The Privacy Act could be one of the most misunderstood statutes, quoted regularly by people from all walks of life, but frequently quite wrongly. Some, it seems, are reluctant to do anything for fear of Privacy Act consequences, while others have startlingly little appreciation of the limits it might impose on activities.
The Privacy Act starts with a presumption that information about you belongs to you. It deals with “personal information” which is “information about an identifiable individual”. It sets out the general rules in 11 “information privacy principles”. They include that information about you should only be gathered for a lawful purpose, and it should be collected from you directly, or with your consent. Once gathered, it should be held securely, only for the purpose and as long as necessary, and you should be allowed to access it, or correct it if it’s wrong. The Act deals in detail with how these principles might be observed, and with a number of exceptions.
In the modern workplace, a huge body of “personal information” can be collected. An employee’s security tag can generate information about when they arrive at work, when they leave and which parts of the building they move to. It may also generate information about how much they print, or when they use company facilities or resources. An employee’s phone is capable of collecting information about how much time the employee spends on calls, emails, social media and other apps. It can register how much exercise the employee gets, where they travel to, where they stay the night, where they shop and who they spend time with.
Some of this information might also be ‘company information’ – information that an employer has some legitimate interest in – say when an employee accesses certain information on company databases, or where employees are during the day. However, it seems that modern technology now delivers the ability to discover information that was previously the employee’s private domain. How and when can an employer access that information?
The Privacy Act says information about employees (identifiable individuals) should only be collected with permission, and only used for the purpose for which it is collected. So, a good starting point is, does the employee know about the information that is being collected?
Take GPS trackers in company vehicles. Does the employee know that such devices are used? What is the employee told of the purpose of those devices? Does the employer have access to information about how the vehicles are used in the evening or the weekend? It is perfectly legitimate to collect that information if the employee consents to its collection for a known purpose. But it is more challenging to use that information for some other purpose. Say, for example, the employer forms a suspicion that the employee has a gambling problem because the GPS shows the vehicle regularly parked in a casino carpark. Is that a legitimate use of the information? Not only that, but having collected information, the employer needs to hold it in a way that is secure, and prevents unauthorised disclosure. Who in the business can review the GPS data? For what purpose?
In my experience, privacy policies usually deal with the privacy rights of the business’s clients and customers better than the rights of employees. Significant personal information is collected by employers about workers, and sometimes there is no evidence that employees are aware of the collection, or the purpose of it.
Here is a good thought experiment – what are the devices or processes in your workplace that collect information? Vehicles, security cards, security cameras, machines, smartphones, computer systems etc. What do employees know of these devices? How is the information collected on these devices held and accessed, and by whom? What do employees know of that? Is it time to put a modern policy in place?