Privacy Commissioner flags lack of systems to stop 'creepy' employee snooping

'Creepy' employee snooping behind a quarter of NZ privacy breaches

Privacy Commissioner flags lack of systems to stop 'creepy' employee snooping

Privacy Commissioner Michael Webster has expressed concerns about the lack of organisational systems in place to prevent employees' unauthorised access to internal information amid rising cases of privacy breaches related to employee snooping.

Webster told RNZ's Nine to Noon that he is worried in cases where employers don't have systems that can detect unauthorised access to New Zealanders' information.

"I would expect an organisation that holds New Zealanders' personal information, a significant amount of it, to have systems in place to stop it from happening," he said.

"And it's not just IT from that, it could also be staff induction and training, and people understanding and being told and taught about the importance of protecting the integrity of information."

'Creepy' employee snooping rising

Webster made the remarks as he pointed out that employee snooping, or the unauthorised browsing of personal information by staff, now accounts for 25% of all reported privacy breaches in New Zealand.

He also said he believes the true figure was significantly higher due to under-reporting.

The cases reaching his office ranged from troubling to outright criminal, with some involving harassment of members of the public whose personal details had been accessed without authorisation. 

"This is just not on behaviour — it's creepy, it's serious, it's harassment and it's not what people want to see happening from the organisations they deal with," he told the RNZ programme.

He cited incidents including a delivery worker who used a customer's address to ask if she was single, and a health professional who sent inappropriate messages to a young female patient after accessing her records.

Webster said the problem extended beyond individual misconduct, with staff increasingly being pressured — through coercion, bribery, blackmail, or threats — into misusing data held by their employers.

Institutions holding large volumes of sensitive personal information, such as banks and insurance companies, were at particular risk of being targeted by organised crime groups seeking to exploit employee access, he warned.

A recent case involving a New Zealand Police officer who accessed the force's database for dishonest purposes had already prompted police to issue additional internal guidance on unauthorised access, Webster noted.

Under New Zealand's Privacy Act, organisations that discover a serious privacy breach are required to notify the Office of the Privacy Commissioner within 72 hours and inform those affected.

LATEST NEWS