1
Privacy in the Workplace
Roland Hassall, Partner Date: 12 November 2015
2
Overview
• The right to privacy
• What is private information
• Legal principles
• Workplace surveillance
• Case Law
• Compliance strategies
© Sparke Helmore Lawyers 2013
3
The right to privacy?
• Australians do not have an inherent ‘right to privacy’.
• Privacy is protected through a range of statutory provisions.
• In the employment space, privacy complaints have increased in frequency.
• Rummery and Federal Privacy Commissioner and Anor [2004] AATA 1221

People often speak in general terms of their ‘right to privacy’ as though it were a universally recognised and enforceable right. But there is no generally recognised or common law right to privacy in Australia. There is also no constitutional protection relating to privacy. There are, however, a range of statutory protections relating to the specific issue of information privacy.

Rummery and Federal Privacy Commissioner and Anor [2004] AATA 1221
The Privacy Commissioner determined that Mr Rummery’s privacy had been interfered with by the ACT Department of Justice and Community Safety (JACS) when personal information was disclosed to the Ombudsman’s office in the course of an investigation of a complaint made to that office by Mr Rummery. An officer of the Federal Privacy Commissioner disclosed to the Ombudsman that Rummery had requested a voluntary redundancy after facing issues at work, and information concerning Rummery’s out-of-work activities as a bookmaker. The personal information disclosed was not directly relevant to the subject matter of the complaint and the disclosure was found to have breached Rummery’s privacy rights. As a result, the Federal Privacy Commissioner was ordered to pay Rummery $8,000 for loss and damage.

Such a claim might have been avoided if adequate policies, procedures and training in relation to privacy matters had been implemented in the organisation at the time. Having regard to these consequences, in our view, it is preferable to take steps to ensure compliance rather than responsive action to deal with allegations of breaches.
4
What can be classified as private?
• ‘Personal information’
• ‘Sensitive information’
• ‘Health information’

The types of information that can be disclosed in a breach of privacy are understandably broad. The Privacy Act 1988 uses three key terms in relation to privacy matters:

‘Personal information’ is any ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is’:
• true or not, and
• recorded in a material form or not (section 6(1) Privacy Act).

‘Sensitive information’ includes health information, racial or ethnic origin, political opinion or association, religious and philosophical beliefs, professional or trade association/union membership, sexual preferences and practices and criminal record (section 6(1) of the Privacy Act).

‘Health information’ is information or an opinion about:
• the health or a disability (at any time) of an individual
• an individual's expressed wishes about the future provision of health services to him or her
• a health service provided, or to be provided, to an individual
• other personal information collected to provide, or in providing, a health service
• other personal information about an individual collected in connection with the donation, or intended donation, by the individual of their body parts, organs or body substances, or
• genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
5
Legal Principles
The 13 Australian Privacy Principles (APPs) are contained in the Privacy Act 1988 and apply to the following organisations:
• Government agencies
• Organisations with >$3 million turnover
• Private health service providers
• Many small businesses

The Privacy Act includes thirteen Australian Privacy Principles (APPs). The APPs set out standards, rights and obligations for the handling, holding, use, accessing and correction of personal information (including sensitive information).

The APPs apply to the following:
• Australian and Norfolk Island Government agencies
• all private sector and not-for-profit organisations with an annual turnover of more than $3 million
• all private health service providers
• some small businesses
6
Key Privacy Principles
• Australian Privacy Principle 1 — Open and transparent management
• Australian Privacy Principle 3 — Collection of solicited personal information
• Australian Privacy Principle 5 — Notification of collection
• Australian Privacy Principle 6 — Use & disclosure
• Australian Privacy Principle 10 — Quality of information
• Australian Privacy Principle 11 — Retention & security
• Australian Privacy Principle 12 — Access
• Australian Privacy Principle 13 — Correction

APP 1 – Open and transparent management
Organisations must implement practices, procedures and systems, including:
• a clearly expressed and up-to-date privacy policy
• a complaints handling process.

APP 3 – Collection of solicited personal information
The collection of solicited information must:
• be reasonably necessary for functions or activities of Council
• only be collected by lawful means
• only be collected from the relevant individual, unless unreasonable or impracticable.

APP 5 – Notification of collection
Organisations must take such steps as are reasonable in the circumstances to notify the individual of the collection and of specified matters including:
• the purpose of collection of information
• the likely use and disclosure
• the main consequences if not collected
• that the organisation’s privacy policy has information regarding access, correction and complaints, and
• whether information is likely to be sent overseas.

APP 6 – Use & disclosure
Information is permitted to be used and disclosed to the extent that its use or disclosure is in accordance with the primary purpose for which it was obtained.
Information may only be used for a secondary purpose if:
• consent has been given by the individual
• the secondary purpose is directly related to the primary purpose and, where the information is sensitive information, the individual would reasonably expect that the information would be used for the secondary purpose
• it occurs in a permitted general or health situation
• it is required or authorised by law, or
• it is reasonably necessary for enforcement activities.

APP 10 – Quality of information
Organisations have obligations to take reasonable steps to ensure information is accurate, up-to-date, complete and relevant before it is collected, used or disclosed.

APP 11 – Retention & security
Organisations have obligations to take reasonable steps to protect information from misuse, interference, loss, unauthorised access, modification or disclosure.

APP 12 – Access
When an individual requests access to personal information held by the organisation about them, the organisation must:
• If the organisation is a Government Agency:
  - give access to the individual, unless the information sought is exempt under FOI or other legislation permits refusal of access
  - respond within 30 days
  - if access is refused, consider alternatives and provide written reasons, and
  - cannot charge an application fee or a fee for access.
• If the organisation is a private sector organisation, it must give access to the individual unless:
  - giving the information would:
    - create a serious threat to life, health or safety
    - cause an unreasonable impact on the privacy of another person
    - reveal intentions in negotiations with the individual
    - be unlawful or the denial of access is required by law
    - prejudice action regarding suspected unlawful activity or misconduct of a serious nature, or
    - reveal commercially sensitive decision-making, or
  - the request:
    - is frivolous or vexatious, or
    - relates to existing or anticipated legal proceedings with the individual AND would not be accessible in the discovery process.

APP 13 – Correction
Organisations have obligations to correct the personal information they hold about individuals, including:
• inaccurate information must be corrected and anyone to whom information was disclosed notified
• if the organisation is a government agency, it must determine the correction within 30 days of being notified
• if refusing a request to correct information, it must provide written reasons for the refusal and a copy of the complaints process and must keep a record of the correction request with the record of personal information.
7
Privacy Principles – In practice
An organisation/agency that does not comply opens itself up to serious civil penalties (civil penalties of up to $1.7 million for corporations and $370,000 for individuals).

Case Law
• C v Commonwealth Agency [2003] PrivCmrA 1
• AeroCare Pty Ltd [2014] AICmr 32

C v Commonwealth Agency [2003] PrivCmrA 1
The privacy commissioner ordered an employer to apologise and pay an employee $7,000 after the employee’s supervisor, who acted as a referee for a job the employee had applied for, disclosed to the prospective employer that the employee had epilepsy and depression and had taken a specified amount of sick leave. The privacy commissioner found the disclosure of personal information was not permissible, and rejected an argument that the employee had provided implied consent when he requested the supervisor to provide an employment reference.

AeroCare Pty Ltd [2014] AICmr 32
An organisation was ordered to apologise, review its staff training and pay $8,500 to a complainant after a staff member asked the complainant to disclose sensitive medical information in the presence of others and without adequately disclosing the reason for which the information was required. This occurred in circumstances where the complainant, who is blind, was waiting to board a flight with the respondent organisation.
8
Workplace Surveillance
Workplace surveillance is regulated on a state by state basis. For example:

In NSW: The Workplace Surveillance Act 2005 prohibits surveillance by any of the following means unless 14 days' notice is given:
• Camera surveillance
• Computer surveillance
• Tracking surveillance

In Victoria: The Surveillance Devices Act 1999 regulates:
• Listening devices
• Optical surveillance devices
• Tracking devices
• Data surveillance devices

The internet and email have revolutionised workplaces, providing instant access to information and people around the globe and an ease of communication now relied upon to maintain busy work schedules. However, in addition to the benefits of an online workforce, employers are increasingly faced with employee misuse and abuse of privileges, including internet and email at work and flexible work practices.

In an attempt to combat potential misuse, as well as for security and compliance purposes, it is common practice today for businesses to implement security systems to monitor access to their premises and communication systems. It is unsurprising, then, that the issue of protecting complete privacy in the workplace, even beyond employee information, has received much attention.

In New South Wales, the Workplace Surveillance Act 2005 (WS Act) was enacted to specifically govern the use of surveillance systems in the workplace. The WS Act regulates both the overt and covert use of camera, computer and tracking surveillance devices. There are also specific prohibitions on the use of surveillance of employees in bathrooms, change rooms and toilets. Often notice is given by way of policy or in an employment contract.

In Victoria, the Surveillance Devices Act 1999 provides that Victorian employers can use audio or visual surveillance or tracking devices to monitor employees’ activities at work, provided the observation occurs in areas accessible to other employees or members of the public and the activities being monitored are not ‘private’.
9
Case examples
• Haslam v Fazche Pty Ltd t/as Integrity New Homes [2013] FWC 5593
• Thomas v Newland Food Company [2013] FWC 8220

“In my view, there could hardly be an act which strikes at the heart of the employment relationship, such as to shatter any chance of re-establishing the trust and confidence necessary to maintain that relationship, than the secret recording by an employee of conversations he or she has with management.”

Recent cases have shed light on the ability of an employer or employee to conduct surveillance in their place of work, and at what point it becomes unlawful. Increasingly we are seeing it becoming common for employees to covertly record these meetings with their employers in an attempt to protect their own interests.

In Haslam v Fazche Pty Ltd t/as Integrity New Homes [2013] FWC 5593, an employee (Ms Haslam) sought to rely on recordings of meetings with two managers of her former employer (Fazche). Ms Haslam alleged she had been constructively dismissed and asserted that the recordings (made covertly and without the knowledge of the managers) showed she was forced to resign. Fazche opposed admission of the recordings into evidence. The Commission noted that the desirability of admitting the recordings did not outweigh the undesirability of admitting improperly obtained evidence because it was unlikely to solely determine the primary issues in dispute.

In Thomas v Newland Food Company [2013] FWC 8220, the worker secretly recorded a number of discussions he had with his operations manager and he secretly recorded his dismissal meeting. Despite finding that his dismissal was unfair, the Commission refused to order reinstatement, stating: “In my view, there could hardly be an act which strikes at the heart of the employment relationship, such as to shatter any chance of re-establishing the trust and confidence necessary to maintain that relationship, than the secret recording by an employee of conversations he or she has with management.”

Key lessons
• Clearly define appropriate employee conduct through policies or Codes of Conduct.
• For particularly sensitive meetings, consider requiring employees to attend meetings without mobile phones (or other recording equipment) or to declare that they are not recording a meeting before the meeting.
10
Case examples (cont.) SF v Shoalhaven City Council [2013] NSWADT 94
• information collected must be for a lawful purpose that is directly related to a function or activity of the agency; and
• the collection of the information is reasonably necessary for that purpose.

Under a program operated by the Council, CCTV cameras installed in the Nowra CBD recorded images which were retained on a computer hard drive located at Nowra Police Station. The cameras and computer equipment are owned and operated by the Council, however police officers at the Nowra Police Station are able to view live feed footage captured from the cameras. There are signs indicating the presence of CCTV camera coverage in the area where the cameras were located, although not all cameras had a sign near them. The system, as designed, required the duty officer at the police station to enter a generic user name and password at the commencement of their shift in order to log into the "live feed" monitor, but evidence before the ADT suggested that this process had not been followed.

A preliminary issue arose in regard to whether the Council's use of the CCTV cameras to record images of members of the public in public places complied with section 8 of the Privacy Act, that a public sector agency must not collect personal information unless:
• the information is collected for a lawful purpose that is directly related to a function or activity of the agency; and
• the collection of the information is reasonably necessary for that purpose.

The Council argued that local government authorities have an express statutory power to develop local crime prevention plans which make the provision for crime prevention and open space planning and management. The ADT agreed with the Council.

Privacy Principles:
• The Council had not taken reasonable steps to ensure that the subject of the CCTV information collection was made aware of the implications for their privacy of the collection process.
• The Council had not taken such steps as are reasonable in the circumstances (having regard to the purpose for which the information is collected) to ensure that the CCTV information that is collected is relevant to that purpose, is not excessive and is accurate, up to date and complete.
• The Council had not taken reasonable security safeguards against loss, unauthorised access and misuse of the CCTV information.

These were failures to comply with the Information Protection Principles (IPPs) set out in the Privacy and Personal Information Protection Act 1998 (NSW). These IPPs have now been incorporated into the previously discussed APPs.

Key Lessons:
• If a Government agency, local council or university wants to use CCTV in a public place, it must make sure that it is using CCTV for lawful purposes.
• Government agencies, local councils or universities must comply with all of the applicable IPPs/APPs as CCTV will usually capture images of individuals and therefore have privacy risks.
• If CCTV is to be used in the workplace in NSW, the employer must comply with the Workplace Surveillance Act 2005 (NSW) which sets out the basis on which surveillance can be carried out. Similar laws exist in other States and Territories.
11
Protected Disclosures
What is a protected disclosure?
• In NSW see the Public Interest Disclosures Act (NSW)
• Disclosures of corrupt conduct, maladministration and serious and substantial waste made by public officials

What are the privacy obligations in relation to a protected disclosure?

In NSW, a disclosure is a public interest disclosure if the disclosure is made:
• by a public official (an individual who is an employee in the service of a public authority and can include an independent contractor providing services to or on behalf of the public authority)
• voluntarily, and
• to a specified person(s).

Disclosure must be made in an honest belief, on reasonable grounds, that the disclosure shows or tends to show maladministration, corrupt conduct, serious and substantial waste of public money, government information contravention or local government pecuniary interest contravention.

Obligations
A person who receives a public interest disclosure is not to disclose information that might identify or tend to identify a person who has made the public interest disclosure unless:
• the person consents in writing before the disclosure is made
• it is generally known the person has made the public interest disclosure because the person has previously voluntarily identified themselves as having made the public interest disclosure
• it is essential, for natural justice, that the identifying information be disclosed
• disclosure of the identifying information is necessary to investigate the matter effectively, or
• it is in the public interest to disclose the identifying information.

Public authorities must have a policy outlining the procedures for receiving, assessing and dealing with public interest disclosures.
12
Strategies for Compliance
• Be aware of the applicable legislative requirements.
• Be conscious of privacy laws when dealing with employee records.
• Where possible, obtain consent from the person to whom the information relates.
• Ensure information is stored securely, is kept up-to-date and is accurate.
• Ensure that a security and data breach plan is in place.
• Implement, maintain and train staff in policies and procedures.

Anyone responsible for records and complaints management must be trained and aware of the legislative requirements.

Affected organisations are careful in their use of employee records to ensure that the ‘spirit’ of the privacy laws is being observed and caution is exercised in relation to the exemptions from the relevant principles.

The best practice is to ensure that the person to whom the information relates has consented to the proposed collection, use and disclosure of their information.

In terms of collecting, holding and using information, implement rigorous systems for ensuring that personal and health information is held securely, is kept up-to-date and accurate.

In relation to personal information, review the information security and data breach plan and conduct a privacy impact assessment for new projects.

Implement, maintain and train staff in policies and procedures: if your policies and procedures are robust, up-to-date and well known then you will be well on your way to best privacy practice.
13
Questions?
14
Presenter details Roland Hassall, Partner
Sydney
15
Addendum – State Privacy Legislation
New South Wales:
• Privacy and Personal Information Protection Act 1998 (NSW)
• Health Records and Information Privacy Act 2002 (NSW)
• Surveillance Act 2005 (NSW)
• Surveillance Devices Act 2007 (NSW)

Victoria:
• Information Privacy Act 2000 (Vic)
• Health Records Act 2001 (Vic)
• Surveillance Devices Act 1999 (Vic) including the Surveillance Devices (Workplace Privacy) Act 2006 (Vic)
16
Addendum – State Privacy Legislation
Queensland:
• Information Standard 42—Information Privacy (IS 42)
• Health Quality and Complaints Commission Act 2006 (Qld)
• Health Services Act 1991 (Qld)
• Information Standard 42A—Information Privacy for the Queensland Department of Health (IS 42A)

Western Australia:
• Freedom of Information Act 1992 (WA)
• Information Privacy Bill 2007

South Australia:
• PC012—Information Privacy Principles Instruction
17
Addendum – State Privacy Legislation
Tasmania:
• Personal Information Protection Act 2004 (Tas)

Australian Capital Territory:
• Health Records (Privacy and Access) Act 1997 (ACT)
• Australian Capital Territory Government Service (Consequential Provisions) Act (Cth)

Northern Territory:
• Information Act 2002 (NT)
18
Addendum – State Protected Disclosure Legislation
• New South Wales: Protected Disclosures Act 1994
• Queensland: Public Interest Disclosure Act 2013
• Victoria: Protected Disclosure Act 2012
• South Australia: Whistleblowers Protection Act 1992
• Australian Capital Territory: Public Interest Disclosure Act 2012
• Tasmania: Public Interest Disclosures Act 2002
• Northern Territory: Public Interest Disclosure Act (No. 38 of 2008)