Many companies use a digital information system. Sometimes this is a customized system, other times a larger platform is shared by several companies. Most likely, this system is secured with a username and password and perhaps even two-factor authentication. Applying these security measures is worthless, however, if employees do not pay sufficient attention to the usefulness and necessity of keeping the information obtained from this system confidential. In that case, it is like fitting a certified lock on your front door while leaving the back door open.
As an organization, you can be expected to only have access to personal data to which you are entitled given the purpose and legal basis. But this does not mean that all your employees should also have access to this information. Therefore, an employee should only be able to view that information within systems which is strictly necessary for the performance of their work.(1) After all, staff, like you, are bound by the need-to-know principle. A doctor does not need to have access to his patient's financial data, and the hospital's financial administration does not need to know the patient's blood type, whereas the hospital as an institution is allowed to hold this information.
That this can easily go wrong was shown by a recent investigation by the Personal Data Authority (Autoriteit Persoonsgegevens). It followed from this investigation that the HagaZiekenhuis in The Hague did not properly secure its patient files internally. This came to light after dozens of employees of this healthcare institution accessed the patient file of a well-known Dutchman without any necessity.(2) The HagaZiekenhuis has since been fined €460,000.(3)
However, shielding an information system will not always be possible. Consider a program such as Suwinet, which allows government organizations to easily request information about citizens and companies from each other. It is not known in advance which employee of a government organization will have to look up which citizen or company. Thus, the program cannot be shielded at the level of individual citizens ('customer level') and will have to be shielded much more on content, so that, for example, financial information can only be retrieved by financial employees.
Although an employer's first impulse will be to issue summary dismissal after an employee misuses an information system, this will often not hold up.
An employee of the Social Insurance Bank used the program Suwinet to obtain the data of 23 persons, consisting of neighbors and family members, solely for private purposes.(4) This was followed by immediate dismissal. Although the subdistrict court held that the employee was guilty of a "flagrant" violation of the employer's trust, the instant dismissal could not stand.(5) After all, the Social Insurance Bank failed to train its staff on privacy issues. The subdistrict court very aptly articulated that the employer must "educate" its staff on privacy issues.(6)
A similar example involves an employee of a large banking institution.(7) This employee was going through a divorce that was having a major impact on her. When her former husband got a new partner, she retrieved various information about the new partner from the bank's system. Among other things, she checked the new partner's name and address details, obtained elsewhere, against the bank's records, and even had a BKR credit check carried out without any need. The employer summarily dismissed her. Although the subdistrict court was also of the opinion in this case that a bank employee can be expected to work with integrity, and attached importance to the applicable Code of Conduct and Employee Integrity Regulations, the immediate dismissal once again did not stand.
From these examples, we can distill some action points:
First, critically examine what information each individual employee should have access to. Lock out the parts that are not strictly necessary for that employee's work.
If it is not possible to deny access entirely, then you should take additional measures, which together make the employee aware of privacy. Consider:
IT Code of Conduct, including enforcement measures and sanctions.
Integrity training for employees.
Alert notification in case of conspicuous or unusual use of the system.
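As an added illustration of the access-restriction and alerting points above (example code written for this summary, not taken from the article, the book, or any real hospital or Suwinet system), the script below checks a constructed access log against a constructed role policy. It flags three patterns the cases describe: an employee viewing a data category outside their role, one subject's file opened by an unusual number of different employees (the HagaZiekenhuis pattern), and one employee opening an unusual number of different subjects (the Suwinet pattern). The thresholds are assumptions; in practice they would be set per role from normal workload.

```python
from collections import defaultdict

# Constructed role policy: which data categories each role may view.
ROLE_CATEGORIES = {
    "doctor": {"clinical"},
    "finance": {"financial"},
}

# Constructed access log: (employee, role, subject_id, data_category).
ACCESS_LOG = [
    ("emp01", "doctor", "P100", "clinical"),
    ("emp01", "doctor", "P101", "clinical"),
    ("emp02", "finance", "P100", "financial"),
    ("emp02", "finance", "P100", "clinical"),   # finance role viewing clinical data
    ("emp03", "doctor", "P999", "clinical"),    # P999 opened by five different doctors
    ("emp04", "doctor", "P999", "clinical"),
    ("emp05", "doctor", "P999", "clinical"),
    ("emp06", "doctor", "P999", "clinical"),
    ("emp07", "doctor", "P999", "clinical"),
    ("emp08", "finance", "P200", "financial"),  # emp08 looks up four subjects
    ("emp08", "finance", "P201", "financial"),
    ("emp08", "finance", "P202", "financial"),
    ("emp08", "finance", "P203", "financial"),
]

def policy_violations(log):
    """Accesses to a category the employee's role is not entitled to see."""
    return [(emp, subj, cat) for emp, role, subj, cat in log
            if cat not in ROLE_CATEGORIES.get(role, set())]

def crowded_records(log, max_viewers=3):
    """Subjects whose file was opened by more distinct employees than expected."""
    viewers = defaultdict(set)
    for emp, _, subj, _ in log:
        viewers[subj].add(emp)
    return {s: len(v) for s, v in viewers.items() if len(v) > max_viewers}

def busy_employees(log, max_subjects=2):
    """Employees who opened more distinct subjects than their workload explains."""
    subjects = defaultdict(set)
    for emp, _, subj, _ in log:
        subjects[emp].add(subj)
    return {e: len(s) for e, s in subjects.items() if len(s) > max_subjects}

if __name__ == "__main__":
    print("outside role:", policy_violations(ACCESS_LOG))
    print("records with many viewers:", crowded_records(ACCESS_LOG))
    print("employees with many lookups:", busy_employees(ACCESS_LOG))
```

Each flagged item is a prompt for the further investigation the article recommends, not proof of misuse on its own.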
Regularly repeat, in training and courses, what proper use means and which rules and guidelines apply to it. If you fail to do so, you run the risk of being unable to take any, or sufficient, action against employees who violate the rules of proper use.
If you suspect that an employee is not complying with the rules, investigate the employee's behavior further as soon as possible. In doing so, make clear how you have made this employee aware of the applicable rules in the preceding period.
(1) Article 5(1)(c) GDPR (AVG).
(2) Source: Research report Access to digital patient records by employees of the HagaZiekenhuis, March 2019. Published via autoriteitpersoonsgegevens.nl.
(3) Source: Decision to impose an administrative fine and an order for periodic penalty payments, June 18, 2019. Published via autoriteitpersoonsgegevens.nl.
(4) Amsterdam District Court Oct. 15, 2015, ECLI:NL:RBAMS:2015:8341.
(5) Incidentally, it was considered that the Social Insurance Bank could not be expected to retain this employee, given the serious violation of the rules.
(6) Recital 9.
(7) North Netherlands District Court Sept. 15, 2015, ECLI:NL:RBNNE:2015:4342.
This article is a summary of a more extensive section from the book: Privacy in the Workplace, ISBN: 9789492952288.
Privacy in the Workplace contains all kinds of practical information on how to deal with privacy in the workplace and covers topics such as job applications, absenteeism systems, camera surveillance and more.
The book is suitable for anyone dealing with personnel; think HR advisors, Works Council, payroll administrators, in-house lawyers, data protection officers and many more professionals.