Is it wrong to peek at a colleague's paycheck?












55















As a background story, I am part of the IT personnel at the company.



The company wants to create a system to automate the invoicing and billing process using our internal system, because at the moment we're doing all of those manually by looking at the transaction history on our system and then copy/paste to an online accounting system service.



Obviously I need access to be able to request an API call to that accounting system online to create the invoice/billing from our internal system. Additionally I need full access to the system to do that (the accounting system we're using is not very good to be able to implement a minimum access policy for this, but it is good enough for us so far).



Consequently since we're using the same system and the same account both for our customer and internal accounting stuff (staff paycheck, bills, etc.), I could see literally everything (we're a small company with <20 staff in the office).



Is it ethically wrong to have a peek at staff paychecks?






























  • 2





    Comments are not for extended discussion; this conversation has been moved to chat.

    – Jane S
    Jan 6 at 0:31






  • 31





    You are IT; you should implement a system that logs who does what queries. Then you will know whether anyone is using their admin privileges to access what information. Would the existence of such a system change whether or not you would use it to do a particular query?

    – Eric Lippert
    Jan 6 at 1:19
















salary ethics united-kingdom














edited Jan 5 at 14:04









RedSonja











asked Jan 4 at 12:44







user97530

























14 Answers


















299














Stop what you're doing and think things through.



You're developing APIs that interact with a live finance system. If things go wrong and you write instead of read or do something to corrupt the system, you could wreck people's lives (and the company for that matter).



Don't do that.



Create or request a separate test system to interface with and use that to develop and test against before attaching to the live system. If this is an online (third party) system, then they should be able to provide you with a test system/account to use for the purposes of development.



Even with a small company like yours, this is really really important.



And don't look at people's personal information - it's morally (and potentially legally) wrong - make sure that your test system has test values in it.



























  • 4





    The context here is the United Kingdom. The OP didn't specify whether their use of "wrong" in the question was technical/legal/moral, so I addressed all uses here.

    – Snow
    Jan 4 at 14:55






  • 46





    In the context of the United Kingdom GDPR is in force, OP should definitely not have access to live financial data.

    – Josh
    Jan 4 at 15:55






  • 3





    Regardless of a test environment, somebody is going to have to examine/audit the system on live data. What if there's a slight discrepancy between dev and production? I know somebody who works at a bank and they do test on their own live accounts all the time: assuming staging exactly equals production is asking for disaster.

    – user71659
    Jan 4 at 17:46






  • 36





    @Josh GDPR concerns customer data that makes customers personally identifiable (PII). It doesn’t concern all financial data, nor all customer data, nor even necessarily all financial customer data. And lastly, it does not forbid access to customer PII data. It just regulates it.

    – Konrad Rudolph
    Jan 4 at 19:07








  • 5





    @KonradRudolph GDPR doesn't only govern customer data, it covers PII on natural persons. See also my other comment.

    – Mark Rotteveel
    Jan 5 at 11:04



















83















Is it ethically wrong to have peek at staff paycheck?




Yes, and illegal in a lot of countries. Don't do this, and if you did, hope no one will ever know, or you risk your job and maybe more.

























  • 5





    Note, there are usually exceptions in the law (or company guidelines at least) for people who need to see this data, usually that means just HR. In a small company with blended roles I can see you falling under this exception but it will mean a big responsibility and probably some extra training.

    – Borgh
    Jan 4 at 13:14











  • As OP said, he needs to create invoices, not to look at others' paychecks. I don't think the exception will help him there.

    – LP154
    Jan 4 at 13:15






  • 1





    As I read it, he is the one responsible for their accounting software and in most companies you need someone who is able to confirm "yes we transferred (x money) to (y account) on (z date)", ideally the company invoices and paychecks go through separate systems but in a smaller company with a single system that might not be realistic. I'd recommend building something where you get a "yes I want to see this" popup before any sensitive information is shown.

    – Borgh
    Jan 4 at 13:22



















23














I agree fully with the answer of @Snow. Besides that:




  • Never use administrative access to "peek" at things. In 99% of the cases there is no credible explanation that you actually need to look at a real live document as an IT person, unless you need to give support on a specific case.


  • If you happen to come across such information without being explicitly permitted and asked to by the administration of your company, keep it absolutely confidential and never ever talk about it - but inform your boss that some procedure is not OK (see next point).


  • If you have a support role where you get in touch with personal information and your company has not given you a dedicated training/explanation on it, including introducing the person actually responsible for this, then something is severely wrong in the administration. In a well organized company, there is no way that somebody gets in contact with salary information without that being addressed explicitly, including precise limitations and procedure how to handle things, and a form which you have to sign that you understood what was said.




























  • 4





    Regarding your last bullet, I agree that something like that should be the case, but in a small company - especially if also a young one - lots of things that "should" - and in a larger business almost certainly will - have formal policies/procedures/training associated with them don't because there's never been enough time/money to create them.

    – Dan Neely
    Jan 5 at 0:48











  • Even at a small company, I would expect that the person responsible for HR is aware of the situation; it could happen in a less formal way, but I still would expect an explicit handover.

    – Sascha
    Jan 5 at 11:01



















12














People get fired for this. I even know someone who got fired for not immediately firing someone who was caught doing what you suggested.



Accessing records which you're not authorized to access is trouble. And before you ask, having the ability to access data is not at all the same as having the authority. Forget "ethically", your problem is "contractually" and "legally", either of which carry significantly harsher consequences than "ethically".





































8

Yes. You should only be accessing the data you need to access to do your job, especially when it comes to financial data.





































8

At most companies, looking at someone else's paycheck without having a valid business reason is a reason for immediate termination. Also, many companies log such read access, and there are audits about it.

Because you are in a small company, it seems this isn't tracked or formalized, but there is a good chance that the owner would terminate you anyway if he found out.





































7

Is it ethically wrong to have peek at staff paycheck?

Of course it's wrong.

I'm guessing you already know that. But in case you aren't sure, ask your boss first.

Never use Production. Use a test system with simulated data.






























  • Do not recommend asking the boss. That is very risky advice.

    – Stig Hemmer
    Jan 7 at 9:32

  • @JoeStrazzere I would guess the concern is that the boss would say "Sure, it's fine" when it's not necessarily. That answer could be either on purpose or because they don't know better. Whatever the case. However, I think it's still a good idea to ask. Chances are the boss would say "No, don't do it". If they don't, then OP has enough advice here to point that this is not the expected answer, can do more research and then go back and say "Actually, I looked into it and it's a problem because X and Y, but we can do A and B" educates and is helpful. Or maybe it's indeed fine for another reason.

    – vlaz
    Jan 8 at 7:08

  • @vlaz I was thinking more along the lines of the boss saying "Are you out of your mind?" and then transferring the OP to a position where they wouldn't have access to any sensitive data again.

    – Stig Hemmer
    Jan 9 at 8:14

  • @StigHemmer I can see that as being a concern. However, I still don't see it as an automatic "don't do that" - first of all, it is probably an unreasonable boss who would do it and second, you have to make the question a bit unreasonable first. If you formulate the question to the boss like "Hey, it's fine to just peek at the sensitive data, right?" then you might elicit an (unreasonable) "NO!" as response. But if you say "Hey boss, while working on X, how do I handle sensitive data?" I very much doubt they go "You're banned from working with sensitive data again!" even if unreasonable.

    – vlaz
    Jan 9 at 8:19



















7

Rule #1 of interacting with sensitive data: Mind your own business.

That being said, the central question you should ask yourself before accessing any sensitive data:

What's your business purpose for needing to know this?

Based on your question, it sounds like the answer is "none whatsoever" - it sounds more like you're tempted to look because you can, not because you have an actual need to know about that.

Satisfying your personal curiosity is not a legitimate business purpose.

Even if you are in a position where you have an actual business need to access sensitive data like that, you should do so in the least invasive way possible.

For example, I have access to our company's recruiting platform (and, consequently, the application data for many of the company's current employees, myself included). I could literally look up how the people who interviewed me rated me in my interviews. Guess what? I've never done it - nor will I. In fact, I've never looked up anyone I know personally - in every single case, looking at data on people I don't know has been sufficient.

So yes, it's wrong. Don't do that.





































5

Is it ethically wrong to have peek at staff paycheck?

Yes, and legally.

I would stop and go to your boss immediately with the following:

1. You're accessing LIVE data and there's a risk you can break it.

2. You're able to see pay information. Are you able to see PII information as well? If so, I would immediately stop.

You risk not only your job but also legal problems. Maybe jail or a heavy fine. It only takes one person to understand what you're doing and they go to the proper authorities or lawyer in your country and begin the process. You need to email this to your boss and save that email with the following:

Boss, I am accessing an API that shows our staff's PII and pay information. I am able to access this without restriction and modify the data. I need a test bed and not be able to see this data as it is a violation of [insert country's privacy law]






































5

Other than what all the other answers have said about your question, what do you hope to gain by knowing what a colleague's salary is? Do you hope to feel good because you are paid more? What if he earns more than you? You can't use that information as grounds for requesting/negotiating an increase anyway. That information might very well cause all sorts of problems for you on all sorts of levels. Just let it be.

























  • 4

    This. Ethics and probably law say it's wrong, but even if you don't get directly blamed for looking at your colleague's salary, I can't imagine any positive outcome from this. Most chances are that this would just lead to demotivation, misunderstandings, regrets, judgmental attitude, etc... Some things are better left unknown, for the benefit of everybody.

    – dim
    Jan 5 at 14:44





















4

While most answers address the legal and personal ethics, there is also the code of ethics that is established by the relevant professional body/ies in your country or that you may be a member of (personally, I use these despite not being a member).

In Australia, the relevant body is the Information Technology Professionals Association which is the successor of the System Administrator's Guild of Australia (SAGE-AU). The code of ethics produced by this organisation has been adopted by many professional bodies around the world.

There is a difference between coming across confidential information in the course of your duties and deliberately accessing confidential information.

In my opinion, it is unethical to deliberately access information that you haven't been given explicit authority to access. If you are a member of a professional body and they were to find out, then you would have your membership revoked (which could hamper future job applications); if you are not a member then you run the risk of being refused membership if they discover that you have done this (employer or another employee may report you to the body).

As IT professionals, we are entrusted with confidential information (our privilege) and we must protect that information (our responsibility) from all, including ourselves.







































3

I am in this exact situation. I automate the invoicing/payroll for a consultancy firm. I have access to the whole accounting software and APIs. This means I am practically in control of all the finances of the company I work for. As an example, I can increase my own paycheck if I wanted to.

First things first. Although you have the possibility to check everything you want, don't do it when it is not needed. It is not ethical and you gain nothing from it. Only read, access and modify what you got asked to do or what you think you will need. If in the slightest doubt, ask for permission. (Written, always leave a paper trail.) My contract, and probably yours, will state that disclosing or modifying any of the data will bring in a lot of trouble for me. I cannot recall the exact consequences a.t.m. but I will be fired, fined and a lawsuit may follow.

Second. Do not disclose any information that you find while developing this tool to anyone. Not to your colleagues, family, best friend,... And only report something you have seen to your boss when asked, without an opinion.

Third, not workplace related. As pointed out before, when working on a system like this, you have to work with a second development platform that is identically set up as the system you use in production. But, use dummy data. Especially if you host it locally on your own laptop/pc. In case of theft, hacking,... the company's data is not at risk. You don't want to be the one responsible for a data breach in a company.

Remember, with great power, comes great responsibility.

If you have any more questions about developing such software and about good practices around this, feel free to ask. I've been in this situation for about 8 months now.





































2

Being an IT worker at your company gives you access to data that is confidential, but that does not entitle you to read it. You should treat it no differently than it being a physical file in a cabinet. Just because the filing cabinet is in the same room as you and you have the key, does not mean you should be perusing through it at your leisure. It is morally and ethically wrong, and it may also have legal consequences. Not only would you put your job at risk, but you may be subjecting yourself to prosecution.

You should only be accessing data that pertains to your job. If you do happen to come across confidential information during your routine duties, you must never disclose this information to others, or use it for personal gain. There may also be controls on this system that you are not aware of. You should treat your access as if someone is always looking over your shoulder. You may never know that someone is watching over you until you are being marched out of the building by security, so please keep that in mind.

As others have said, you should look into having a separate server instance with fake data to develop against. As a developer, there is no reason to test against a live system. If something ever went wrong, you wouldn't want to be the one that people are pointing fingers at.





































-3

Depends on what you consider ethically wrong. I for one would be curious and do it when no one is watching, not because it's right or ethical, but because I would want to know if I'm getting shafted with the pay. As the answers above pointed out, I would refrain if specifically requested not to or it's illegal to do so.

























  • 8

    If I find out that you looked at my salary without my permission and without any need I will do my hardest to get you out of the company. I think my boss will agree with this, so I won’t have to work hard. Even more with GDPR.

    – gnasher729
    Jan 4 at 14:00

  • 10

    "Depends on what you consider ethically wrong." - spot on; there are some truths people don't like to hear; like ethics is a personal thing. Legal points are not however - and this would be breaking the law. Anyway, what would you do if you did find out you were being paid less - if you say to your boss "I saw everyone's pay and I want more" their reply will be with a boot.

    – UKMonkey
    Jan 4 at 14:10

  • 2

    @paulj, OP was told to work on billing/invoicing, not payroll. IANAL, but pretty sure this would be a violation of GDPR

    – cdkMoose
    Jan 4 at 18:28

  • 1

    @paulj what makes you think he's a wage slave; do you know his income? As for what law it breaks, as almost every answer here says, GDPR. I'd put money that it says it in his contract too. As for ethically, most would argue that spying on your colleagues isn't ethical. I suggest you read answers and comments before commenting.

    – UKMonkey
    Jan 4 at 18:44

  • 9

    "because I would want to know if I'm getting shafted with the pay." - This is not a valid reason to view sensitive information. This is absolutely horrible advice. If the author has a business need to test something on the production server, the author can view his own information, instead of that of a colleague.

    – Ramhound
    Jan 4 at 21:08










                  protected by Jane S Jan 6 at 0:31



                  Thank you for your interest in this question.
                  Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).



                  Would you like to answer one of these unanswered questions instead?













                  14 Answers
                  14






                  active

                  oldest

                  votes








                  14 Answers
                  14






                  active

                  oldest

                  votes









                  active

                  oldest

                  votes






                  active

                  oldest

                  votes









                  299














                  Stop what you're doing and think things through.



                  You're developing APIs that interact with a live finance system. If things go wrong and you write instead of read or do something to corrupt the system, you could wreck people's lives (and the company for that matter).



                  Don't do that.



                  Create or request a separate test system to interface with and use that to develop and test against before attaching to the live system. If this is an online (third party) system, then they should be able to provide you with a test system/account to use for the purposes of development.



                  Even with a small company like yours, this is really really important.



                  And don't look at people's personal information - it's morally (and potentially legally) wrong - make sure that your test system has test values in it.






                  share|improve this answer





















                  • 4





                    The context here is the United Kingdom. The OP didn't specify whether their use of "wrong" in the question was technical/legal/moral, so I addressed all uses here.

                    – Snow
                    Jan 4 at 14:55






                  • 46





                    In the context of the United Kingdom GDPR is in force, OP should definitely not have access to live financial data.

                    – Josh
                    Jan 4 at 15:55






                  • 3





                    Regardless of a test environment, somebody is going to have to examine/audit the system on live data. What if there's a slight discrepancy between dev and production? I know somebody who works at a bank and they do test on their own live accounts all the time: assuming staging exactly equals production is asking for disaster.

                    – user71659
                    Jan 4 at 17:46






                  • 36





                    @Josh GDPR concerns customer data that makes customers personally identifiable (PII). It doesn’t concern all financial data, nor all customer data, nor even necessarily all financial customer data. And lastly, it does not forbid access to customer PII data. It just regulates it.

                    – Konrad Rudolph
                    Jan 4 at 19:07








                  • 5





                    @KonradRudolph GDPR doesn't only govern customer data, it covers PII on natural persons. See also my other comment.

                    – Mark Rotteveel
                    Jan 5 at 11:04
















                  299














                  Stop what you're doing and think things through.



                  You're developing APIs that interact with a live finance system. If things go wrong and you write instead of read or do something to corrupt the system, you could wreck people's lives (and the company for that matter).



                  Don't do that.



                  Create or request a separate test system to interface with and use that to develop and test against before attaching to the live system. If this is an online (third party) system, then they should be able to provide you with a test system/account to use for the purposes of development.



                  Even with a small company like yours, this is really really important.



                  And don't look at people's personal information - it's morally (and potentially legally) wrong - make sure that your test system has test values in it.














                  edited Jan 4 at 13:19

























                  answered Jan 4 at 12:58









                  Snow








                  • 4





                    The context here is the United Kingdom. The OP didn't specify whether their use of "wrong" in the question was technical/legal/moral, so I addressed all uses here.

                    – Snow
                    Jan 4 at 14:55






                  • 46





                    In the context of the United Kingdom GDPR is in force, OP should definitely not have access to live financial data.

                    – Josh
                    Jan 4 at 15:55






                  • 3





                    Regardless of a test environment, somebody is going to have to examine/audit the system on live data. What if there's a slight discrepancy between dev and production? I know somebody who works at a bank and they do test on their own live accounts all the time: assuming staging exactly equals production is asking for disaster.

                    – user71659
                    Jan 4 at 17:46






                  • 36





                    @Josh GDPR concerns customer data that makes customers personally identifiable (PII). It doesn’t concern all financial data, nor all customer data, nor even necessarily all financial customer data. And lastly, it does not forbid access to customer PII data. It just regulates it.

                    – Konrad Rudolph
                    Jan 4 at 19:07








                  • 5





                    @KonradRudolph GDPR doesn't only govern customer data, it covers PII on natural persons. See also my other comment.

                    – Mark Rotteveel
                    Jan 5 at 11:04



























                  83















                  Is it ethically wrong to have peek at staff paycheck?




                  Yes, and illegal in a lot of countries. Don't do this, and if you did, hope no one will ever know, or you risk your job and maybe more.
















                  answered Jan 4 at 12:47









                  LP154








                  • 5





                    Note, there are usually exceptions in the law (or company guidelines at least) for people who need to see this data, usually that means just HR. In a small company with blended roles I can see you falling under this exception but it will mean a big responsibility and probably some extra training.

                    – Borgh
                    Jan 4 at 13:14











                  • As OP said, he needs to create invoices, not to look at others' paychecks. I don't think the exception will help him there.

                    – LP154
                    Jan 4 at 13:15






                  • 1





                    As I read it, he is the one responsible for their accounting software, and in most companies you need someone who is able to confirm "yes we transferred (x money) to (y account) on (z date)". Ideally the company invoices and paychecks go through separate systems, but in a smaller company with a single system that might not be realistic. I'd recommend building something where you get a "yes I want to see this" popup before any sensitive information is shown.

                    – Borgh
                    Jan 4 at 13:22

























                  23














                  I agree fully with the answer of @Snow. Besides that:




                  • Never use administrative access to "peek" at things. In 99% of the cases there is no credible explanation that you actually need to look at a real live document as an IT person, unless you need to give support on a specific case.


                  • If you happen to come across such information without being explicitly permitted and asked to by the administration of your company, keep it absolutely confidential and never ever talk about it - but inform your boss that some procedure is not OK (see next point).


                  • If you have a support role where you get in touch with personal information and your company has not given you a dedicated training/explanation on it, including introducing the person actually responsible for this, then something is severely wrong in the administration. In a well-organized company, there is no way that somebody gets in contact with salary information without that being addressed explicitly, including precise limitations and a procedure for how to handle things, and a form which you have to sign that you understood what was said.















                  edited Jan 6 at 23:55









                  V2Blast











                  answered Jan 4 at 14:46









                  Sascha








                  • 4





                    Regarding your last bullet, I agree that something like that should be the case, but in a small company - especially if also a young one - lots of things that "should" - and in a larger business almost certainly will - have formal policies/procedures/training associated with them don't because there's never been enough time/money to create them.

                    – Dan Neely
                    Jan 5 at 0:48











                  • Even at a small company, I would expect that the person responsible for HR is aware of the situation; it could happen in a less formal way, but I still would expect an explicit handover.

                    – Sascha
                    Jan 5 at 11:01

























                  12














                  People get fired for this. I even know someone who got fired for not immediately firing someone who was caught doing what you suggested.



                  Accessing records which you're not authorized to access is trouble. And before you ask, having the ability to access data is not at all the same as having the authority. Forget "ethically", your problem is "contractually" and "legally", either of which carry significantly harsher consequences than "ethically".
















                      answered Jan 5 at 16:00









                      Peter























                          8














                          Yes. You should only be accessing the data you need to access to do your job, especially when it comes to financial data.
















                              answered Jan 4 at 12:46









                              Robert Dundon























                                  8














                                  At most companies, looking at someone else's paycheck without having a valid business reason is a reason for immediate termination. Also, many companies log such read access, and there are audits about it.

                                  Because you are in a small company, it seems this isn't tracked or formalized, but there is a good chance that the owner would terminate you anyway if he found out.
















                                      answered Jan 4 at 15:40









                                      Aganju























                                          7















                                          Is it ethically wrong to have a peek at staff paychecks?




                                          Of course it's wrong.



                                          I'm guessing you already know that. But in case you aren't sure, ask your boss first.



                                          Never use Production. Use a test system with simulated data.
















                                          answered Jan 4 at 19:07









                                          Joe Strazzere













                                          • Do not recommend asking the boss. That is very risky advice.

                                            – Stig Hemmer
                                            Jan 7 at 9:32











                                          • @JoeStrazzere I would guess the concern is that the boss would say "Sure, it's fine" when it's not necessarily. That answer could be either on purpose or because they don't know better. Whatever the case. However, I think it's still a good idea to ask. Chances are the boss would say "No, don't do it". If they don't, then OP has enough advice here to point that this is not the expected answer, can do more research and then go back and say "Actually, I looked into it and it's a problem because X and Y, but we can do A and B" educates and is helpful. Or maybe it's indeed fine for another reason.

                                            – vlaz
                                            Jan 8 at 7:08











                                          • @vlaz I was thinking more along the lines of the boss saying "Are you out of your mind?" and then transferring the OP to a position where they wouldn't have access to any sensitive data again.

                                            – Stig Hemmer
                                            Jan 9 at 8:14











                                          • @StigHemmer I can see that as being a concern. However, I still don't see it as an automatic "don't do that" - first of all, it is probably an unreasonable boss who would do it and second, you have to make the question a bit unreasonable first. If you formulate the question to the boss like "Hey, it's fine to just peek at the sensitive data, right?" then you might elicit an (unreasonable) "NO!" as response. But if you say "Hey boss, while working on X, how do I handle sensitive data?" I very much doubt they go "You're banned from working with sensitive data again!" even if unreasonable.

                                            – vlaz
                                            Jan 9 at 8:19






























                                          7














                                          Rule #1 of interacting with sensitive data: Mind your own business.



                                          That being said, the central question you should ask yourself before accessing any sensitive data:



                                          What's your business purpose for needing to know this?



                                          Based on your question, it sounds like the answer is "none whatsoever" - it sounds more like you're tempted to look because you can, not because you have an actual need to know about that.



                                          Satisfying your personal curiosity is not a legitimate business purpose.



                                          Even if you are in a position where you have an actual business need to access sensitive data like that, you should do so in the least invasive way possible.



                                          For example, I have access to our company's recruiting platform (and, consequently, the application data for many of the company's current employees, myself included). I could literally look up how the people who interviewed me rated me in my interviews. Guess what? I've never done it - nor will I. In fact, I've never looked up anyone I know personally - in every single case, looking at data on people I don't know has been sufficient.



                                          So yes, it's wrong. Don't do that.
















                                              answered Jan 7 at 4:57









                                              EJoshuaS























                                                  5















                                                  Is it ethically wrong to have a peek at staff paychecks?




                                                  Yes, and legally.



                                                  I would stop and go to your boss immediately with the following:




                                                  1. You're accessing LIVE data and there's a risk you can break it.

                                                  2. You're able to see pay information. Are you able to see PII information as well? If so, I would immediately stop.


                                                  You risk not only your job but also legal problems. Maybe jail or a heavy fine. It only takes one person to understand what you're doing and they go to the proper authorities or lawyer in your country and begin the process. You need to email this to your boss and save that email with the following:




                                                  Boss, I am accessing an API that shows our staff's PII and pay information. I am able to access this without restriction and modify the data. I need a test bed and not be able to see this data as it is a violation of [insert country's privacy law]

















                                                      answered Jan 4 at 17:55









                                                      Dan























                                                          5














                                                          Other than what all the other answers have said about your question, what do you hope to gain by knowing what a colleague's salary is? Do you hope to feel good because you are paid more? What if he earns more than you? You can't use that information as grounds for requesting/negotiating an increase anyway. That information might very well cause all sorts of problems for you on all sorts of levels. Just let it be.






                                                          answered Jan 4 at 18:57









                                                          JustSaying

                                                          • 4





                                                            This. Ethics and probably law say it's wrong, but even if you don't get directly blamed for looking at your colleague's salary, I can't imagine any positive outcome from this. Most chances are that this would just lead to demotivation, misunderstandings, regrets, judgmental attitude, etc... Some things are better left unknown, for the benefit of everybody.

                                                            – dim
                                                            Jan 5 at 14:44
















                                                          4














                                                          While most answers address the legal and personal ethics, there is also the code of ethics that is established by the relevant professional body/ies in your country or that you may be a member of (personally, I use these despite not being a member).



                                                          In Australia, the relevant body is the Information Technology Professionals Association which is the successor of the System Administrator's Guild of Australia (SAGE-AU). The code of ethics produced by this organisation has been adopted by many professional bodies around the world.



                                                          There is a difference between coming across confidential information in the course of your duties and deliberately accessing confidential information.



                                                          In my opinion, it is unethical to deliberately access information that you haven't been given explicit authority to access. If you are a member of a professional body and they were to find out, then you would have your membership revoked (which could hamper future job applications); if you are not a member then you run the risk of being refused membership if they discover that you have done this (employer or another employee may report you to the body).



                                                          As IT professionals, we are entrusted with confidential information (our privilege) and we must protect that information (our responsibility) from all, including ourselves.






                                                              edited Jan 5 at 21:10









                                                              Peter Mortensen

                                                              answered Jan 5 at 2:28









                                                              Aaron

                                                                  3














                                                                  I am in this exact situation. I automate the invoicing/payroll for a consultancy firm. I have access to the whole accounting software and APIs. This means I am practically in control of all the finances of the company I work for. As an example, I could increase my own paycheck if I wanted to.

                                                                  First things first. Although you have the possibility to check everything you want, don't do it when it is not needed. It is not ethical and you gain nothing from it. Only read, access and modify what you got asked to do or what you think you will need. If in the slightest doubt, ask for permission. (Written, always leave a paper trail.) My contract, and probably yours, will state that disclosing or modifying any of the data will bring in a lot of trouble for me. I cannot recall the exact consequences a.t.m. but I will be fired, fined and a lawsuit may follow.

                                                                  Second. Do not disclose any information that you find while developing this tool to anyone. Not to your colleagues, family, best friend, ... And only report something you have seen to your boss when asked, without an opinion.

                                                                  Third, not workplace related. As pointed out before, when working on a system like this, you have to work with a second development platform that is set up identically to the system you use in production. But use dummy data, especially if you host it locally on your own laptop/PC. In case of theft, hacking, ... the company's data is not at risk. You don't want to be the one responsible for a data breach in a company.

                                                                  Remember, with great power comes great responsibility.

                                                                  If you have any more questions about developing such software and about good practices around this, feel free to ask. I've been in this situation for about 8 months now.






                                                                      answered Jan 7 at 13:17









                                                                      Odysee

                                                                          2














                                                                          Being an IT worker at your company gives you access to data that is confidential, but that does not entitle you to read it. You should treat it no differently than it being a physical file in a cabinet. Just because the filing cabinet is in the same room as you and you have the key, does not mean you should be perusing through it at your leisure. It is morally and ethically wrong, and it may also have legal consequences. Not only would you put your job at risk, but you may be subjecting yourself to prosecution.



                                                                          You should only be accessing data that pertains to your job. If you do happen to come across confidential information during your routine duties, you must never disclose this information to others, or use it for personal gain. There may also be controls on this system that you are not aware of. You should treat your access as if someone is always looking over your shoulder. You may never know that someone is watching over you until you are being marched out of the building by security, so please keep that in mind.



                                                                          As others have said, you should look into having a separate server instance with fake data to develop against. As a developer, there is no reason to test against a live system. If something ever went wrong, you wouldn't want to be the one that people are pointing fingers at.






                                                                              answered Jan 4 at 19:55









Jason Hutchinson
































                                                                                  -3







                                                                                  Depends on what you consider ethically wrong. I for one would be curious and do it when no one is watching, not because it's right or ethical, but because I would want to know if I'm getting shafted with the pay. As the answers above pointed out, I would refrain if specifically requested not to or it's illegal to do so.
















                                                                                  answered Jan 4 at 12:54









BoboDarph









                                                                                  • 8





                                                                                    If I find out that you looked at my salary without my permission and without any need I will do my hardest to get you out of the company. I think my boss will agree with this, so I won’t have to work hard. Even more with GDPR.

                                                                                    – gnasher729
                                                                                    Jan 4 at 14:00






• 10

"Depends on what you consider ethically wrong." - spot on; there are some truths people don't like to hear; like ethics is a personal thing. Legal points are not however - and this would be breaking the law. Anyway, what would you do if you did find out you were being paid less - if you say to your boss "I saw everyone's pay and I want more" their reply will be with a boot.

                                                                                    – UKMonkey
                                                                                    Jan 4 at 14:10






                                                                                  • 2





                                                                                    @paulj, OP was told to work on billing/invoicing, not payroll. IANAL, but pretty sure this would be a violation of GDPR

                                                                                    – cdkMoose
                                                                                    Jan 4 at 18:28






                                                                                  • 1





                                                                                    @paulj what makes you think he's a wage slave; do you know his income? As for what law it breaks, as almost every answer here says, GDPR. I'd put money that it says it in his contract too. As for ethically, most would argue that spying on your colleagues isn't ethical. I suggest you read answers and comments before commenting.

                                                                                    – UKMonkey
                                                                                    Jan 4 at 18:44






• 9

"because I would want to know if I'm getting shafted with the pay." - This is not a valid reason to view sensitive information. This is absolutely horrible advice. If the author has a business need to test something on the production server, the author can view his own information, instead of that of a colleague.

                                                                                    – Ramhound
                                                                                    Jan 4 at 21:08


















