumping to conclusions will increase potential liability for wrongful dismissal, defamation and other potential claims.  Ensure that employees have an opportunity to explain their actions.
  7. Discipline proportionately. Termination of employment may be appropriate in certain circumstances but should not be done precipitously.  Employers may also consider ending employment of non-union employees without cause (as long as the termination is not connected to a ground protected under human rights legislation) by providing notice or pay in lieu of notice as required under the terms of employment.

Snooping can occur for reasons ranging from the sinister to the mundane, including garden-variety curiosity or boredom.  Regardless of the employee’s motivation, employers should be ready to deal with snoops fairly and decisively. This is particularly true now, as recent amendments to Canada’s privacy legislation (which we wrote about here) have introduced a requirement to document breaches of security safeguards, mandatory notification of breaches and the potential for significant fines.