Note: this Reading Guide only covers Australian issues as yet.
Privacy issues arise in the workplace in numerous ways. The general legal approach in most jurisdictions (with two notable exceptions) is to protect employee privacy rights through a mixture of industrial relations regulations and general privacy regulations. The two notable exceptions are the United States and Australia.
United Kingdom Employment Code of Practice (Draft) David Banisar and Sarah Andrews 'Workplace privacy' (2000) 7 PLPR 119 Electronic Frontiers Australia (EFA) 'Model acceptable use policy for employee use of the internet' (2000) 7 PLPR137 15.2. Workplace privacy issues
In the United States certain court decisions have swung the balance in favour of employers, and employees now have only very limited privacy protection (see Nolan). In Australia (at least in the private sector), privacy has been exempted from Federal industrial relations laws, and industrial relations has been exempted from Federal privacy laws. This situation is discussed in detail below.
In the workplace, some specific privacy issue arise in the following areas:
Personal information contained in employee records within Commonwealth Government Departments and Agencies receives the same protection as other personal information under the Privacy Act 1988, and is subject to the IPPs.
Around 5 to 10% of the privacy complaints received by the Office of the Federal Privacy Commissioner which are outside their jurisdiction (ie State matters and private sector matters) each year relate to workplace privacy. No figures are available for the proportion of complaints within jurisdiction which relate to workplace privacy, however, the Commissioner often publishes short abstracts of workplace privacy complaints in thehttp://www.privacy.gov.au/publications/index.html#1 Annual Report.
These abstracts can be a useful guide to the application of the IPPs to the workplace. Some examples:
The case raised a number of legal issues:
(i) whether Comcare was legally entitled to request the information held on her work computer;
(ii) whether the Privacy Act permitted her employer to disclose those documents to Comcare; and
(iii) whether her employer had a right to access the non-work-related documents on her work computer.
In relation to (i) and (ii), the request by Comcare for a copy of documents held on the computer was valid and made in accordance with the relevant legislation, the Safety, Rehabilitation and Compensation Act 1988. That Act requires the employer to comply with such a request and the disclosure to Comcare was therefore permissible under IPP 11.1(d).
In relation to (iii), where a person composes and stores personal information on a computer owned by a third party, in this case the employer, the owner has the right of access to the machine and the information stored on it. The Commissioner concluded that there had been no breach of the complainant's privacy.
The complainant was very sensitive about this issue and was humiliated to discover that his work colleagues knew that he had been seeing a psychiatrist. He felt that his colleagues would assume that he was mentally unstable because he was visiting a psychiatrist.
As the same set of facts gave rise to both the alleged privacy
breach and the exacerbation of an existing Worker'scompensationworker's
compensation claim, it was not possible to separate one claim from the
other. Following negotiations between the agency and the complainant in
relation to both matters, the complainant accepted a confidential settlement,
which included the settlement of his worker's compensation case, together
with some of his legal costs.
The Office of the Federal Privacy Commissioner has also issued http://www.privacy.gov.au/publications/covertsurveillance.pdf
Guidelines on Covert Optical Surveillance in Commonwealth Administration(1992).
15.34.2. The Private Sector
A complete exemption for private sector employee records is contained in the Privacy (Private Sector) Amendment Act 2000, at 7 (B):
(3) An act done, or practice engaged in, by anorganisation that is or was an employer of an individual, is exemptfor the purposes of paragraph 7(1)(ee) if the act or practice is directlyrelated to:
(a) a current or former employment relationship betweenthe employer and the individual; and
(b) an employee record held by the organisation andrelating to the individual."
This exemption does not appear to cover persons who are currently applying for employment or who have applied in the past but have been unsuccessful. This may have been an oversight.
Subclause A has been included to narrow the scope of the exemption slightly. The Attorney General explains:
"The exemption applies to acts or practices directly related to an employee record and a current or former employment relationship. This dual requirement is designed to ensure that employers do not take commercial advantage of the exemption. For example, it will stop an employer selling personal information from employee records to direct marketers. Also, the exemption only applies to employee records held by the employer and does not continue if the employee records are disclosed by the employer to another organisation. For example, if records containing personal information of an employee are disclosed to the employer's insurer for the purposes of workerscompensation workers compensation then those records do not retain their exempt status in the hands of the insurance company."
The Attorney General also announced an Inquiry into existing privacy protections for employees. But no progress has been made with this review as at May 2002 and it is unlikely that anything will happen before the general This review will becomplete by the time of the two year review of the new legislation due after two years (December 2003).
This exemption for employee records is unique in world privacy
laws. It has been heavily criticised by privacy advocates, commentators
and the European
Union. In most other jurisdictions employee records receive at least
the same protection as other personal records. In some jurisdictions, notably
the US, Safe harbour arrangement with the European Union, employee records
receive an additional layer of protection.
15.34.3. Email Use
The Office of the Federal Privacy Commissioner has published Guidelines on Workplace Email, Web Browsing and Privacy.
The Privacy Commissioner's Guidelines do not have the force of legislation, and are very general. As noted above, mMore detailed regulation of workplace email monitoring is being developed in the United Kingdom and in Hong Kong. The anticipated New South Wales regulation legislation (see below) is also expected to set a higher standard for protecting privacy in workplace emails.
The OFPC Guidelines are designed to assist organisations to develop policies or improve their existing policies. They state:
1. The policy should be promulgated to staff and management should ensure that it is known and understood by staff. Ideally the policy should be linked from a screen that the user sees when they logon to the network.
2. The policy should be explicit as to what activities are permitted and forbidden. While it is up to each organisation to determine what itconsiders to be appropriate use of its system, to simply say that all activity must be "work-related" may not be clear. There may be scope for guidelines outlining what personal use of email both within the organisation and externally is appropriate. Other activities may be specifically prohibited, eg. the use of email to harass, defame or disclose information, or to transmit pornography.
The policy should refer to any relevant legislation. The Sex, Race and Disability Discrimination Acts and workplace relations law apply in both the public and private sectors. In particular, employers should be aware of their obligations under these Acts to protect their employees against sexual harassment, racial vilification and other forms of unlawful discrimination which could occur through email and Internet use.
3. The policy should clearly set out what information is logged and who in the organisation has rights to access the logs and content of staff email and browsing activities.
Staff email boxes will normally contain the emails they have sent andreceived. Back-ups and archives may also contain copies of emails that have been deleted by the user. As well as the actual content of messages, the date and time the message was transmitted, received and opened and the email addresses of the sender andrecipients will normally be recorded.
Normally, access rights to staff mail boxes and logs would be restricted to those with the responsibility for administering the system. Such access should beas limited as possible and who has access rights should be clearly set out in the policy.
4. The policy should refer to the organisation's computer security policy. Improper use of email may pose a threat to system security, the privacy of staff and others and the legal liability of the organisation.
5. The policy should outline, in plain English, how theorganisation intends to monitor or audit staff compliance with its rules relating to acceptable use of email and web browsing.
6. The policy should be reviewed on a regular basis in order to keepup with the accelerating development of the Internet and Information Technology.
For an example of a useful email policy for employees, see the Model Acceptable Use Policy developed by the Electronic Frontiers Australia.
15.34.4. Internet use
There is a growing trend for employers to monitor the Internet use of employees beyond email use as described above. (see Schulman article in (2001) 8 PLPR 49) Software is available which is specifically designed to monitor employee web browsing and warn the employer if too much time is being spent on irrelevant or inappropriate sites.
Even without this software, employers can monitor employee web browsing activities through access logs. However, there has only been limited legal consideration of this issue to date.
15.54. Australian State Legislation
The Privacy and Personal Information Protection Act 1998 (NSW) covers information held on employees by the public sector except for `information or an opinion about an individual's suitability for appointment or employment as a public sector official' (which is exempt from definition of personal information at s4(3)(j)).
There are also specific laws and codes guidelines in NSW which impact on workplace surveillance. These include:
The original Terms of Reference for the Inquiry were:
o the need to regulate the use of visual surveillance equipment, and any related matter.
o the views and interests of users of surveillance technology, including law enforcement agencies, private investigators, and owners of private premises, such as banks, service stations and shops;
o the use of surveillance technology in public places.
The Inquiry was widened to include workplace surveillance issues in 2000. The interim report is a comprehensive review of overt and covert surveillance practices involving the full range of technology (including video, audio, computer monitoring and tracking devices). The Commission recommends a broad new Surveillance Act to replace both the Listening Devices Act 1984 and the Workplace Video Surveillance Act 1998, following the approach in the latter law of requiring judicial warrants for covert surveillance and compliance with privacy principles for overt or `announced' surveillance.
As reported in (2001) 8(2) PLPR 48, the NSW Attorney-General has already foreshadowed the government's acceptance of the need for a broader workplace surveillance law. expected to include significant newregulations for the use of surveillance technologies in the workplace,including email and web use.
The InformationPrivacy Act 2000 (Vic) applies to employee records in the public sector.
Like NSW, Victoria also has more specific legislation on workplace surveillance. The Surveillance Devices Act 1999 (Vic) regulates the installation, use and maintenance of surveillance devices. It also:
The provision for monitoring input and output from a person's computer would presumably cover the flow of email traffic - though this is not made explicit. However, this provision only covers activities of law enforcement officers, and so would have minimal impact on the workplace (except in investigations, where law enforcement officers could monitor with authority of a warrant).
15.65. Do industrial relations laws protect privacy?
"Section 89A of the Workplace Relations Act 1996 (Cth) restricts the jurisdiction of theAustralian Industrial Relations Commission (AIRC) to 20 `allowable matters'. Not included in this catalogue is anything to do with employee privacy. The rationale of this limitation is to compel employment terms and conditions beyond the minimum safety net to be the subject of enterprise based negotiations and included in certified agreements. Accordingly, the `safety net' award system at the Commonwealth level is not well suited to deal with privacy related matters. In some state jurisdictions, however, the scope of industrial tribunals to deal with privacy concerns is not so circumscribed."The leading Australian case is the Ansett Case: Australian Municipal, Administrative, Clerical and Services Union v Ansett Australia Ltd.
On 7 April 2000 the Federal Court considered an allegation that an employee had been sacked after distributing a union bulletin via Ansett's office email system. Ansett claimed the employee had breached its IT policy which stated that employees could only use email for authorisedauthorized lawful business activities.
The action against Ansett was based on an alleged breach of the freedom of association provisions of the Workplace Relations Act1996 (Cth) ("the WR Act"), when it dismissed the employee for a "prohibited reason". The prohibited reason was allegedly dismissing the employee because she was a union delegate. The email in question was in fact a message to union members on the current state of enterprise bargaining.
The decision appears critical of the vagueness of the IT policy. Defining "authorised lawful business activities" depends largely on individual circumstances, and in this case the Court accepted that Ansett's involvement in enterprise bargaining meant that staff could circulate union material relating to those negotiations.
The case sends a clear message to industry to set out clear and unambiguous policies on what constitutes acceptable use of the office email system.
The Court's findings provide useful guidance to employers. From the judgment it appears clear that employers wishing to dismiss employees for "email misconduct" must:
15.76. Drug Testing
Drug testing in the workplace is as much a `bodily privacy' issue as
it is an information privacy matter, and information privacy laws are at
best an indirect and blunt way of dealing with the intrusion involved.
Nevertheless, to the extent that records are inevitably kept of test results,
all the privacy principles, but especially fair collection, necessity,
and proportionality, can be used to challenge the scope of testing as well
as to ensure accountability.
The issue of random drug testing of employees appeared before the Australian courts in BHP Iron Ore Pty Ltd v Construction, Mining, Energy, Timberyards Sawmills and Woodworkers Union of Australia Western Australian Branch . A program of random drug testing was proposed by BHP after extensive discussion with unions and employees but was opposed by the CFMEU. The Tribunal noted:
"The most controversial aspect of the Programme is that part which involves testing for drugs. In essence, the Programme requires that an employee, as a condition of employment, submit to random testing of a sample of the employee's urine. If such a test proves positive the employee concerned, on the first occasion, is liable to be sent home on paid special leave; on a second occasion within a period of two years, is liable to be sent home on unpaid special leave; and on the third occasion within the same period, further employment of the employee with the Company will be the subject of discussions."
BHP argued successfully that the program was necessary to enable it to satisfy its obligations under the Mines Safety and Inspection Act 1994 (WA) and the Regulations, and to enable it to satisfy its common law duty to provide its employees with a safe workplace.
BHP acknowledged the privacy concerns raised by the CFMEU and pointed to strict security measures designed to avoid publication of any test result and any other information given as part of the program, including information regarding prescription drugs.
15.78. Out of hours and out of workplace activity
There is of course no neat and tidy definition of workplace or
of working time - increasingly employees are expected to perform work related
activities while at home, while commuting and even while on holiday. This
trend raises difficult issues about the legitimacy and extent of employers
intrusion into employees' out of hours, and out of workplace activities.
These issues are compounded by the provision of communications infrastructure
(mobile phones and computers) by employers which employees are allowed
to use fro private purposes. Drawing lines between appropriate monitoring
of work use but not unreasonably intruding on private lives can be complex.
Both the UK and draft Hong Kong Codes of Practice already mentioned discuss
this issue in detail
Again, Nolan is athe most useful resource on this topic.
In Rose v Telstra (unreported, AIRC, Vice President Ross,4 December 1998 Print Q9292) an application for unfair dismissal under s170CE of the Workplace Relations Act 1996 (Cth) was heard by the Commission.
Mr Rose was dismissed following an incident which took place while on assignment in Armidale NSW. He became involved in a fight with a Telstra colleague after a night of drinking at the hotel where they were staying. The police were called and Mr Rose's colleague was taken into custody. At the time of the incident neither Mr Rose nor his colleague were in their Telstra uniforms, nor were they `on call'.
On 1 April 1998 Mr Rose was advised that he had been found guilty of improper conduct and his employment was terminated. Telstra had distributed to all its employees a document entitled `Our Company Values and Our Code of Conduct'. Under the heading `Outside Employment and Other Activities' the Code states:
"We should avoid outside activity likely to affect adversely either our work or someone else's (for example, in terms of occupational health and safety), or which could discredit either ourselves or our Company, or which could conflict with the Company interests."The Commission considered the circumstances in which out of hours conduct may result in adverse consequences for a person's employment. Those limited circumstances are:
Applying these tests, The Commission concluded that Mr Rose's conduct on the night in question lacked the requisite connection to his employment and therefore it did not provide a valid reason for his termination. The incident in question took place outside of working hours. At the relevant time neither Mr Rose nor Mr Mitchell were in their Telstra uniforms, nor were they `on call'. The incident did not take place in what could be regarded as a public place but rather inside a hotel room that the men shared.
While this course is not designed to include acomprehensive overview of international laws on privacy and surveillance in the workplace, it should benoted that international developments have generally been more privacypositive than developments in Australia.
 Western Australian Industrial Relations Commission 130 (WAIRC) (19 June1998)
 See also Australian Railway Union of Workers, West Australian Branch and Ors v West Australian Government Railways Commission WAIRC Beech C, 20 January1999 commercialisation of employee data.