The digitisation of our society challenges our natural curiosity – it has never been easier to access information. When personal data is involved, our self-control is put to the test. This also applies in the work environment. Generally, employees have access to all information (including sensitive information) on the internal network. Employees might be tempted to snoop around in personal files and look up information that is not for their eyes or is not necessary for their job. Is this punishable? A recent judgment of the Court of Cassation provides new insights.
Curiosity is not a criminal offence
During the US elections, reports about hacking featured prominently in the media in connection with "Russia-gate". Hacking is the offence committed when unauthorised persons access an information network.
In Belgium, it is not only a criminal offence when an external person gains unauthorised access to an information network (external hacking); it can also be a criminal offence when the authorisation granted to persons who are provided with access to the network is transgressed (internal hacking). The latter type of intrusion is only punishable if the person exceeded his/her access authorisation with the intent to harm or abuse the data accessed. Mere curiosity is therefore not (criminally) punishable.
If, for example, a nurse accesses the electronic patient file of a famous singer in order to sell the information to a tabloid, he or she has committed the criminal offence of hacking. The nurse, who did not have authority to access the file, reviewed the file with a criminal intent to cash in on the sale of the personal information.
Access-all-areas authorisation prevents (conviction for) hacking
The Ghent Court of Appeal ruled that the conditions for internal hacking are met when a person who is, in principle, authorised to access certain data has consulted these data for reasons other than the mere execution of his function. In the case at issue, an employee in the ICT department conducted a search of personal data on the internal network for personal reasons. The Court of Appeal argued that the employee had committed internal hacking, notwithstanding the fact that he had the authority to access the full internal network. The court found that the employee had diverted the granted authority from its purpose, namely the maintenance of the internal network.
Not so, according to a decision of the Court of Cassation in January. It is not the purpose of the authority but the authority itself which is decisive. If a person has the authority to access all documents, there can be no internal hacking. As such, an access-all-areas authorisation prevents a conviction for hacking.
The "holy trinity" for each company: select, inform and protect
The fact that curiosity is not subject to criminal sanctions does not mean that employers should not take action. Today, all companies, institutions and administrative bodies have personal and often very sensitive data relating to their clients or users: financial data about clients or citizens, patients' medical information, or data regarding consumer behaviour. The data collector is responsible for protecting these data appropriately. In 2018, the new European rules regarding the protection, storage, processing and control of such data will be further be strengthened with the entry into force of the GDPR (General Data Protection Regulation – see also Eubelius Spotlights June 2016).
Companies and administrative bodies should therefore invest in "internal data hygiene" and protect against data-snooping by employees. Even though the aforementioned judgment of the Court of Cassation does not render the diversion of authority to access data punishable under criminal law, employers can still punish such behaviour by means of deontological sanctions.
Moreover, companies and administrative bodies should apply the "holy trinity" of data protection: select, inform and protect. First, review whether your company or administration really needs all the data requested in order to effectively provide the service offered (select). Research shows that, all too often, users are asked to provide personal information that will never be used. Second, inform your employees clearly which stored data they can use, for what purpose, within which boundaries, and inform them about the sanctions in case of violation. Third, protect personal data internally. Especially for very sensitive data, it is advisable to consider separate passwords, locations or files on the internal network. Carefully select who is granted access to all data from the perspective of the job requirements.
Catherine Van de Heyning
catherine.vandeheyning@eubelius.com
Tom Bauwens
tom.bauwens@eubelius.com