You catch your employee accessing customer data unauthorized. For example, because your employee looked up financial information of his neighbor without necessity or verified the address of a Dutch celebrity out of curiosity. Can you summarily dismiss the employee at such a time? The answer follows from two classic rulings.
As an organization, you have a lot of information about your customers. In the most ideal situation, only the case handler has access to this data. In practice, however, things usually work differently. For example, not all programs are suitable for strict access restriction per employee and it can also happen that several employees are working on one file from their own discipline. For example, if you are a national service provider, such as a bank or insurance agency, you will usually have purchased one central system to exchange all these personal data quickly and easily. If you are a government agency, then you will have access to programs to verify relevant information. Even within smaller organizations, client registration systems may be in use, in which each colleague creates his or her own file. All these systems are convenient, but they also pose an immediate threat to privacy. Precisely because information exchange can take place without too much effort and often even anonymously.
The first ruling dealing with this subject is a decision of the Amsterdam District Court dated October 15, 2015 (find: ECLI:NL:RBAMS:2015:8341). An employee of the Social Insurance Bank (SVB) used the program Suwinet to obtain the data of 23 people, consisting of neighbors and family members, solely for private purposes. This was followed by immediate dismissal. Although the subdistrict court held that the employee was guilty of a "flagrant" violation of the employer's trust, the summary dismissal could not stand. After all, the SVB had failed to train its staff on privacy issues. The subdistrict court very aptly articulated that the employer must "train" its staff to be privacy-sensitive.
Drawing up rules and guidelines once is insufficient to make employees permanently aware that correct use of programs such as Suinet is essential. Precisely because such programs are used daily, courses and training are necessary, the subdistrict court said in its ruling. The subdistrict court went further and also stated that a standard warning message that always appears on the screen when one logs into the program loses credibility and strength if inspections and sanctions do not actually follow. Thus, even such a measure will not provide relief. Incidentally, the instant dismissal did not stand, but at the same time the subdistrict court found that the working relationship between employer and employee could not stand. However, this should have been initiated with a less far-reaching measure, rather than through summary dismissal.
The second ruling dealing with this subject is a September 15, 2015 ruling by the District Court of the Northern Netherlands (find: ECLI:NL: RBNNE:2015:4342). This ruling focused on the conduct of an employee of a large banking institution. This employee ended up in a divorce which had a great impact on her. When her former husband gets a new partner, she extracts various information about the new partner from the system. Among other things, she checks the name and address details of this lady obtained elsewhere and she can even have a BKR check done without any need. The new partner becomes aware of this and complains to the employee's employer. After further investigation, the employer summarily dismisses her. Although the Subdistrict Court was also of the opinion that a bank employee could be expected to act with integrity and importance was attached to the applicable Code of Conduct and Employee Integrity Regulations, the immediate dismissal was again not upheld.
In short, a summary dismissal for privacy violations usually will not stand. This is prompted by the fact that most employers roll out rules and guidelines once and then do not permanently train employees to stay alert when it comes to privacy. Even when integrity is expected of an employee, it will be necessary to keep repeating it. In addition, subdistrict litigation is highly fact-specific and all facts and circumstances will come into play. An irreproachable employment record in the past counts heavily in that case. Building up a file is therefore essential; if your employee shows unacceptable behavior, confront him or her and record this in a performance report.
Melanie Hermes teaches the Privacy in the Workplace course on Oct. 29
This article can also be found in the Privacy in the Workplace file
