As businesses become increasingly data-driven, the risk of unauthorised access to and use of private information, such as through data harvesting, increases correspondingly.
The right to privacy is a fundamental human right, which includes the right for all individuals to know whether information about them is being stored and, if so, for what purpose. A business has a duty to its employees to responsibly handle all private employee information in its possession or under its control. This concerns substantive information that employees may communicate through a business’s networks, as well as data that could provide insight into those employees’ behaviour, social relationships, private preferences and identity when analysed and aggregated together or with other data. Many countries have enacted data privacy legislation to protect an individual’s right to privacy from unlawful or arbitrary interference. Such legislation typically imposes the requirement to take various measures to ensure the security and integrity of personal data.
A business should implement technical, administrative and physical safeguards to protect its employees’ private information, which may be collected, deliberately or inadvertently (e.g., metadata), through its IT systems.
Businesses should employ security arrangements including the implementation of robust privacy policies and procedures (such as encrypting data and putting in place appropriate access controls and clear data breach processes) and carrying out assessments of IT systems to identify and address vulnerabilities on an ongoing basis. Businesses should also consider providing a higher level of protection to sensitive private information, such as data relating to an employee’s health or financial situation.