The law is open to interpretation.
The basic premise is that info is collected for a certain purpose and should be dealt with, with care and responsibility.
If all fails throw the Bible at the employee.... Do unto others...
The law doesn't deal with idle gossip or slips of the tongue.
I think this comes down to the nature and scope of the admin's role. If they are expected to, within a reasonable degree of accuracy, keep this information private as part of their role, then you ought to investigate the circumstances behind the breach and conduct disciplinary action.
You should also review your employment handbook and make sure there are provisions in there dealing with people handling sensitive information about other employees.
Ultimately this is your business - you build your own culture.
@iliketurtles Isn't this open to interpretation, especially when you paint the picture of personal data with very broad strokes?
DPP3: unless the data subject has given prior consent, personal data shall be used for the purpose for which they were originally collected or a directly related purpose.
DPP4: all practicable steps shall be taken to ensure that personal data are protected against unauthorized or accidental access, processing or erasure.
DPP5: formulates and provides policies and practices in relation to personal data.
Yes but this isn't a right the Company has against its employee (not under the ordinance anyway) - this is a right from the abused against the Company.
Doesn't it need to be explained to the employees that what they're doing to the other employees may put the company and their jobs in danger....
This is really where I started from. We have a business culture that is fundamentally built around the "western" model. In a western model, some things don't really need to be spelled out in such detail (at least, not among professionals - we are not talking about Coronation Street gossips here).
The glitch was (not actually but similar to) leaving a piece of paper lying in the board room with some sensitive information on it. I.e. it was not gossip nor malicious, but more driven by (I think) a lack of understanding of what is "sensitive" to people. I don't think it would have happened if we had been in UK or Australia, because people would have just naturally "known" that health-related information is private in the same way we "just know" that we would not leave a list of people's salaries lying around!
But I don't think my admin person "just knows" it - hence the original questions about culture. Some of this IS cultural.
I liked Shri's suggestion of using the Privacy Ordinance, but we are really struggling to apply it. The privacy ordinance seems to focus more on what is allowed (by employers) than on what is not! Plus I can't find a clear definition of what "private information" actually is... which makes it harder to use it to highlight the point to the employee (which is necessary to build the culture).
I have no interest whatsoever in reprimanding my employee nor threatening to terminate them. That's not part of our company culture and not what this is about. It's about helping someone to understand what's important to keep private and why. And adhering to the law, per Shri's points above which are well taken.