Employee snooped on neighbour’s file 73 times
A government employee in dispute with his neighbour snooped on him 73 times after accessing his employer’s ‘‘sensitive’’ records.
He also changed the man’s file to add allegations of ‘‘improper conduct’’.
When the government agency found out about the privacy breach, it reviewed its processes but was not willing to apologise to the neighbour or pay him compensation. A heavily edited summary of the case was revealed recently in the annual report of the Privacy Commissioner.
The summary did not name either man involved or the ‘‘government agency’’.
The summary said that 73 times over three years, the employee accessed a file his employer had on the neighbour and changed it to add allegations of ‘‘improper conduct’’.
The neighbour found out about what happened and complained to the commissioner.
The commissioner said processes did not have to be foolproof but agencies should have safeguards to prevent loss, misuse and disclosure of personal information. The agency could have done more to protect the neighbour’s information.
The employee had access to sensitive information, including his neighbour’s, to do his job.
The commissioner was not satisfied the agency trained its staff properly about the seriousness of ‘‘employee browsing’’. There was nothing to show the employee knew his access might be randomly audited.
He was satisfied the neighbour felt significantly violated and humiliated.
The agency reviewed its processes but would not apologise or compensate the neighbour.
The Privacy Commissioner has now closed his file on the case, which was included in a review of the year ended June 2018. The neighbour could now take a claim to the Human Rights Review Tribunal, which could award up to $350,000 damages.
The commissioner has called for changes to the Privacy Act to introduce ‘‘meaningful consequences’’ for non-compliance, including for the commissioner to decide which cases should go to the tribunal and to take claims.
Its investigations were almost always confidential.
It would only name organisations when one would not ‘‘engage’’ with an investigation, a privacy breach was especially serious, or the office suspected that the organisation’s conduct could affect other people.
In the year ended June 2018, it named Facebook after it refused to co-operate with an investigation into a privacy complaint.