Resources: Blogs

Just one look... or in the case for one former job centre employee, thirty five unauthorised “looks” at an ex-lover’s job seeker profile.

It was recently reported in the media that an employee who worked for a job services provider was convicted of criminal offences for accessing restricted data without authorisation.

The employee was involved in a personal relationship with a co-worker, which ended in 2014. When the co-worker eventually left the employment in 2015, the employee repeatedly called him and his new girlfriend.

Since the break-up, the former co-worker had changed his mobile number on multiple occasions and had only divulged his number to a limited number of people and organisations. One of those organisations was a job services provider that used the Department of Employment’s restricted access “Employment Services System.” The employee also had access to the “Employment Services System” in her employment.

When charging the employee with offences, the NSW Police alleged that the employee had used the restricted Employment Services System to obtain her former co-worker’s mobile numbers. The employee illegally accessed his profile on the Employment Services System a total of thirty five times.

Naturally, the employee required access to the Employment Services System to do her job, but in this case her access was misused to obtain personal information about her ex-lover.

Wherever personal information is collected and stored, there exists a risk of rogue employees doing the wrong thing with personal information. Businesses have special responsibilities to ensure that personal information is not misused and is safely stored – this includes access and use by their own employees.

The Australian Privacy Principles (APPs) set out under the Privacy Act 1988 (Cth) provide that personal information must only be used for the purpose it was collected for and must not be used or disclosed for another purpose without consent (subject to certain exceptions). Furthermore, the businesses must keep personal information secure and protect it from misuse, unauthorised access and disclosure.

Human resources professionals often have access to and handle more personal information than other positions and should be alert to and aware of their privacy obligations. For example, what can be disclosed about an employee as part of an employment check or loan application?

To ensure compliance with privacy obligations, businesses must adopt a privacy policy that, at a minimum, outlines:

• What is “personal information”;
• How personal information is collected and maintained;
• How personal information will be secured, including determining or limiting who will have access to personal information;
• That personal information must not be misused (including used for a personal reason or financial gain);
• That personal information must not be disclosed to unauthorised persons or for a purpose other than which that information was collected for; and
• Consequences for breaches of the privacy policy and/or privacy laws.

Access to personal information must be strictly on a “need to know” basis. Employers should monitor and restrict access to personal information to those who require the information for their normal duties and provide training to employees about accessing other people’s personal information and their obligations.