[Previous] [Next] [Title]

15. Workplace privacy issues


Chris Connolly, 17 May 2001 Updated by Nigel Waters 23 May 2002

Note: this Reading Guide only covers Australian issues as yet.


 

15.1. Resources

  •  United Kingdom Employment Code of Practice (Draft)
  • David Banisar and Sarah Andrews 'Workplace privacy' (2000) 7 PLPR 119
  • Electronic Frontiers Australia (EFA) 'Model acceptable use policy for employee use of the internet' (2000) 7 PLPR137
  • 15.2. Workplace privacy issues
  • Privacy issues arise in the workplace in numerous ways. The general legal approach in most jurisdictions (with two notable exceptions) is to protect employee privacy rights through a mixture of industrial relations regulations and general privacy regulations. The two notable exceptions are the United States and Australia.
     
     

    In the United States certain court decisions have swung the balance in favour of employers, and employees now have only very limited privacy protection (see Nolan). In Australia (at least in the private sector), privacy has been exempted from Federal industrial relations laws, and industrial relations has been exempted from Federal privacy laws. This situation is discussed in detail below.

    In the workplace, some specific privacy issue arise in the following areas:

    While this course is not designed to include a comprehensive overview of international laws on privacy and surveillance in the workplace, it should be noted that international developments have generally been more privacy positive, and more advanced, than developments in Australia. 15.43.1. The Public Sector

    Personal information contained in employee records within Commonwealth Government Departments and Agencies receives the same protection as other personal information under the Privacy Act 1988, and is subject to the IPPs.

    Around 5 to 10% of the privacy complaints received by the Office of the Federal Privacy Commissioner which are outside their jurisdiction (ie State matters and private sector matters) each year relate to workplace privacy. No figures are available for the proportion of complaints within jurisdiction which relate to workplace privacy, however, the Commissioner often publishes short abstracts of workplace privacy complaints in thehttp://www.privacy.gov.au/publications/index.html#1 Annual Report.

    These abstracts can be a useful guide to the application of the IPPs to the workplace. Some examples:

    1999 Annual Report - Access to documents on a work computer

    The complainant was a full-time employee of a government agency and stored some personal documents on her work computer. Her employer queried her absences from work and the complainant then lodged a workers' compensation claim. The claim was passed to Comcare for assessment and, at Comcare's request, the agency provided copies of documents held on the work computer. These contained intimate information concerning the complainant's health and the birth of her child.

     The case raised a number of legal issues:

     (i) whether Comcare was legally entitled to request the information held on her work computer;

     (ii) whether the Privacy Act permitted her employer to disclose those documents to Comcare; and

     (iii) whether her employer had a right to access the non-work-related documents on her work computer.

     In relation to (i) and (ii), the request by Comcare for a copy of documents held on the computer was valid and made in accordance with the relevant legislation, the Safety, Rehabilitation and Compensation Act 1988. That Act requires the employer to comply with such a request and the disclosure to Comcare was therefore permissible under IPP 11.1(d).

     In relation to (iii), where a person composes and stores personal information on a computer owned by a third party, in this case the employer, the owner has the right of access to the machine and the information stored on it. The Commissioner concluded that there had been no breach of the complainant's privacy.

    1998 Annual Report - Disclosure of medical information to internal staff

    Information that the complainant was undergoing psychiatric examination as part of a compensation claim was provided to a number of staff within a government agency by letter and e-mail. IPP 10 requires that this type of personal information is only to be used for the particular purpose for which it was collected. As the information was collected as part of a compensation claim, it should have only been passed to other staff who had a need to be informed, such as the staff who were processing the compensation claim and the complainant's supervisor. It was not necessary to pass this information onto the complainant's colleagues as they did not need to know the actual reason for his absence from work.

     The complainant was very sensitive about this issue and was humiliated to discover that his work colleagues knew that he had been seeing a psychiatrist. He felt that his colleagues would assume that he was mentally unstable because he was visiting a psychiatrist.

     As the same set of facts gave rise to both the alleged privacy breach and the exacerbation of an existing Worker'scompensationworker's compensation claim, it was not possible to separate one claim from the other. Following negotiations between the agency and the complainant in relation to both matters, the complainant accepted a confidential settlement, which included the settlement of his worker's compensation case, together with some of his legal costs.
     
     

    The Office of the Federal Privacy Commissioner has also issued http://www.privacy.gov.au/publications/covertsurveillance.pdf Guidelines on Covert Optical Surveillance in Commonwealth Administration(1992).
     
     

    15.34.2. The Private Sector

    A complete exemption for private sector employee records is contained in the Privacy (Private Sector) Amendment Act 2000, at 7 (B):

     Employee records

     (3) An act done, or practice engaged in, by anorganisation that is or was an employer of an individual, is exemptfor the purposes of paragraph 7(1)(ee) if the act or practice is directlyrelated to:

     (a) a current or former employment relationship betweenthe employer and the individual; and

     (b) an employee record held by the organisation andrelating to the individual."

     This exemption does not appear to cover persons who are currently applying for employment or who have applied in the past but have been unsuccessful. This may have been an oversight.

    Subclause A has been included to narrow the scope of the exemption slightly. The Attorney General explains:

     "The exemption applies to acts or practices directly related to an employee record and a current or former employment relationship. This dual requirement is designed to ensure that employers do not take commercial advantage of the exemption. For example, it will stop an employer selling personal information from employee records to direct marketers. Also, the exemption only applies to employee records held by the employer and does not continue if the employee records are disclosed by the employer to another organisation. For example, if records containing personal information of an employee are disclosed to the employer's insurer for the purposes of workerscompensation workers compensation then those records do not retain their exempt status in the hands of the insurance company."

     The Attorney General also announced an Inquiry into existing privacy protections for employees. But no progress has been made with this review as at May 2002 and it is unlikely that anything will happen before the general This review will becomplete by the time of the two year review of the new legislation due after two years (December 2003).

     This exemption for employee records is unique in world privacy laws. It has been heavily criticised by privacy advocates, commentators and the European Union. In most other jurisdictions employee records receive at least the same protection as other personal records. In some jurisdictions, notably the US, Safe harbour arrangement with the European Union, employee records receive an additional layer of protection.
     
     

    15.34.3. Email Use

    The Office of the Federal Privacy Commissioner has published Guidelines on Workplace Email, Web Browsing and Privacy.

    The Privacy Commissioner's Guidelines do not have the force of legislation, and are very general. As noted above, mMore detailed regulation of workplace email monitoring is being developed in the United Kingdom[1] and in Hong Kong[2]. The anticipated New South Wales regulation legislation (see below) is also expected to set a higher standard for protecting privacy in workplace emails.

     The OFPC Guidelines are designed to assist organisations to develop policies or improve their existing policies. They state:

    1. The policy should be promulgated to staff and management should ensure that it is known and understood by staff. Ideally the policy should be linked from a screen that the user sees when they logon to the network.

    2. The policy should be explicit as to what activities are permitted and forbidden. While it is up to each organisation to determine what itconsiders to be appropriate use of its system, to simply say that all activity must be "work-related" may not be clear. There may be scope for guidelines outlining what personal use of email both within the organisation and externally is appropriate. Other activities may be specifically prohibited, eg. the use of email to harass, defame or disclose information, or to transmit pornography.

     The policy should refer to any relevant legislation. The Sex, Race and Disability Discrimination Acts and workplace relations law apply in both the public and private sectors. In particular, employers should be aware of their obligations under these Acts to protect their employees against sexual harassment, racial vilification and other forms of unlawful discrimination which could occur through email and Internet use.

    3. The policy should clearly set out what information is logged and who in the organisation has rights to access the logs and content of staff email and browsing activities.

    Staff email boxes will normally contain the emails they have sent andreceived. Back-ups and archives may also contain copies of emails that have been deleted by the user. As well as the actual content of messages, the date and time the message was transmitted, received and opened and the email addresses of the sender andrecipients will normally be recorded.

    Normally, access rights to staff mail boxes and logs would be restricted to those with the responsibility for administering the system. Such access should beas limited as possible and who has access rights should be clearly set out in the policy.

    4. The policy should refer to the organisation's computer security policy. Improper use of email may pose a threat to system security, the privacy of staff and others and the legal liability of the organisation.

    5. The policy should outline, in plain English, how theorganisation intends to monitor or audit staff compliance with its rules relating to acceptable use of email and web browsing.

    6. The policy should be reviewed on a regular basis in order to keepup with the accelerating development of the Internet and Information Technology.

    For an example of a useful email policy for employees, see the Model Acceptable Use Policy developed by the Electronic Frontiers Australia.

    15.34.4. Internet use

    There is a growing trend for employers to monitor the Internet use of employees beyond email use as described above. (see Schulman article in (2001) 8 PLPR 49) Software is available which is specifically designed to monitor employee web browsing and warn the employer if too much time is being spent on irrelevant or inappropriate sites.

    Even without this software, employers can monitor employee web browsing activities through access logs. However, there has only been limited legal consideration of this issue to date.

     15.54. Australian State Legislation

    15.54.1. NSW

    The Privacy and Personal Information Protection Act 1998 (NSW) covers information held on employees by the public sector except for `information or an opinion about an individual's suitability for appointment or employment as a public sector official' (which is exempt from definition of personal information at s4(3)(j)).

     There are also specific laws and codes guidelines in NSW which impact on workplace surveillance. These include:

    The NSW Law Reform Commission is completed an interim report on all forms of surveillance in itsInquiry into surveillance in the very near futureFebruary 2001, after a lengthy inquiry (see Issues Paper no 12 1997) but the report was only finally released in December 2001. The progress of thatinquiry has included the release of Issues Paper no 12 1997 on Surveillance.

    The original Terms of Reference for the Inquiry were:


    The Inquiry was widened to include workplace surveillance issues in 2000. The interim report  is a comprehensive review of overt and covert surveillance practices involving the full range of technology (including video, audio, computer monitoring and tracking devices). The Commission recommends a broad new Surveillance Act to replace both the Listening Devices Act 1984 and the Workplace Video Surveillance Act 1998, following the approach in the latter law of requiring judicial warrants for covert surveillance and compliance with privacy principles for overt or `announced' surveillance.

    As reported in (2001) 8(2) PLPR 48, the NSW Attorney-General has already foreshadowed the government's acceptance of the need for a broader workplace surveillance law. expected to include significant newregulations for the use of surveillance technologies in the workplace,including email and web use.

    15.45.2. Victoria

    The InformationPrivacy Act 2000 (Vic) applies to employee records in the public sector.

     Like NSW, Victoria also has more specific legislation on workplace surveillance. The Surveillance Devices Act 1999 (Vic) regulates the installation, use and maintenance of surveillance devices. It also:

    In general the Act prohibits the use of listening devices and optical surveillance devices to record private conversation or activity without the consent of each party involved. The Act also restricts the use of tracking devices to record the location of a person/object without that person's knowledge, and the use of data surveillance devices (by law enforcement officers only) to monitor input and output from a computer without the person's knowledge.

    The provision for monitoring input and output from a person's computer would presumably cover the flow of email traffic - though this is not made explicit. However, this provision only covers activities of law enforcement officers, and so would have minimal impact on the workplace (except in investigations, where law enforcement officers could monitor with authority of a warrant).

    15.65. Do industrial relations laws protect privacy?

     Australia's federal industrial relations regime does not protect the privacy of employees, unless a privacy policy or arrangement has been made between the employer and employees in a specific workplace. Nolan states:

    "Section 89A of the Workplace Relations Act 1996 (Cth) restricts the jurisdiction of theAustralian Industrial Relations Commission (AIRC) to 20 `allowable matters'. Not included in this catalogue is anything to do with employee privacy. The rationale of this limitation is to compel employment terms and conditions beyond the minimum safety net to be the subject of enterprise based negotiations and included in certified agreements. Accordingly, the `safety net' award system at the Commonwealth level is not well suited to deal with privacy related matters. In some state jurisdictions, however, the scope of industrial tribunals to deal with privacy concerns is not so circumscribed."
    The leading Australian case is the Ansett Case: Australian Municipal, Administrative, Clerical and Services Union v Ansett Australia Ltd.

    On 7 April 2000 the Federal Court considered an allegation that an employee had been sacked after distributing a union bulletin via Ansett's office email system. Ansett claimed the employee had breached its IT policy which stated that employees could only use email for authorisedauthorized lawful business activities.

    The action against Ansett was based on an alleged breach of the freedom of association provisions of the Workplace Relations Act1996 (Cth) ("the WR Act"), when it dismissed the employee for a "prohibited reason". The prohibited reason was allegedly dismissing the employee because she was a union delegate. The email in question was in fact a message to union members on the current state of enterprise bargaining.

    The decision appears critical of the vagueness of the IT policy. Defining "authorised lawful business activities" depends largely on individual circumstances, and in this case the Court accepted that Ansett's involvement in enterprise bargaining meant that staff could circulate union material relating to those negotiations.

     The case sends a clear message to industry to set out clear and unambiguous policies on what constitutes acceptable use of the office email system.

     The Court's findings provide useful guidance to employers. From the judgment it appears clear that employers wishing to dismiss employees for "email misconduct" must:

    The case coincided with the release of the Office of the Privacy Commissioner's "Guidelines on Workplace Email, Web Browsing and Privacy" already mentioned above. Although the guidelines stop short of promoting restrictions on privacy intrusive behaviour by business, they complement the Court's decision by encouraging businesses to set out explicit policies on email use.

     15.76. Drug Testing
     
     

    Drug testing in the workplace is as much a `bodily privacy' issue as it is an information privacy matter, and information privacy laws are at best an indirect and blunt way of dealing with the intrusion involved. Nevertheless, to the extent that records are inevitably kept of test results, all the privacy principles, but especially fair collection, necessity, and proportionality, can be used to challenge the scope of testing as well as to ensure accountability.
     
     

    The issue of random drug testing of employees appeared before the Australian courts in BHP Iron Ore Pty Ltd v Construction, Mining, Energy, Timberyards Sawmills and Woodworkers Union of Australia Western Australian Branch [1998][3]. A program of random drug testing was proposed by BHP after extensive discussion with unions and employees but was opposed by the CFMEU. The Tribunal noted:

     "The most controversial aspect of the Programme is that part which involves testing for drugs. In essence, the Programme requires that an employee, as a condition of employment, submit to random testing of a sample of the employee's urine. If such a test proves positive the employee concerned, on the first occasion, is liable to be sent home on paid special leave; on a second occasion within a period of two years, is liable to be sent home on unpaid special leave; and on the third occasion within the same period, further employment of the employee with the Company will be the subject of discussions."

     BHP argued successfully that the program was necessary to enable it to satisfy its obligations under the Mines Safety and Inspection Act 1994 (WA) and the Regulations, and to enable it to satisfy its common law duty to provide its employees with a safe workplace.

    BHP acknowledged the privacy concerns raised by the CFMEU and pointed to strict security measures designed to avoid publication of any test result and any other information given as part of the program, including information regarding prescription drugs.[4]

     15.78. Out of hours and out of workplace activity

     There is of course no neat and tidy definition of workplace or of working time - increasingly employees are expected to perform work related activities while at home, while commuting and even while on holiday. This trend raises difficult issues about the legitimacy and extent of employers intrusion into employees' out of hours, and out of workplace activities. These issues are compounded by the provision of communications infrastructure (mobile phones and computers) by employers which employees are allowed to use fro private purposes. Drawing lines between appropriate monitoring of work use but not unreasonably intruding on private lives can be complex. Both the UK and draft Hong Kong Codes of Practice already mentioned discuss this issue in detail
     
     

    Again, Nolan is athe most useful resource on this topic.

     In Rose v Telstra (unreported, AIRC, Vice President Ross,4 December 1998 Print Q9292) an application for unfair dismissal under s170CE of the Workplace Relations Act 1996 (Cth) was heard by the Commission.

     Mr Rose was dismissed following an incident which took place while on assignment in Armidale NSW. He became involved in a fight with a Telstra colleague after a night of drinking at the hotel where they were staying. The police were called and Mr Rose's colleague was taken into custody. At the time of the incident neither Mr Rose nor his colleague were in their Telstra uniforms, nor were they `on call'.

     On 1 April 1998 Mr Rose was advised that he had been found guilty of improper conduct and his employment was terminated. Telstra had distributed to all its employees a document entitled `Our Company Values and Our Code of Conduct'. Under the heading `Outside Employment and Other Activities' the Code states:

    "We should avoid outside activity likely to affect adversely either our work or someone else's (for example, in terms of occupational health and safety), or which could discredit either ourselves or our Company, or which could conflict with the Company interests."
    The Commission considered the circumstances in which out of hours conduct may result in adverse consequences for a person's employment. Those limited circumstances are: His Honour summarised this as `[i]n essence the conduct complained of must be of such gravity or importance as to indicate a rejection or repudiation of the employment contract by the employee' [para 30].

     Applying these tests, The Commission concluded that Mr Rose's conduct on the night in question lacked the requisite connection to his employment and therefore it did not provide a valid reason for his termination. The incident in question took place outside of working hours. At the relevant time neither Mr Rose nor Mr Mitchell were in their Telstra uniforms, nor were they `on call'. The incident did not take place in what could be regarded as a public place but rather inside a hotel room that the men shared.

    15.8. Internationalprotection

     While this course is not designed to include acomprehensive overview of international laws on privacy and surveillance in the workplace, it should benoted that international developments have generally been more privacypositive than developments in Australia.


    [Previous] [Next] [Title]