Australian rules govern use of personal employee information, but have exemptions
In general, an employer has a right to monitor an employee’s use of company property (e.g. a work computer), but there are limits to this right. Laws that relate to monitoring and surveillance vary across Australian states and territories and can be very complex.
This article considers the case of Madzikanda v. Australian Information Commissioner [2023] FCA 1445, which examines whether monitoring an employee’s use of company property breaches the Privacy Act 1988 (Cth) (Act).
The Act provides 13 legally binding principles, known as the Australian Privacy Principles (APPs), which concern the collection, use, disclosure and storage of personal information and applies to Australian government agencies and all private-sector organisations.
However, the Act exempts private-sector organisations from complying with the APPs when handling employee records relating to current or former employees that are directly related to the employment relationship or records concerning individual employees.
An “employee record” for the purposes of the Act means a record of personal information relating to the employment of the employee. Apart from an employee’s health information, other examples include:
- the engagement, training, disciplining or resignation of the employee
- the termination of the employment of the employee
- the terms and conditions of employment of the employee
- the employee’s personal and emergency contact details
- the employee’s performance or conduct
- the employee’s hours of employment
- the employee’s salary or wages
- the employee’s membership of a professional or trade association
- the employee’s trade union membership
- the employee’s leave entitlements
- the employee’s taxation, banking or superannuation affairs.
This means that the Act and the APPs will only apply to an employee record if the information used is for a purpose that is not directly related to the employment relationship.
Personal information on company laptop
The case of Madzikanda v. Australian Information Commissioner [2023] FCA 1445, relates to a judicial review of a decision of the Office of the Australian Information Commissioner (OAIC). The facts of this case serve as an important reminder that employers should ensure they have policies relating to the use, surveillance and monitoring of company property.
In Madzikanda, the applicant was suspended from his employment and was required to surrender his work laptop. The work laptop was used by the applicant for a number of years, and during that time he stored personal information on the laptop including passwords to online accounts such as banking, private email accounts, and his personal OneDrive and iCloud accounts.
Latest News
The applicant received a letter of allegations on 13 June 2019 referring to a conversation contained in a private email that he was working on projects that were in competition with the employer during company time. The applicant was dismissed on 17 July.
The applicant subsequently lodged a complaint with the OAIC, alleging that his employer had used personal information held on the laptop. The employer denied that this had occurred.
After considering the material provided, the OAIC determined, amongst other things, that the employer’s actions were not subject to the APPs in the Act as:
- The information on the laptop was an employee record and was subject to the exemption under the Act on the basis that the information was subject to monitoring in accordance with the employer’s policy.
- The employer’s actions in dealing with the applicant’s personal information in the laptop were directly related to the employment relationship at the time and directly related to the employee records relating to the applicant.
- Even if the exemption did not apply, there were reasonable arguments that the employer had not breached various APPs.
Data on work computer part of employee record
More particularly, the OAIC held that:
“I consider that you were aware that the work computer was not your private property, and that any data saved to the computer may have formed part of your employee records, as it was subject to routine monitoring and review.”
The OAIC determined that an investigation was not warranted as the complaint had little prospects of further practical or satisfactory resolution. The OAIC further determined that it would be an inefficient and unproductive use of the OAIC’s resources and powers to investigate the complaint further.
Judge Wheelahan dismissed the application and found that the OAIC’s decision did not contain an error of law, as “further investigation of the complaint was not warranted having regard to all the circumstances.” The court did not consider the OAIC’s decision on the “employee records” exemption.
Review of the Privacy Act
The Australian Government is currently reviewing and considering reforms to the Act, following its response to the proposed changes released on 28 September 2023. It is possible that the “employee records exemption” may be subject to reform as part of this review. As at the date of this article, the proposed changes remain under review and consultation.
Rachel Drew is a managing partner at Holding Redlich in Brisbane, specialising in workplace relations & safety and immigration law. Rose Dimitrious is a special counsel at Holding Redlich in Brisbane, specialising in workplace relations & safety. Kelvin Lee is an associate in the workplace relations and safety group at Holding Redlich in Brisbane.