Privacy settings on social media not so private for employees?
An employer’s records on an employee are, at least at present, not protected under privacy legislation. They are, after all, the employer’s records. But, surely, an employee’s Facebook account (i.e. not the employer’s records at all) is “personal information” that should not be accessed or used by an employer without that employee’s permission?
The answer, or at least the answer according to Justice Bell of the Victorian Supreme Court, is one that many Facebook users will probably not ‘like’.
In Jurecek v Transport Safety Victoria  VSC 285, the employer (a government agency) accessed information on an employee’s personal Facebook account and used that information as part of an investigation into alleged misconduct on social media by that employee – and they didn’t tell the employee they were doing it. The Court found that such action was permissible as it was a reasonable and necessary part of the employer’s investigation process and did not arbitrarily or unlawfully interfere with the employee’s human right to privacy.
The crux of Ms Jurecek’s appeal from the decision of the Victorian Civil & Administrative Tribunal was that TSV had contravened the Information Privacy Principles espoused in the Information Privacy Act 2000 (Vic) (now repealed) on the following grounds:
- The employer had accessed the information for an unnecessary purpose;
- The employer had accessed the information without Ms Jurecek’s consent and by means that involved the use of a pseudonym;
- The employer had accessed the information without first seeking to obtain the information from Ms Jurecek directly; and
- The employer had used the information without telling Ms Jurecek they had gained access to such information.
While the decision concerned Victorian privacy legislation which has now been repealed, the Information Privacy Principles his Honour considered and applied are sufficiently similar to the Australian Privacy Principles (“APPs”) prescribed under the Privacy Act 1988 (Cth) to make his decision one that is a persuasive authority for the operations of most employers (at least until ruled upon by a higher court).
In dismissing the appeal, his Honour was required to undertake an unprecedented examination of the relationship between privacy laws and the use of social media in a workplace context. The decision confirmed that:
- Personal information that is available online and accessible by anyone, does not necessarily mean it is a generally available publication for the purposes of privacy laws;
- An employer conducting an investigation into alleged misconduct in respect of one of its employees is a ‘legitimate purpose’ under the privacy laws;
- The means by which the employer gained access to that information was not unlawful, unfair or unreasonably intrusive so as to be in breach of any privacy laws;
- The obligation that government agencies must take reasonable steps to ensure that an individual is aware their personal information is being accessed does not impose obligations of immediate notification. Whilst the employer had nevertheless complied with those obligations when taking steps for other purposes i.e. through their disciplinary process, it was not practicable for the employer to immediately notify Ms Jurecek as it would have jeopardised their investigation; and
- The same reason was provided in reaching the conclusion that the employer could not have obtained the personal information from Ms Jurecek directly as it would have also jeopardised the investigation.
Implications for Employers
Whilst this decision has particular effect for Victorian public sector organisations, the broader implication for many employers will depend on the privacy legislation applicable in that jurisdiction.
The Australian Privacy Principles in the Privacy Act 1988 (Cth) also create similar and, in some circumstances, more onerous obligations for agencies, particularly when dealing with sensitive information or personal information that has not been solicited.
Employers need to be mindful of these obligations and how it might affect the application of their workplace policies and procedures in particular, in dealing with employee misconduct and workplace investigations that require access to employees’ personal information.
Jurecek confirms that an employee’s personal information may be accessed by employers as long as it is for a legitimate purpose and it is accessed in a lawful and not unreasonably intrusive manner.
It does not however completely dispel the risk of breaching privacy laws.
In order to minimise this risk, employers should review their policies and procedures with particular regard to:
- Employees’ use of social media for employment or work purposes;
- The employer’s monitoring of technology and social media of employees; and
- The employer’s processes for dealing with allegations of misconduct and workplace investigations in respect of their employees.
Of course, the employer should be aware of these obligations however, there is also an onus on employees to be aware that personal information provided or posted on social media will not automatically be protected by privacy laws. Careful discretion needs to be exercised.