Nolan, Jim --- "Privacy in the workplace - Part 1: legal issues" [1995] PrivLawPRpr 1; (1995) 2(1) Privacy Law & Policy Reporter 1

Privacy in the workplace - Part 1: legal issues

Jim Nolan

No man or woman upon entering into an employment contract thereby agrees to forgo those basic civil liberties which distinguish our society from more barbarous regimes.

- Macken J, Industrial Commission of NSW [1979] AR 72 at 79.

Introduction

In the last decade the privacy debate has focused on the workplace to an unprecedented degree. The availability of cheap intrusive electronic monitoring equipment, the computerisation of every aspect of work and the current vogue for drug and alcohol testing of employees has meant that a range of privacy issues may be present in many workplaces.

That the basic privacy of many employees has not been respected has been most dramatically demonstrated in recent, well-publicised sexual harassment cases. But a disregard for privacy may occur across the privacy spectrum: employees may often be injured in different but nonetheless serious ways by the abuse of privacy through unfairness in the collection and use of personal information, electronic monitoring techniques and other privacy intrusions. This article will endeavour to identify some privacy issues which should be of concern to employers and employees and their unions, and to draw attention to the real risks of not taking privacy interests seriously in the employment setting.

This article will also draw attention to recent developments in employment law which have significantly affected the likelihood of privacy issues being raised in the employment context. These include:

1. Recent decisions of the High Court which have significantly expanded the range of matters which may become the subject of industrial awards made by the Industrial Relations Commission under the Industrial Relations Act (1988).
2. Developments in the law of unfair dismissal are also relevant. Legal reforms have now created a legal right not to be unfairly dismissed. In assessing fairness in a particular dismissal, the courts have shown that they will take into account factors which include the 'privacy' rights of employees.

These issues are discussed in detail below.

ALRC report and current privacy issues in employment

The most extensive study of privacy in Australia was that undertaken by the Australian Law Reform Commission. In its 1983 Report on the law of privacy[1], the Law Reform Commission identified a number of privacy issues relevant to employment. These were:

1. Disclosure of criminal record information.[2]
2. Disclosure of medical information.
3. Psychological testing.
4. The use of lie detectors[3] and similar surveillance devices at the workplace.
5. The use and disclosure of employment records - both in the public and private sectors.

Some of these issues have already been dealt with by legislation, while others still await attention. A few appear to have slipped off any agenda for change. The treatment of privacy concerns in employment is unlikely to be addressed comprehensively by direct Commonwealth legislation even though there has been a preparedness to legislate into domestic law the subject of international conventions on other topics such as conservation and employment. In the light of this inactivity, the industrial relations system will no doubt be called on to tailor industrial prescriptions to meet many of these concerns.

Canadian Privacy Commissioner's Report on employment privacy

A decade after the ALRC Report, the Canadian Privacy Commissioner examined privacy issues relevant to the workplace in Canada.[4] The Canadian report identified the three main areas of privacy intrusions affecting employees:

1. Electronic monitoring
2. Employee testing
3. Misuse of employment records

These potential privacy intrusions give rise to the following concerns according to the Canadian report:

1. Loss of personal autonomy
2. Lack of consent
3. Invasion of privacy of persons
4. Invasion of informational privacy

The paper warns that the impact of these practices on employees is yet to be fully appreciated and that many of the practices are in their infancy. The expansion of technology and rapid developments in availability and costs of this technology mean that the techniques of privacy intrusions at the workplace are likely to become much more widespread.

The Canadian Report expresses a preference for direct legislation because it is said the patchy coverage of collective bargaining in Canada leaves most employees without the protection of union membership or of collectively determined labour arrangements which provide recourse to arbitration. The Canadian report confirms that while there is a considerable degree of international interests in privacy issues at the workplace there is yet to be any developed approach to the issues by legislators.

Other international developments

International trends in privacy protection in employment provide a valuable guide for Australians interested in industrial relations. Recent European initiatives have pointed the way ahead. The Committee of Ministers of the Council of Europe has adopted detailed guidelines for the protection of the privacy of employment records. Member countries are expected to ensure their adoption by employers in each country. The guidelines embrace:

1. Consultation with employees in relation to data policies and implementation.
2. Collection, use and storage, security and retention of personal data.
3. Communication of personal data to employee representatives.
4. External communication of personal data.
5. Trans-border data flows.
6. Data handling of sensitive categories of personal data, for example, health records.
7. Rights of employee access and correction.

Responding to this initiative, the Australian Privacy Commissioner, Kevin O'Connor, has recently stated an intention to develop a process for the adoption of national standards by bodies representing employers and employees in relation to the handling of personal records.[5]

In 1993, the International Labor Organisation undertook a study of worker privacy across a range of countries.[6] Although making no specific recommendation for legislation, it provides a valuable resource for the consideration of approaches to privacy issues. It is particularly noteworthy that in jurisdictions which have comparatively light privacy protections (in employment) such as the US, the courts have been willing to find so-called 'implied in law covenant of good faith and fair dealing in employment contracts' to sanction violations of worker privacy.

Numerous State courts in the US have held that statements in personal procedure handbooks may give right to implied contractual rights which may be sued upon. While providing salutary lessons for employers and their advisers, these remedies are essentially after the event as they arise in wrongful dismissal/breach of contract proceedings.

In the organised sector of the workforce, the National Labor Relations Board has made determinations relevant to videotaping and photographing employees engaged in pickets, and governing the circumstances in which personal bag and locker searches may take place. More recent initiatives aimed at restricting employee monitoring through a national Privacy for Consumers and Workers Act has stalled in the legislative process of the Congress.

Commonwealth 'privacy' laws relevant to employment

In Australia there is no comprehensive privacy law nor do specific privacy laws deal with employment as such. A number of State and Commonwealth 'privacy' laws nevertheless have relevance for employment in differing circumstances and with differing application. In the area of access to personal information, public employees fare considerably better than their private sector counterparts as beneficiaries of access laws.

The most important of these is the Privacy Act 1988. This Act complements the Freedom of Information Act 1982 and in the main, neither pertains to private sector employees. The Commonwealth Human Rights and Equal Opportunity Act also contains a measure of privacy protection in as much as it enacts the international covenant as a schedule to the Act and the right to personal privacy is enshrined in the covenant.[7]

The Commonwealth laws on privacy apply to particular and limited activities. They derive from amendments to the Privacy Act 1988 which have extended privacy protections to the private sector. There are three main areas which affect private sector employment: tax file numbers, spent convictions and credit reference reports.

The Privacy Act 1988 regulates the privacy aspects of the Commonwealth's tax file numbering scheme and is of particular importance for employers. In this regard it applies to the public sector of the States, the private sector and local government in addition to Commonwealth agencies as defined. The Privacy Commissioner may investigate complaints concerning the alleged misuse of tax file numbers in a manner similar to complaints of contravention of the Information Privacy Principles, and in certain cases, award compensation.

Since 1 July 1990 a new Commonwealth law has regulated the use and disclosure of certain criminal records. This legislation is of particular importance to employers in both the private and public sectors. The new law follows a reference to the Australian Law Reform Commission and its 1987 report on spent convictions.[8] The new law adds a new Pt VIIC to the Commonwealth Crimes Act[9] which establishes a Federal Spent Convictions Scheme. The Privacy Commissioner administers the scheme including a system of exclusions as with his functions under the Privacy Act. He is empowered to award compensation for damage suffered as a result of an unauthorised disclosure.

The main features of the scheme are:

1. A conviction as an adult for a Federal offence under a Commonwealth law is to be treated as 'spent' once it is ten years old if the punishment imposed was not more than 30 months imprisonment and the person has not re-offended.
2. A conviction as a minor (that is, under 18 at the time of the offence) for a Federal offence under a Commonwealth law is to be treated as 'spent' once it is five years old if the punishment imposed was not more than 30 months imprisonment and the person has not re-offended.
3. Commonwealth agencies are more extensively bound in that they are also required to observe these restrictions in the case of State offences.

Certain exclusions apply to the legislation, principally in relation to:

1. The appointment of certain designated positions in Commonwealth public sector employment.
2. Police employment and intelligence.
3. Criminal justice and the courts.
4. Migration.
5. Child care and teacher employment.

The Privacy Commissioner has granted a small number of exemptions being:

1. People (including employees) involved in institutional or residential care of prisoners and people with disabilities.
2. Certain government organisations involved in the administration of justice.
3. Industries susceptible to the infiltration of organised crime, for example, casinos.

Requests for exemption rejected by the Commissioner included requests from financial institutions and the Commonwealth government relating to blanket pre-employment checking.

In contrast to the position in the US, the system of credit referencing in Australia has been largely ignored for pre-employment screening checks. The Privacy Act now contains, arguably, the world's best scheme of credit reporting regulation. Once again the scheme follows the familiar pattern of the Privacy Commissioner in a supervisory role with the power to award compensation to complainants. It departs from the Privacy Act model to the extent that it provides for a series of offences with hefty penalties for unauthorised use of credit files - such unauthorised use includes employment-related use and disclosure of credit reports.

Concern about credit checking in employment is not academic. In the US this is a widespread practice. In Australia, there have been examples of the abuse of credit reports in the employment context. The 1987 Annual Report of the Privacy Committee recounts a complaint by a bank employee who was listed as a defaulter by her former employer (the bank) on CRAA following a dispute over a wrong overpayment which the bank could not recover at law. Under the Privacy Act this would arguably be treated as an offence and punishable by a significant fine. The employee concerned would also be entitled to monetary compensation.

As I have already observed, apart from the specific matters to do with the tax file number, spent convictions and credit reference reporting, the Privacy Commissioner's jurisdiction is limited to Commonwealth record keepers. This is despite the ALRC's recommendations that privacy laws be extended to the private sector and it was always envisaged that its report and resulting legislation would address privacy issues in the private as well as public sectors.

There is, however, one important function of the Privacy Commissioner which will allow some interaction with private sector record keepers and which has special relevance for employment records. One of the Commissioner's functions is to 'encourage corporations to develop programs for the handling of records of personal information that are consistent with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (s 27(1)(n))'.[10] Those guidelines are, in part, the source of the IPPs and contain the following principles (my summary):

1. Collection limitation: fair collection with the consent of the 'data subject'.
2. Data quality: relevant accurate, up to date and complete.
3. Purpose specification: purpose of collection to be specified, information to be used for that purpose.
4. Use limitation: personal data not to be used for another purpose unless authorised by law or with consent.
5. Security safeguards: personal data to be safely secured against loss damage, unauthorised access.
6. Openness: there should be a general policy of openness about developments, practices, etc. regarding personal data.
7. Individual participation: a right of ready access and challenge concerning any denial of access to one's personal data.
8. Accountability: record keepers to be accountable with respect to compliance with these principles.

The simple recitation of these principles and reference to the original terms of reference of the ALRC's Privacy Report - not to mention the report itself - compel the conclusion that there is much to be done by the Privacy Commissioner's office in furtherance of this function. In combination with his research and 'forward monitoring' function (s 27(1)(c)) and the public education function (s 27(1)(m)) the Privacy Commissioner is equipped with a potentially potent and persuasive jurisdiction over the private sector and State and Local Governments. The significance of this is that where persuasion fails legislation may

soon follow.

The Privacy Commissioner also acts as a law reform agency regarding privacy matters, a function which will not be lost on many interest groups and businesses alike. As noted above, the Privacy Commissioner made it clear in his first annual report and in published statements that he considers employment-related privacy issues high on the list of his priorities.

The States

The Privacy Committee Act 1975 established a statutory committee as a privacy Ombudsman unique to NSW. The committee performs a variety of functions including the investigation of complaints. It may not make binding determinations but can report to Parliament and 'name' persons and organisations who engage in objectionable practices. It promulgates guidelines regarding privacy protection in various spheres of life and recommends administrative practices and where necessary, legislation in the interests of privacy protection. The government is not obliged to accept any committee recommendation. A wide variety of committee activities has relevance to employment.

The Privacy Committee has published guidelines and policies on employment records and telephone monitoring at the workplace. The committee has also published a report on employee drug testing[11] in response to developments in Australia -- see below. Its annual reports often record complaints about privacy invasive employment practices. For example, recent annual reports[12] contain reports of complaints and issues about:

1. A requirement that an employee supply a bank account number to the employer for salary payment purposes: the complaint was dismissed as the procedure was part of industrial agreement.
2. Subject access to a staff report at a higher education institution: access was granted after committee conciliation.
3. Access to personal records by independent school teachers: access granted and new guidelines adopted after committee intervention.
4. Pre-employment health screening: advice given.
5. Post-employment references: agreement reached with employer on the form of reference.

Other NSW legislation relevant to privacy protection includes, the prohibition against administering lie detector tests for employment purposes, the use of listening devices, and prohibitions against communicating the results of AIDS antibodies tests in certain circumstances. (see Lie Detectors Act 1983 (NSW); Listening Devices Act (NSW); Defamation Act 1974 NSW, s 22). The Public Health (Proclaimed Diseases) Amendment Act 1985 and its accompanying regulations[13] state that public sector employees have certain privacy rights under the Freedom of Information Act 1989.

Spent convictions are now dealt with by the Criminal Records Act 1991.[14] The Privacy Committee has reported one unfair dismissal case where an employee was successful in challenging a dismissal based on the wrongful disclosure and use of a spent conviction.[15]

In Victoria, apart from information privacy protected by that State's Freedom of Information Act 1983, statutory protection of one's 'private life' is acknowledged in a limited form in the Equal Opportunity Act.

In Qld, the Privacy Committee Act 1985 established a committee similar to the NSW body, however the similarity is in name only as the Qld committee lacks the power to investigate complaints other than those referred to it by the Minister. In WA 'privacy guidelines' have been adopted on an administrative basis by the public sector while in SA a similar step has been taken but with the addition of a Privacy Committee established on an administrative basis. Queensland and WA have spent convictions legislation.

Jim Nolan, Barrister practicing in Industrial Law, formerly Lecturer in Labour Law (part-time) Sydney University Law School, formerly Executive Member NSW Privacy Committee (1984-1987).

Next issue:

Privacy protections in industrial relations law.

[1] The Law Reform Commission Privacy Report No 22 (3 vols) AGPS, Canberra ACT 1983, see Vol 1, pp 152-169, 408-9.

[2] The Commission has since published its final report on criminal records and spent convictions (see below).

[3] Note that the use of lie detectors in connection with employment is now prohibited in Lie Detectors Act (1983) NSW.

[4] Report on Employee Privacy Privacy Commissioner, Canada (1993).

[5] Kevin O'Connor Privacy Commissioner, Privacy: New responsibilities for government and business speech given to the Institute of Directors in Australia (NSW Branch), 6 April 1989.

[6] Conditions of Work Digest, Vol 12 1/1993 ILO.

[7] Article 17 of the International Covenant on Civil and Political Rights provides as follows:

1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour or reputation.
2. Everyone has the right to the protection of the law against such interference or attacks.

[8] The Law Reform Commission Spent Convictions Report No. 37, AGPS 1987.

[9] Sections 85ZL-85ZZK Crimes Act (Cth) (inserted by the Crimes Legislation Amendment Act 1989, No 108 of 1989).

[10] The guidelines are set out in the ALRC Privacy Report, pp 270-272, the above summary omits some qualifications.

[11]Drug Testing in the Workplace October 1992.

[12] Privacy Committee Annual Report (1987), (1991), (1992).

[13] No 122 of 1986 Public Health Act Regulation (Gazette No 60, 11 April 1986).

[14] Privacy Committee Annual Report (1991) p 27.

[15]Annual Report (1992) p 61.