Accessing sensitive agency information without authorisation is misconduct
Three case studies involving unauthorised access to sensitive agency information by employees.
Agencies have strict rules around the privacy and security of personal and sensitive information collected and held about customers and members of the public. Agency employees need to act at all times to uphold the APS Values and Code of Conduct, and to only access personal and sensitive information for an authorised business purpose. In some client service agencies, employees may also be clients of that agency, and must not access their own information records.
When an employee accesses information without authorisation, the behaviour can seriously undermine the general public's confidence in the ability of the APS to protect their privacy and respect the confidentiality of the information they provide.
Here are three examples:
Case study 1
In one case, an APS level 6 employee accessed the client record of their partner. This record displayed the personal information of the partner, as well as their contact history with the agency and other identifying information. The employee stated they could not recall accessing the record, and could not explain why the access may have occurred.
The agency determined the employee had failed to follow a reasonable direction not to access client records of persons known to them, a breach of section 13(5), and had failed to take reasonable steps to avoid a conflict of interest, a breach of section 13(7) of the Code of Conduct.
The agency imposed a sanction of a reduction in salary from pay point APS level 6.5 to level 6.3, or an approximate $8000 reduction in annual salary.
The employee sought review by the MPC of the sanction imposed, because they considered it was unduly harsh. The employee also explained the sanction would cause negative financial impacts for themselves and their family.
In our view, the conduct was serious in nature. We considered the sanction decision maker had appropriately taken the financial impact of the sanction into account in deciding to impose a lesser sanction than the one initially under consideration, due to financial hardship. We considered a financial sanction was appropriate given the seriousness of the behaviour, and the importance of protecting personal information held by the agency. We recommended the sanction be confirmed as fair and reasonable in the circumstances.
Case study 2
In a second case, an APS level 3 employee, who was also a client of the agency, was found to have accessed their own client record. The agency provided audit logs showing the employee's access to their own client file.
The employee had worked in the agency for many years, had an otherwise good employment record, and confirmed they were well aware of the rules around accessing personal information only for an authorised purpose. They strenuously denied the allegation. After considering the available evidence, it was our view that there was no reason to doubt the authenticity of the system records.
We recommended the agency confirm the finding that the employee had acted without integrity, without care and diligence, and had failed to uphold the Ethical APS Value, being a breach of sections 13(1), 13(2) and 13(11) of the Code of Conduct, respectively.
We also recommended the sanction of a $500 fine and a reprimand be confirmed. In our view, this sanction was reasonable in the circumstances, given the seriousness of the behaviour, the degree of relevance to the employee's duties and the expectation of the general public that the APS acts to protect the privacy and confidentiality of information collected about individuals. We were of the view that the risk of recurrence was low, given the employee had convincingly established their dedication to upholding the Code of Conduct and APS Values going forward, and their otherwise good employment record. We noted the sanction received by this employee was at the least severe end of the available sanctions.
Case study 3
In a third case, an employee was found to have breached the Code of Conduct when they accessed the customer records of family members of their manager. In the employee’s agency, policies and procedures provided that manager approval must be obtained before accessing the record of a colleague’s family member, even if there was otherwise a business purpose for the access. This is because there may be a perceived conflict of interest in accessing a record of a person known to them, or known to their colleague. In this case, the employee accessed the record of their manager’s family member, at the request of the manager.
We considered the agency's policy and procedural advice did not adequately assist the employee to deal with this type of situation. The advice stated the employee should seek manager approval; however, it did not address what the employee should do if the manager themselves had a conflict of interest.
The agency determined the employee had acted without honesty and integrity, in breach of section 13(1) of the Code of Conduct, without care and diligence, in breach of section 13(2), and had failed to uphold the Ethical Value, in breach of section 13(11).
In our view, the employee was neither improperly motivated nor acting dishonestly when they assisted the customer, who was a family member of their manager. The family member was not known to the employee, and the employee genuinely thought they were doing the right thing and following the correct policy. We therefore recommended that the agency decision be varied to find no breach of section 13(1).
Other evidence indicated that the employee provided a higher, or more preferential, level of service to customers who were family members of colleagues. We considered this failed to meet the standards of care and diligence expected in the delivery of equitable customer service, although we considered the conduct to be at a low level of seriousness.
We also found that, if known to the public, the perception that family members of staff may obtain preferential servicing could cause damage to the reputation of the agency and the APS.
We therefore recommended the agency vary the decision to confirm a breach of sections 13(2) and 13(11) of the Code of Conduct only.