This can only end badly... And for you. Talk to your boss and her boss if they're not the same person. Say you've noticed someone has been going through your stuff, and you've heard from other people it is this person. Let them then either call the person in and deal with it or pass it over to HR. Keep doing what you're doing and you might find yourself on the wrong end of a disciplinary notice/hearing for installing some kind of unauthorized software on company computers or possibly even criminal charges along the lines of illegal wiretapping.
I know we all like to bemoan the bureaucratic red tape, and how we wish we could just get things done, but the simple fact is that that red tape is there for a reason. All those stupid warnings you see on products, like don't use a hairdrier in the shower, are because someone sued after doing that. Same basic principle applies to most HR policies. It's not quite like the Dilbert comic where there's someone in the HR department who sits around all day coming up with new policies just to torment people. Virtually every policy has some kind of an origin in either your company, or several companies in the past, having been bitten in the ****.
So, I cannot stress this enough that you should cease and desist IMMEDIATELY. Hopefully you haven't told any of your coworkers what you're doing, but if you have, make sure to tell them you decided it wasn't worth it. If the company officials aren't willing to do anything, then you can either choose to just live with this person's "habit" or you could risk confronting them, though then they may claim you're making false accusations against them without any proof, that it's harassment, etc. You're kind of in a no-win situation in the event the company won't do anything and others won't come forward to corroborate your story. It sucks, and for what it's worth, I am certainly empathetic to your situation. I'm kind of a private person myself, and don't like people going through my stuff or eavesdropping on conversations... Even if the content is completely innocuous. But this will only end badly for you if you continue, so one last time I will strongly encourage you to stop immediately if not sooner.
I have an employee that constantly goes through my desk, so I'm told and looks through all of my stuff. None of her co-workers want to officially sign any paperwork ratting her out. What I'd like to do is leave some bait on or in my desk. My idea was to create a DVD with an autorun.inf file on it that just simply copies the another file on the disc to our network drive mapped for each employee to z:. If I come in and that file is on the drive I know she snooped. Or at least, I'll be able to by the time frame narrow down that she took the disc off my desk and put it in hers.
I've made a few DVD's with two files on them;
autorun.inf
and
send.bat (I could just grab any file but grabbed that one.
Both are in the root of my DVD but it doesn't work on any of our XP computers. It doesn't send the file.
INF Below;
[autorun]
copy source=send.bat
destination=z:\send.bat
Any thoughts on either how to make this work or some other options? I also thought about making the autorun send a system message to my computer which would be 'locked' but still receive system messages.
Thanks for your help.

Chowhound
Comic Vine
GameFAQs
GameSpot
Giant Bomb
TechRepublic