For some positions, client information is at our fingertips and often just a keystroke or mouse click away.
This was the position that a NSW Police Constable was in when he used the NSW Police database system to look up the police record of a woman he was flirting with earlier this year.
The Police Constable had met the woman on eHarmony and exchanged text messages with her, one of which jokingly stated that he would “check and make sure” that she was the “cleanskin” she had claimed to be. The Police Constable later texted the woman teasing about her speeding fines and noting that she had some domestic violence matters recorded.
An investigation by the NSW Police Professional Standards Command later discovered that the NSW Police Constable had accessed the records. He was charged and earlier this month pleaded guilty to accessing restricted data held in a computer.
It is not only in law enforcement where the risk of breaching a person’s privacy (by accessing confidential information) arises. The risk will arise wherever any personal information is collected: consider for example, a nurse or medical receptionist who has access to medical records (for example, checking medical history), or a bank teller who can access customer bank records (for example the assets / debts of a potential partner). There is also the potential for employees who have access to this information to use it for their own purpose / financial gain (e.g. fraudulent transactions and/or selling customer information).
What are the privacy obligations on businesses?
In Australia there are actually many legislative sources of confidentiality, the most obvious being the Privacy Act 1988 (Cth). That Act sets out Australian Privacy Principles (APPs) which apply to Australian government agencies, businesses and organisations with an annual turnover of more than $3 million and private health service providers. The 13 APPs cover the management, collection and use of personal information.
Under the Act, personal information must only be used for the purpose it was collected for and must not be used or disclosed for another purpose without consent (and subject to other exceptions). Obviously, information on a police database would not have been collected for the purpose of permitting background checking of a “Tinder match”.
Importantly, under the Act businesses also have an obligation that the personal information is kept secure and protected from misuse or unauthorised access and disclosure.
How can businesses keep client information confidential and prevent or limit unauthorised access by employees to this information?
In the scenario discussed above, the NSW Police Force database had a clear message upon logging in, that the information was confidential, was not to be disclosed to unauthorised persons and not to be accessed for personal reasons.
It is recommended that businesses have a privacy policy that clearly reminds the person accessing that information is personal in nature and must not be misused (i.e. for personal use) and only to be accessed with authorisation (i.e. looking up health records not as a course of normal duties).
Employees should also be trained that personal information is “private and confidential” and on their obligations when handling or using such information.
Information provided in this blog is not legal advice and should not be relied upon as such. Workplace Law does not accept liability for any loss or damage arising from reliance on the content of this blog, or from links on this website to any external website. Where applicable, liability is limited by a scheme approved under Professional Standards Legislation.
