Employer provided devices: Privacy and ownership

An employer in the US accessing an employee’s emails has sparked debate over privacy and the ownership of data.

A former employee of US-based Verizon Wireless had thousands of her personal emails read by her employer after returning a phone provided to her by the company.

Sandi Lazette failed to clear her passwords from the phone, resulting in Chris Kulmatycki, her supervisor, gaining information regarding her family, health, career and finances, US-based Workforce reported.

Although it was found that Kulmatycki acted unlawfully, the same conclusion might not be reached in Australia.

“Commonwealth privacy and telecommunications interception legislation would not prevent an employer accessing and reading the personal emails of a former employee stored on a company-owned smartphone,” Joel Zyngier, senior associate and specialist in Workplace Relations at Holding Redlich, told HC. “However, if the employee was employed in NSW, such conduct would be unlawful pursuant to the Workplace Surveillance Act, unless the employer had previously warned the employee that the employer might monitor or access the private emails.”

Despite this, there are other precautions employers must be aware of in regards to both current and former employees. If the information gathered revealed an attribute or activity of the employee protected from unlawful discrimination – such as sexual preference or trade union affiliation – and the employee was then treated differently by the employer, the employee may allege the treatment was due to the information gathered, and claim it was thereby discriminatory.

Some states, such as Victoria, may prohibit the collection (such as reading emails) of information that can be used for discriminatory purposes.

“An employer would be vicariously liable for an employee’s unlawful disclosure of personal information or discriminatory conduct unless it took reasonable steps to prevent the employee’s disclosure/conduct,” Zyngier explained.

The disclosure of any information collected that does not directly relate to ‘employee records’ is unlawful, as well.

Zyngier confirmed that the employer owns the information stored on a company-issued device. This does not include information stored on non-company servers that the smartphone can access.

As the legal and moral obligations of the employer when dealing with this situation are complex and difficult to navigate, a robust IT policy that is easily adhered to is all important.

“Employers should have a general privacy policy to guide the conduct of their managers and employees,” Zyngier said. “If there is a need to review a former employee’s emails, the organisation should limit the people conducting the review to a limited number of authorised staff who are aware of relevant privacy obligations … employers need to have policies governing employees’ use of their employer’s computer and IT facilities, which should tie in to the employer’s equal opportunity, anti-discrimination and bullying policies.”

What do you think of the US case? Do you issue devices to employees? If so, how do you ensure privacy of information?