Facebook and employee privacy

10 minute read 09.11.2016 Dan Williams, Craig Boyle, Cathy Lyndon

Last week, in Jurecek v Director, Transport Safety Victoria [2016] VSC 285, the Victorian Supreme Court considered difficult issues when dealing with claims by a public sector employee that her employer had breached the Information Privacy Principles (IPPs) contained in the (then current) Victorian Information Privacy Act 2000, when it accessed her Facebook posts without her knowledge as part of a disciplinary investigation.

The IPPs, which are also contained in the Privacy and Data Protection Act 2014 that replaced the 2000 Act, apply to Victorian public sector entities and agencies.

In Jurecek, the employer was successful in defending the allegations. However, the case highlights the potential broad reach of privacy laws in their application to public sector employers who gather information about their employees and all employers who gather information about prospective employees or other individuals, including for the purposes of legitimate investigations. The case is also a reminder that similar issues can arise in relation to information collected from social media in a recruitment process.

What was the case about?

A Victorian public sector employee had been experiencing issues at work, including alleged bullying and stress, and had been discussing these issues via posts and chats with a work colleague on Facebook. The employee used a Facebook account under a pseudonym, and some of the Facebook posts involved inappropriate and abusive comments about her work colleagues.

The employee then posted a lengthy and abusive post on her work colleague's Facebook wall. The colleague reported the Facebook posts to their employer, who conducted a disciplinary investigation. The investigation process included human resource staff and an external investigator conducting Google and Facebook searches for the employee’s Facebook account and posts, and accessing the employee’s Facebook posts and chats from a Facebook friend’s pages.

The employer did not tell the employee it had collected information from her Facebook account until she was issued with a ‘Notice of Investigation’ letter.

The employee claimed the employer breached a number of IPPs by:

‘unfairly, intrusively and secretly’ collecting the employee’s personal information obtained from her Facebook account (IPP 1.2);
collecting personal information that was not necessary for one of the employer’s functions and activities (IPP 1.1);
failing to notify the employee of the collection of her personal information at the time it was collected (IPP 1.3); and
failing to attempt to collect the personal information directly from the employee in the first instance (IPP 1.4).

The employer argued that the employee's Facebook posts were 'generally available publications' rather than 'personal information' and were therefore not subject to the IPPs.

What did the Supreme Court say?

Social media posts using a pseudonym may constitute 'personal information'

As the employer was able to ascertain the identity of the employee (who made the relevant Facebook posts through a pseudonym account) through extraneous materials, including using a chain of related information which, when combined, identified the employee, the information was identifiable. Therefore the opinions she expressed to hold about her colleagues constituted 'personal information' as defined in the IP Act, as her employer could attribute them to her.

Social media posts may not be a 'generally available publication'

The employee's Facebook chats and posts did not constitute a 'generally available publication', because the term only covers information which can be accessed by most of the general public Information only accessible by those with particular skills in searching for information on social media was not within the exemption (which is particular to the Victorian legislation). In this case, the information posted by the employee was difficult to access due to her use of a pseudonym and application of privacy settings, amongst other things.

Collection of personal information from Facebook for the purpose of a workplace investigation did not breach the IPPs

In this particular case, the manner in which the employer collected the employee's personal information from Facebook did not breach the IPPs.
Drawing on international human rights principles, Bell J indicated that there is no absolute protection from interference with personal privacy, but rather that privacy legislation protects against being subjected to arbitrary or unlawful interferences to privacy.
In the circumstances, the collection of the employee’s personal information from her Facebook account was 'necessary' for the employer to conduct the misconduct investigation. The Court clarified that the collection of personal information will be 'necessary' as part of the functions or activities of an organisation covered by the IPPs if it is ‘reasonably necessary’. The collection does not need to be 'essential' or 'indispensable' to be permissible.
It was also reasonable for the employer not to attempt to collect the information directly from the employee or to advise her (at the time) of the collection, as this would have compromised the effectiveness of the investigation process. In particular, if the employer had attempted to collect the information from the employee in the first instance, this may have ‘...defeated the purpose of the collection itself’.
In relation to the obligation to take reasonable steps to notify an employee of the collection of information, the Court found the employer had met its obligations under IPP 1.3 as it notified the employee of the collection of her personal information as soon as it was practicable during the investigation process.

Implications for employers

Searching for and collecting information from employees' social media accounts is a common practice by employers both during recruitment and as part of workplace investigations.

This decision is an important reminder of the application of privacy legislation in these circumstances, and the need to take care when navigating the grey line between employees' work and personal conduct.

Even anonymous social media posts can constitute 'personal information'

Employers should not assume that a post that does not explicitly identify the respondent employee as the author is not the personal information of that employee. If the content of the post - combined with other information available to the employer - may be used to identify the employee, it will be personal information.

Employers should also not assume that just because 'non-friends' can access Facebook information about the employee that the Facebook information is 'generally available'. Although the provisions of the Commonwealth Privacy Act are slightly different to the Victorian legislation, it is clear that even personal information collected from generally available publications must be handled in accordance with the Privacy Act.

Action can be taken for inappropriate social media posts by employees

Importantly, this decision affirms that it can be considered ‘reasonably necessary’ for an employer to collect employees' social media comments for the purposes of a workplace investigation.

There are in fact a number of recent unfair dismissal cases which have held that misconduct, in the form of after-hours Facebook posts by employees or after-hours conduct documented on social media, can be a valid reason for dismissal. Importantly, in these cases, there was a nexus between the outside-work conduct and the employment, including where, for example:

an employee criticises their employer and/or their colleagues on social media (including where the employer or colleague are not expressly named); or
an employee posted photos of Facebook of his attendance at a New Year's Eve party when he was purportedly on sick leave.

In the context of the bullying provisions of the Fair Work Act 2009 (Cth), the Fair Work Commission Full Bench has accepted the principle that when a worker is 'at work' for the purposes of a bullying application extends to periods where an employee is not actually performing work, such as during a meal break or when accessing social media during work hours.

Given an employer's potential liability for social media posts by its employees, it will often be appropriate and indeed necessary to access employees' social media platforms.

However, any investigation into an employee's social media posts must be reasonably proportionate having regard to all the relevant circumstances. This will be assessed on an objective basis - relevant considerations will include the fact that the individual is an employee, and the nature of the allegations.

Consider privacy issues as part of your investigation plan

Most private sector employers must comply with the Australian Privacy Principles (APPs), in the Privacy Act 1988 (Cth). The Privacy Act exempts the acts and practices of these employers in connection with personal information that form part of an 'employee record'. The decision in Jurecek did not consider the employee records exemption as the Victorian privacy legislation does not include this exemption.

However, the employee records exemption in the Privacy Act is more limited than many employers realise. 'Employee records' are defined as 'records of personal information relating to the employment of the (current or former) employee.'

It will be almost impossible for an employer to know, prior to collection, if information in an email or Facebook post relates to an employee's employment, or is truly personal. Because of the nature of a Facebook page, it will often be very easy to copy (and retain) extraneous posts which will not be covered by the exemption. The exemption will also not apply if a third party (such as an external investigator) accesses the employee's personal information.

But consider the application of privacy legislation when undertaking workplace investigations – and don't assume the employee records exemption will apply

In light of the comments regarding reasonable proportionality in Jurecek, employers should also consider including a privacy section in your investigation plan which reminds investigators that information from social media pages should only be collected if reasonably necessary and proportionate for the purposes of investigating the allegations.

Specifically, the investigation plan should document:

that sufficient evidence is not available from sources other than personal social media pages;
that the investigator understands the privacy interests at stake for the respondent employee;
an explanation why, notwithstanding those privacy interests, accessing the personal information is required to investigate allegations of misconduct; and
the seriousness of the allegations which give rise to the need to access the personal information.

Use your policies to get permission to collect and use this kind of information

A well-drafted policy, with the most recent version appropriately notified to all employees, will be your best defence to an allegation that you have collected personal information unreasonably or used it for an impermissible purpose.

Your Information Technology Use, Bullying and/or Social Media policies can ensure that employees are made aware of expectations in respect of social media posts and that their employer may view and use their emails and posts in certain circumstances.

Social media searches during the recruitment phase

Similar privacy issues can arise in relation to searches conducted as part of a recruitment process, and as the employee records exemption does not extend to potential employees, employers must comply with the APPs when collecting and handling their personal information.

In the absence of a clear collection statement to job applicants, it may be difficult to establish that any collection of otherwise personal information from social media pages is 'necessary' as part of the employer's recruitment functions or activities. If any information collected includes sensitive information such as information about their health or sexual preferences or a criminal record, then employers must have consent to collect this information.

To deal with this risk, employers (both private sector and public sector) should ensure that an appropriate collection notice is provided to job applicants as required by the applicable Privacy Principles. In addition, appropriate steps to securely destroy any personal information obtained during pre-employment searches once an employment decision has been made should be taken once the information is no longer required.