Case note 229558 [2012] NZ PrivCmr 1 : Employer uses monitoring software to collect personal information
June 8, 2012 |
In Case note 229558 [2012] NZ PrivCmr 1 the Privacy Commissioner considered the collection of personal information on an employee’s computer.
FACTS
During an employment investigation an employer collected personal information from a man’s work computer. The information included emails sent to and from the work computer, as well as key stroke logs for the computer. The employer used information collected from key stroke logging to access the man’s personal web-based email account and copy several emails.
The man complained to us about the information his employer had collected.
DECISION
Two issues were identified; information collected directly from the work computer and information collected from the man’s personal email account.
Information collected directly from the work computer
This complied with the Privacy Act because in the employment agreement and employee manual the employer had clearly set out that work computers would be subject to monitoring.
With respect to the collection of key stroke information Principle 3(1) sets out that where an agency collects information from an individual it must take such steps which are, in the circumstances, reasonable to ensure that the individual is aware of a number of things, including the fact that information is being collected. In this case the policies set out in the agreement and manual were not explicit enough to make staff aware that such detailed information was being collected. Accordingly the employer had breached principle 3 in collecting key stroke information.
Information collected from the personal email account
The employer used the password it obtained from key stroke information to access the man’s personal email account. This raised issues under principles 1, 3 and 4 of the Privacy Act.
Under Principle 1 agencies must not collect personal information unless it is for a lawful purpose connected with the functions or activities of the agency, and collection is necessary for that purpose. The employer’s actions went well beyond any information that may have been relevant to the employment investigation and had breached principle 1 because the collection was unnecessary and disproportionate to the employer’s needs.
The employer’s policies were not explicit enough to make an employee aware that if they entered a password into the computer, the employer would be able to use this information to collect further information not held on the work computer.
Principle 4 deals with method of collection and requires that personal information shall not be collected by unlawful means, or means which, given the circumstances, are unfair or unreasonably intrusive. In that context an individual’s personal email account attracts a high expectation of privacy and it would require exceptional circumstances to justify an employer directly accessing it. There were no exceptional circumstances here and and so this method of collection was unreasonably intrusive and in breach of principle 4.
ISSUE
The issue of employer monitoring of employee’s computer and social media is a ongoing source of privacy intrusions and question of continuing balance between a person’s expectation of privacy and the right of an employer to ensure that there has been compliance with laws and proper supervision. This decision highlights where an employer has gone well beyond what is responsible and reasonable in the circumstances and used technology to intrude into what is a clearly private domain. This issue has been dealt with in the Techye.net article Monitoring employees digital media access is still a freaking risk. The article provides:
Businesses are increasingly spying on their employees when it comes to their behaviour with social media, a report has found.
According to Gartner, around 60 percent of corporations are expected to put in place
formal programs for monitoring external social media for security breaches and incidents by 2015.
It said that although many organisations already have some sort of social media monitoring as part of brand management and marketing, less than 10 percent currently use these same techniques as part of their security monitoring program.
According to the analyst house, the growth in monitoring employee behaviour in digital environments has been made easier with new technology.
However, it warned that surveillance of individuals could create a privacy risk and should therefore be managed carefully to “comply with ethical and legal standards.”
Traditionally companies have focused their attentions on monitoring their employees behaviour on internal IT, Gartner said. However, it pointed out that times were changing as a result of new technology such as cloud, meaning these traditional methods weren’t as good as they could be.
It said this meant that these practices had to “follow enterprise information assets and work processes into whichever technical environments were used by employees to execute work.
“Given that employees with legitimate access to enterprise information assets are involved in most security violations, security monitoring must focus on employee actions and behaviour wherever the employees pursue business-related interactions on digital systems,” it added.
Gartner also claims that cloud services, such as Facebook, YouTube and LinkedIn, provide new targets for security monitoring. But it warned that surveillance of user activity in these services generated additional ethical and legal risks.
It said that at times information available could assist in risk mitigation for an organisation, such as employees posting videos of inappropriate activities within corporate facilities.
However, there were other times when accessing the information could generate serious liabilities, such as a manager reviewing an employee’s Facebook profile to determine the employee’s religion or sexual orientation in violation of equal employment opportunity and privacy regulations.
To help create a happy medium, Gartner pointed out there were a range of products and services. However, it warned that there were still a number of problems that needed to be considered to ensure privacy was protected.