Posted on: Aug 26, 2013
This case acts as a reminder for employers to be aware of the Privacy Act when conducting employment investigations.
As part of an employment investigation, an employer collected personal information from a man’s work computer. The information collected included emails sent to and from the work computer, as well as key stroke logs for the computer. The employer used information collected from key stroke logging to access the man’s personal web-based email account and copy several emails.
The man complained to the Privacy Commission about the information his employer had collected.
The Commissioner considered that separate issues were raised for the two different types of information collected: information collected directly from the work computer, and information collected from the man’s personal email account.
Information collected directly from the work computer
The Commissioner was satisfied that this action complied with the Privacy Act. This was because, in both the employment agreement and the employee manual, the employer had clearly set out that work computers would be subject to monitoring. However, the Commissioner considered that the collection of key stroke information raised issues under principle 3 of the Privacy Act.
Principle 3(1) sets out that where an agency collects information from an individual, the agency must take such steps as are, in the circumstances, reasonable to ensure that the individual is aware of a number of things, including the fact that information is being collected.
The policies set out in the agreement and manual were not explicit enough to make staff aware that such detailed information was being collected. On this basis the Commissioner considered that the employer had breached principle 3 in collecting key stroke information.
Information collected from the personal email account
Using the password it obtained from key stroke information, the employer accessed the man’s personal email account. The Commissioner considered this raised issues under principles 1, 3 and 4 of the Privacy Act, which are outlined below.
Principle 1 sets out that agencies must not collect personal information unless it’s for a lawful purpose connected with the functions or activities of the agency, and collection is necessary for that purpose.
When the employer accessed the man’s personal email account, it was able to obtain information in relation to a significant number of emails sent over a period of several years.
This went well beyond any information that may have been relevant to the employment investigation. The Commissioner formed the view that the employer had breached principle 1, because the collection was unnecessary and disproportionate to the employer’s needs.
The Commissioner was also satisfied that the employer’s policies were not explicit enough to make an employee aware that if they entered a password into the computer, the employer would be able to use this information, and therefore formed the view that this also breached principle 3.
Principle 4 requires that personal information shall not be collected by unlawful means, or means which, given the circumstances, are unfair or unreasonably intrusive.
Principle 4 is concerned with the method of collection. The Commissioner considered that an individual’s personal email account attracts a high expectation of privacy and it would require exceptional circumstances to justify an employer directly accessing it.
This case was not considered to include exceptional circumstances, and so this method of collection was unreasonably intrusive and in breach of principle 4.
The Commissioner advised the employer of their views. The man and his employer attended mediation, were able to reach a settlement, and the complaint was closed.
Case note 229558  NZ PrivCmr 1