Govt worker snooped on neighbour’s file 73 times
A government employee in dispute with his neighbour snooped on him 73 times after accessing his employer’s “sensitive” records.
He also changed the man’s file to add allegations of “improper conduct”.
When the government agency found out about the privacy breach it reviewed its processes but was not willing to apologise to the neighbour or pay him compensation.
A heavily edited summary of the case was revealed recently in the annual report of the Privacy Commissioner. The summary did not name either man involved or the “government agency”.
The summary said that 73 times over three years the employee accessed the file his employer had on the neighbour and changed it to add allegations of “improper conduct”.
The neighbour found out about what happened and complained to the Privacy Commissioner.
The commissioner said processes did not have to be foolproof but agencies should have safeguards to prevent loss, misuse and disclosure of personal information.
The agency could have done more to protect the neighbour’s information.
The employee had access to sensitive information, including his neighbour’s, to do his job.
The commissioner was not satisfied that the agency trained its employee properly about the seriousness and consequences of “employee browsing”. There was nothing to show the employee knew his access might be randomly audited.
The employee either did not understand his obligations or was confident he could “browse” without being caught, the commissioner said.
He was satisfied the neighbour felt significantly violated and humiliated.
The agency reviewed its processes but would not apologise or compensate the neighbour.
The Privacy Commissioner has now closed his file on the case, which was included in a review of the year ended June 2018. The neighbour could now take a claim to the Human Rights Review Tribunal, which could award up to $350,000 in damages.
The commissioner has called for changes to the Privacy Act to introduce “meaningful consequences” for non-compliance, including for the commissioner to decide which cases should go to the tribunal and for the commissioner to take the claims.
The office’s investigations were almost always confidential. It would only name organisations when an organisation would not “engage” with an investigation, a privacy breach was especially serious, or the office suspected the organisation’s conduct could affect other people.
In the year ended June 2018 it named Facebook after it refused to cooperate with an investigation into a privacy complaint.