PRIVACY IN THE WORKPLACE

Employers are not always aware of their obligations in relation to privacy in the workplace. The invasion of employee privacy can occur in a number of different ways including through records and information, physical and electronic surveillance and monitoring. In Australia, several different legislative instruments govern how employers deal with employee privacy issues and different rules apply depending on the use of such information prior to and during employment.

From an organisational perspective, the advancement of digital workplaces and technology has increased the amount of information employers can access about employees. In addition, the line between work and employees’ private lives has been considerably blurred in recent times as a result of social media and the breakdown of traditional working hours and modes of work. With this in mind, the right to privacy is likely to be an area of future conflict for both employers and employees, especially where legal parameters are poorly understood. Importantly, the law does not determine what constitutes privacy; rather, it enunciates which situations of privacy will be afforded legal protection, or will be deemed private due to the circumstances.

Information Privacy

The Privacy Act 1988 (Cth) (“Privacy Act”) applies to federal government agencies as well as private sector organisations including bodies corporate who use or disclose personal information in the course of carrying on a business. In March 2014, the Privacy Act was amended to introduce thirteen legally binding Australian Privacy Principles (“APP”) which apply to personal information held by Australian government agencies and most Australian companies. Worthy of note is that personal information handled by a private sector employer is exempt from the APP if it is directly related to:

  • a current or former employment relationship; or
  • an employee record relating to the individual employee concerned.

“Employee record” refers to a record of personal information relating to the employment of a person, such as information about the employee’s:

  • health;
  • engagement, training, disciplining or resignation;
  • terms and conditions of employment;
  • personal and emergency contact details;
  • performance or conduct; or
  • taxation, banking or superannuation affairs.

However, the exemption does not include information otherwise collected about candidates when determining to offer employment. In this respect, employers must ensure that any personal or sensitive information collected about a prospective employee is not used unless the employee consents and the information is reasonably necessary for one or more of the entity’s functions or activities. In addition, employers must ensure that the means of collecting such information is only by lawful and fair means. In most cases, organisations are required to provide candidates with written notification of the intended collection or use of sensitive or personal information including the primary purpose for which the information will be obtained.

Once a job candidate, however, is offered and accepts employment a private sector employer is exempted from the APP in the Privacy Act when handling current and past employee records. This exemption applies as long as the collection and use of the information is for something that is directly related to the employment relationship. The employer is also able to refuse access to personal information for many reasons, including on the basis that giving access would have an unreasonable impact on the privacy of other individuals. As such, this means that an employer does not have to grant an employee access to their employee records under the Privacy Act. Whilst this may be the case legally, even if the employee records exemption does apply, employers should take steps to protect the confidentiality of employee records and review the security systems they have in place to achieve this. In particular, the APP now requires organisations to take such steps as are reasonable in the circumstances to destroy information or de-identify it when it is no longer needed for any permitted purpose. Employers can determine under the new privacy regime how long they keep employee records but it is good practice to destroy those records no longer needed and not required to be kept pursuant to any other applicable legislation, in a timely manner.

In the recent decision of ‘JO’ and Comcare [2016] AICmr 64, an employee of Comcare filed a complaint with the Office of the Australian Information Commissioner after Comcare, in error, disclosed personal information about the employee’s injuries sustained at his current employer, the Department of Defence, to his previous employer, the Department of Human Services, and its insurer, Allianz. The employee argued that Comcare breached his privacy and failed to take reasonable action to protect his information from unauthorised disclosure. In 2013 and 2014, the employee had lodged three workers’ compensation claims with Comcare regarding injuries sustained during his employment with the Department of Defence. In early 2014, the employee also lodged a further workers’ compensation claim with Comcare regarding an injury sustained in his previous employment with the Department of Human Services (“DHS”). Comcare accepted and closed the DHS claim in the same year.

On 2 February 2016, the complainant received an email from Comcare advising that a new pilot program would change the way his current workers’ compensation claim with DHS would be managed. The employee lodged a complaint with Comcare to question why he was being included in the pilot, as he was not a current employee of DHS and did not have a current workers’ compensation claim with DHS or Allianz. Shortly after, Comcare wrote to the employee apologising for a disclosure of the employee’s personal information in relation to his claims against DHS and Allianz. As a result, the employee lodged a complaint with the Office of the Australian Information Commissioner alleging Comcare had disclosed, without permission, details of his workers’ compensation claims.

Comcare did not dispute the claims and stated it was a mistake due to a technical issue. Accordingly, Privacy Commissioner Pilgrim found that Comcare did interfere with the employee’s privacy because the employee did not give consent for the use or disclosure of the information. He awarded the employee $3,000 in damages for the anxiety and distress he suffered as a result of Comcare sharing his personal information. Privacy Commissioner Pilgrim further ordered Comcare to review its quality assurance procedures and develop clear control measures on the personal information that is disclosed in automated bulk file transfers.

It therefore follows that providing training and developing a sound privacy protection and assurance policy can assist employers to demonstrate that they are taking responsible and reasonable steps to comply with the APP, as well as to implement practices, procedures and systems to maintain confidentiality of employee information.

Workplace Surveillance

What has been discussed so far relates predominantly to information privacy and how such information must be treated by employers. What then is the position in relation to information that is neither personal nor sensitive but may be private? Even though a person’s expectation of privacy may not be as extensive in the workplace, is it reasonable for employees to expect some level of protection against unauthorised intrusions by their employer by means of electronic monitoring and surveillance?

The use of surveillance in the workplace is regulated by legislation. In NSW, for example, the Workplace Surveillance Act 2005 (NSW) (“Surveillance Act”) applies to the making of covert video footage of employees within the workplace (such as hidden cameras). In order to use such technologies, including cameras, listening devices, global positioning systems, telephone recorders and the like, employers must comply with strict disclosure and notice obligations prescribed by the Surveillance Act to ensure that employee privacy is maintained. Similar legislative provisions can also be found in Victoria, Western Australia, South Australia, Tasmania and the Northern Territory.

Provided therefore that the mode of surveillance is not covert and is not used in restricted areas (such as bathrooms), it is lawful for an employer to install surveillance systems in the workplace where the following steps have been taken:

  1. The surveillance must not commence without prior notice in writing to the employee;
  2. Written notice must be given at least 14 days before the surveillance commences (unless an employee agrees to a lesser period of notice);
  3. The notice must indicate details of:
    1. The kind of surveillance to be carried out, for example, camera recording;
    2. How the surveillance will be carried out;
    3. When the surveillance will start;
    4. Whether the surveillance will be intermittent or continuous; and
    5. Whether the surveillance will be for a specified period or ongoing.

Email notification is generally considered acceptable under the Surveillance Act for the purposes of an employer complying with the above notice requirements. In addition to these obligations, overt camera surveillance of employees is not permitted to be carried out in NSW unless:

  1. The camera used for the surveillance is clearly visible in the place where the surveillance is taking place; and
  2. Signs notifying people that they may be under surveillance in that place are clearly visible at the entrance to that place.

Where an employer fails to take the appropriate steps before introducing surveillance in the workplace, they may be subject to fines and other penalties. Directors and others involved in the management of the company may also be subject to criminal sanction for breaching the provisions of the Surveillance Act.

Internet Usage and Email

An employee’s activities while using an employer’s computer system are largely unprotected by personal privacy laws other than the notice requirements of the Surveillance Act as set out above. In addition, the employer must have a policy setting out how the surveillance will be conducted and must ensure the employee is notified of the policy in advance of commencement of the surveillance and that they are aware and understand the terms of the policy.

Emails are generally considered to be company property if they are sent using the employer’s computer system. However, only to the extent that the employer has complied with the requirements of the Surveillance Act, employers have the right to monitor and view employee email, so long as they have a valid business purpose for doing so. Many employers now have email systems that copy all email messages as they pass through the system to check for productivity, illegal use, and other issues. In this regard, email is frequently being used as evidence during legal proceedings to prove employee misconduct or wrongdoing. In addition, employers have the right to track the websites visited by their employees, to block employees from visiting specific Internet sites, or to limit the amount of time an employee may spend on specific websites (such as social networking sites). It is advised that if employers want to monitor computer usage they must develop a policy on the use of data surveillance. The policy must outline how data device usage may be monitored and the expectations of employees. Failure to have a policy and to comply with the notification requirements would constitute a breach of the Surveillance Act and place in jeopardy any reliance on information gathered as part of the surveillance in future legal proceedings.

Please note that the discussion regarding the requirements for computer surveillance as governed by the Surveillance Act applies in NSW only, although other states and territories have similar legislation.

Exposure to Employers

Employees employed in private sector businesses with a turnover of over $3 million are entitled to bring a claim for breach of privacy to the Office of the Australian Privacy Commissioner (“OAIC”). The OAIC will review the complaint and, if appropriate, attempt to resolve the complaint by conciliation. An employee may apply to the Federal Court of Australia or the Federal Circuit Court for a review of a decision of the OAIC. Alternatively, an employee may be able to make a general complaint to the NSW Privacy Commissioner who can, if the claim is accepted, attempt to conciliate the matter. An employee may also apply to the NSW Civil and Administrative Tribunal for a review of the decision complained about.

Even though payments awarded to individuals in privacy claims have not been significant in amount, the reputational risk to employers and the cost involved to defend such proceedings and implement reform as part of Court ordered change to business procedures, practices and systems can be significant.

Lesson for Employers

It is important that employers understand their obligations under the privacy laws and ensure their human resources department or relevant managers are provided with training to prevent potential breaches and to ensure company practices operate efficiently. Employers should consider implementing positive covenants in employment contracts that allow the organisation to gather personal information with the consent of the employee and allow the organisation to monitor employees during work. The employment contract also provides a suitable and efficient means of providing the relevant notice required by the legislation.

It is strongly advised that if employers wish to monitor their employees’ actions then it is essential to implement a workplace privacy policy that covers the type of surveillance being used, which devices will be monitored, the people conducting the surveillance (whether it is internal IT) and whether the monitoring will be ongoing or for a short period of time. Workplace policies should also contain a grievance procedure if an employee has concerns regarding a breach of their privacy. Any workplace policy that is introduced should be distributed to each employee and the business should provide training on the policy. It is also important to continue to review and update your policies to ensure they are current and applicable to your business and evolving technologies. For the avoidance of doubt, we suggest obtaining legal advice to ensure your privacy practices are up to date and there are suitable workplace policies to cover these issues.

If you wish to discuss any aspect of this article or require specialist advice or assistance in relation to an employment law issue, please do not hesitate to contact us.

This alert is not intended to constitute, and should not be treated as, legal advice.
