The IPPs, which are also contained in the Privacy and Data Protection Act 2014 that replaced the 2000 Act, apply to Victorian public sector entities and agencies.
In Jurecek, the employer was successful in defending the allegations. However, the case highlights the potential broad reach of privacy laws in their application to public sector employers who gather information about their employees and all employers who gather information about prospective employees or other individuals, including for the purposes of legitimate investigations. The case is also a reminder that similar issues can arise in relation to information collected from social media in a recruitment process.
A Victorian public sector employee had been experiencing issues at work, including alleged bullying and stress, and had been discussing these issues via posts and chats with a work colleague on Facebook. The employee used a Facebook account under a pseudonym, and some of the Facebook posts involved inappropriate and abusive comments about her work colleagues.
The employee then posted a lengthy and abusive post on her work colleague's Facebook wall. The colleague reported the Facebook posts to their employer, who conducted a disciplinary investigation. The investigation process included human resource staff and an external investigator conducting Google and Facebook searches for the employee’s Facebook account and posts, and accessing the employee’s Facebook posts and chats from a Facebook friend’s pages.
The employer did not tell the employee it had collected information from her Facebook account until she was issued with a ‘Notice of Investigation’ letter.
The employee claimed the employer breached a number of IPPs by:
The employer argued that the employee's Facebook posts were 'generally available publications' rather than 'personal information' and were therefore not subject to the IPPs.
Searching for and collecting information from employees' social media accounts is a common practice by employers both during recruitment and as part of workplace investigations.
This decision is an important reminder of the application of privacy legislation in these circumstances, and the need to take care when navigating the grey line between employees' work and personal conduct.
Employers should not assume that a post that does not explicitly identify the respondent employee as the author is not the personal information of that employee. If the content of the post - combined with other information available to the employer - may be used to identify the employee, it will be personal information.
Employers should also not assume that just because 'non-friends' can access Facebook information about the employee that the Facebook information is 'generally available'. Although the provisions of the Commonwealth Privacy Act are slightly different to the Victorian legislation, it is clear that even personal information collected from generally available publications must be handled in accordance with the Privacy Act.
Importantly, this decision affirms that it can be considered ‘reasonably necessary’ for an employer to collect employees' social media comments for the purposes of a workplace investigation.
There are in fact a number of recent unfair dismissal cases which have held that misconduct, in the form of after-hours Facebook posts by employees or after-hours conduct documented on social media, can be a valid reason for dismissal. Importantly, in these cases, there was a nexus between the outside-work conduct and the employment, including where, for example:
In the context of the bullying provisions of the Fair Work Act 2009 (Cth), the Fair Work Commission Full Bench has accepted the principle that when a worker is 'at work' for the purposes of a bullying application extends to periods where an employee is not actually performing work, such as during a meal break or when accessing social media during work hours.
Given an employer's potential liability for social media posts by its employees, it will often be appropriate and indeed necessary to access employees' social media platforms.
However, any investigation into an employee's social media posts must be reasonably proportionate having regard to all the relevant circumstances. This will be assessed on an objective basis - relevant considerations will include the fact that the individual is an employee, and the nature of the allegations.
Most private sector employers must comply with the Australian Privacy Principles (APPs), in the Privacy Act 1988 (Cth). The Privacy Act exempts the acts and practices of these employers in connection with personal information that form part of an 'employee record'. The decision in Jurecek did not consider the employee records exemption as the Victorian privacy legislation does not include this exemption.
However, the employee records exemption in the Privacy Act is more limited than many employers realise. 'Employee records' are defined as 'records of personal information relating to the employment of the (current or former) employee.'
It will be almost impossible for an employer to know, prior to collection, if information in an email or Facebook post relates to an employee's employment, or is truly personal. Because of the nature of a Facebook page, it will often be very easy to copy (and retain) extraneous posts which will not be covered by the exemption. The exemption will also not apply if a third party (such as an external investigator) accesses the employee's personal information.
In light of the comments regarding reasonable proportionality in Jurecek, employers should also consider including a privacy section in your investigation plan which reminds investigators that information from social media pages should only be collected if reasonably necessary and proportionate for the purposes of investigating the allegations.
Specifically, the investigation plan should document:
A well-drafted policy, with the most recent version appropriately notified to all employees, will be your best defence to an allegation that you have collected personal information unreasonably or used it for an impermissible purpose.
Your Information Technology Use, Bullying and/or Social Media policies can ensure that employees are made aware of expectations in respect of social media posts and that their employer may view and use their emails and posts in certain circumstances.
Similar privacy issues can arise in relation to searches conducted as part of a recruitment process, and as the employee records exemption does not extend to potential employees, employers must comply with the APPs when collecting and handling their personal information.
In the absence of a clear collection statement to job applicants, it may be difficult to establish that any collection of otherwise personal information from social media pages is 'necessary' as part of the employer's recruitment functions or activities. If any information collected includes sensitive information such as information about their health or sexual preferences or a criminal record, then employers must have consent to collect this information.
To deal with this risk, employers (both private sector and public sector) should ensure that an appropriate collection notice is provided to job applicants as required by the applicable Privacy Principles. In addition, appropriate steps to securely destroy any personal information obtained during pre-employment searches once an employment decision has been made should be taken once the information is no longer required.