Current Workplace Privacy Issues

Malcolm Crompton, Federal Privacy Commissioner

1. "Many organizations have failed to recognize [a] major privacy risk within their organization - the data they collect about their own employees"

[Developments in both the domestic and international arenas are now pushing employee privacy issues to the forefront. The evolving legislative and judicial privacy landscape around the world is making successful management of global workforce data increasingly difficult. An inadequate employee privacy program that fails to consider these new rules and regulations can not only expose a company to potential privacy breaches, but can also affect the deployment of new systems designed to bring new efficiencies to human resources ("HR") functions. Without a diligent review of employee privacy regulations, companies could experience financial loss on investments made on global HR systems and HR technology solutions.

While substantial challenges are involved, employee privacy can be managed effectively and actually help to bring efficiencies to corporate HR initiatives. Moreover, effective privacy policies can also be used to improve the employer/employee relationship and combat perceived "secrecy" surrounding a company's HR practices and the information maintained about employees.]

Privacy in the Workplace: Emerging Risks in a Changing Landscape Understanding Key Employee Data Issues to Better Manage Privacy Compliance By Jacky Oorloff and Ellen Roniger Tombaugh PriceWaterhouseCoopers, March 2002

2. Recent News clips - note the title of the articles.

• "Time bandits", SMH, 26 Aug 2003
• "Busted at work!", NetGuide, Issue 63,1 Aug 2003
• "Thumbs down for finger scans", AFR, 22 July 2003
• "More white-collar thieves taken to task", AFR, 21/10/03
• "Intellectual theft a growing problem for business", AFR, 21 Oct 2003

3. Employee rights to privacy in the workplace continue to feature regularly in the media, covering topics such as:

• Email usage;
• Web surfing;
• Video surveillance;
• Drug testing;
• RFID;
• Psychological testing;
• Use of biometrics (to monitor attendance and give access/ security level);
• Future use of genetic testing.

Appropriate mix of trust and accountability

4. Striking a balanced mix of mutual trust and accountability is what is important when it comes to workplace privacy. There are three distinct types of interaction within organisations that influence this mix including:

• Staff to organisation
• Organisation to staff
• Organisation + staff to customers

5. Employers have legal responsibilities to staff and shareholders. In undertaking a privacy risk management approach, employers need to ensure that resources are being used properly by staff and that staff are not being harassed or abused through the improper use of IT systems.

6. Privacy invasive monitoring reflects an employer-employee relationship which is not based on mutual trust. Invasive monitoring may contribute to low employee moral and work satisfaction - potentially a major contributor to low productivity.

7. Organisations need to advise employees about their policies - outlining what is and is not acceptable behaviour; what the organisational values are; what the organisation's rules or code of conduct are.

8. Employee attitudes to workplace monitoring are closely intertwined with our strong sense of Right to a Fair Go (absence of discrimination/ chance to right a wrong) and the rights of the Aussie Battler (first recorded in 1896 in a Henry Lawson story). Organisation's would be wise to consider the impact cultural attitudes to employee loyalty.

9. Yes, the technology has changed the face of the workplace - the issues remain the same ...Cast your mind back to the initial response to photocopiers (in particular colour photocopiers), faxes or the desk telephone.

10. New technology has caused a lot of interest in this area but the issues have been around for a long time. For example, employee productivity levels, efficient use of equipment and resources, and, risk management of intellectual property.

Legislation Overview

8. Privacy Act 1988 - Employee Exemptions

• Guidelines on Workplace E-mail, Web Browsing and Privacy (30/3/2000)

  OFPC Statistics NPP Exemption - employee records

  Total calls by financial year	2001/2002	2002/2003
  	618	903
  Total enquiries by financial year	2001/2002	2002/2003
  	13	99

  Employee Legislative Review

  9. Attorney-General's Department, Fact Sheet on Privacy in the Private Sector-Employee Records, 22 December 2000.

  ...While employee records deserve privacy protection, it is the Government's view that such protection is more properly a matter for Workplace Relations legislation. The potential also exists for Commonwealth privacy regulation of employee records to have unintended consequences where it intersects with State and Territory laws dealing with employee records. The Government will review existing Commonwealth, State and Territory laws to consider the extent of privacy protection for employee records and whether there is a need for further regulation. The review, which will be carried out by officers of the Attorney-General's Department and the Department of Employment, Workplace Relations and Small Business, will involve consultation with State and Territory Governments, the Privacy Commissioner and other key stakeholders. The review will be completed in time to assist the Privacy Commissioner when he conducts a more general review of the legislation two years after it commences operation

10. NSW and Victorian legislation cover health information. NSW - recent announcement - proposed Workplace Surveillance Act to regulate the use of surveillance devices to monitor employees to be drafted by end of year.

11. Other activity in privacy law includes:

Victorian Law Reform Commission - Privacy (launched 5/3/2002)

Consultation - Submissions to the Workplace Privacy Issues Paper provided the Commission with a significant amount of information concerning how issues around privacy currently play out in Victorian workplaces, and attitudes towards regulation. The Commission needs to further refine its appreciation of these matters in order to develop Options Papers addressing the key issues relating to surveillance monitoring and testing.

During October and November 2003, the Commission will be convening a number of consultation groups comprising employer and employee representatives across a variety of industries, individuals and organisations with relevant technical expertise, and people with expertise in various fields of regulation, to further explore these issues. The Commission will also reconvene a slightly modified Advisory Committee to assist it to continue and conclude this reference.

The Option Papers covering surveillance, monitoring and testing are intended for release in March 2004 at which time we will pursue further consultation to gauge community attitudes to the options identified in these papers. A strategy for this round of consultation will be developed closer to the release of these publications.

Global attention to workplace monitoring is increasing

12. UK Information Commissioner, Employment Practices Data Protection Code: Part 3 Monitoring at Work.(11/06/2003)

Benefits of the Employment Practices Code:

• increase trust in the workplace - there will be transparency about information held on individuals, thus helping to create an open atmosphere where workers have trust and confidence in employment practices.
• encourage good housekeeping - following the Code encourages organisations to dispose of out-of-date information, freeing up both physical and computerised filing systems and making valuable information easier to find.
• protect organisations from legal action - adhering to the Code will help employers to protect themselves from challenges against their data protection practices.
• encourage workers to treat customers' personal data with respect - following the Code will create a general level of awareness of personal data issues, helping to ensure that information about customers is treated properly.
• help organisations to meet other legal requirements - the Code is intended to be consistent with other legislation such as the Human Rights Act 1998 and the Regulation of Investigatory Powers Act 2000 (RIPA).
• assist global businesses to adopt policies and practices which are consistent with similar legislation in other countries - the Code is produced in the light of EC Directive 95/46/EC and ought to be in line with data Code of Practice - monitoring at work About the Code protection law in other European Union member states.
• help to prevent the illicit use of information by workers - informing them of the principles of data protection, and the consequences of not complying with the Act, should discourage them from misusing information held by the organisation.

13. Hong Kong, Office of the Privacy Commissioner for Personal Data, A Draft Code of Practice on Monitoring and Personal Data, Privacy at Work, Consultation Document(Release 8/3/2002)

• Principle of Proportionality
• Principle of Transparency
• Scope
• Monitoring of Telephone Calls
• Monitoring of E-mail
• Monitoring of Computer Usage e.g. Internet access
• Video Monitoring.
• Issues
  • Blurring of home/work boundary's (...as working from home becomes more common, and as employees may be expected to take calls and attend to E-Mail outside formal hours of work s 4.3)
  • Domestic helpers or guest workers.

Balanced Risk Assessment

14. A balanced risk assessment needs to address the changes in technology and workplace context. For example, there are four key areas employers need to consider:

BALANCE:

• The employer has a right to know what staff are doing during work hours; they also have a responsibility to ensure the workplace is free from harassment and hostility.
• Staff should be able to organise some of their personal lives free from the surveillance of their employer.

PROPORTIONALITY:

• Data Collection limitations principles applies (1.1) Surveillance and testing must be in proportion to the risks.
• Drug testing operators of heavy machinery / would seem appropriate; Drug testing everyone in a company would not.

TRANSPARENCY/OPENNESS:

• Be open and transparent about what the company is doing; tell employees what monitoring is taking place and why.
• Be open about the process; have a policy, negotiate it with staff and circulate it.

PREVENTION:

• Prevent problems before they occur - implement in software that automatically blocks access to unauthorised sites.
• Educate and train staff in organisational policies - ensure the do and don'ts are clear.

  Background

  1. A recurring theme is that organisations are not being open and honest with their employees, engaging in covert surveillance of employees.

  2. The key concerns include cost of non-productive use of resources or cost of lost productivity.

  Cultural and Technical Issues

  15. EPIC - Workplace Privacy

  ...increased employee monitoring powers raise the risk that false inferences can be drawn about employee contact. For instance, an employee might accidentally visit whitehouse.com, a pornographic web site, while attempting to access whitehouse.gov. An employee network monitoring appliance can detect access to the inappropriate site, but not the intent of the employee. With these new monitoring tools and potential to draw false inferences, it is important now more than ever for employees to have basic due process protections--the right of notice of the violation and some "opportunity to be heard."

(http://www.epic.org/privacy/workplace/)