What’s yours is mine?
In a world where technology is becoming more prevalent, it’s easy to feel that privacy rights are a thing of the past.
During the recent election campaign, New Zealand First leader Winston Peters accused government officials of breaching his privacy by leaking information to the media regarding errors in his superannuation payments. This created an uproar and, as yet, it’s not clear how the information was provided to the media. Not all privacy breaches are so high profile but they are becoming increasingly common given developments in technology and social media. Considering the numerous forms of communication we have now, there are many ways that information can be disseminated.
We think nothing of sending emails whether at work or at home. It’s quicker and often more effective than traditional letters or a phone call which can remain between two people.
Most employment agreements will contain provisions regarding an employee’s use of the employer’s IT systems. These provisions generally allow employers to monitor employees’ emails at any stage. There can be many genuine reasons for this such as quality control, staff management, and ensuring security of company and client information.
Generally speaking, an employer’s IT systems and the information contained in them belong to the employer. However, most employment agreements also allow limited personal use of the email system.
What happens, however, when you use your work computer to send personal emails to friends and family? Is it a breach of your privacy if your employer accesses those emails?
Earlier this year, the European Court of Human Rights considered this issue of privacy and work emails. Bogdan Barbulescu, a Romanian engineer, was fired from his job in 2007 after his employer found dozens of messages he had sent to family members while at work. The emails were sent from a Yahoo account that Mr Barbulescu had set up on his employer’s instruction. Mr Barbulescu argued that his right to private correspondence had been violated.
Mr Barbulescu’s employer relied on its company policies which banned the use of office resources for anything that wasn’t work-related. It argued there were clear rules about the use of email for personal reasons during work hours.
After various appeals, the European Court of Human Rights ruled that Mr Barbulescu’s employer had breached Article 8 of the European Convention of Human Rights when it accessed his emails. Article 8 provides the right to respect for private and family life, and correspondence.
What about New Zealand?
In this country, there is no law that’s equivalent to Article 8. However, the Privacy Act 1993 protects and promotes individual privacy. It prevents the collection of personal information in a way that intrudes on an individual to an unreasonable extent.
There are 12 principles in the privacy legislation that must be observed when it comes to collecting, using, storing and disclosing an employee’s personal information. These include restrictions on how people and organisations can use or disclose personal information.
Employees are entitled to privacy of their personal details. Any information obtained by an employer when accessing an employee’s personal email cannot be used to breach the employee’s right to privacy, but it can be used in respect of disciplinary actions.
Most emails and other correspondence can be monitored in the workplace provided the employment agreement refers to this. The communications are the property of the employer. All employees should be aware that anything they send or receive can be seen, or accessed, by their employer.
This may not apply if the employee uses a personal Google mail or Yahoo account. If the employment agreement doesn’t allow using the work IT system for personal email, it may be argued an employee should not be logging into these accounts during work hours.
There are some limits though
There are limits to an employer’s right to access personal information. In March 2015, the Human Rights Review Tribunal awarded $168,000 to Karen Hammond, a former employee of NZ Credit Union Baywide. Ms Hammond left the company in 2012. Several days later she baked a cake for a colleague who she believed had been unfairly dismissed by the company. The cake was iced with crass comments about the employer. After a dinner party, photos of the cake appeared on Ms Hammond’s private Facebook page. It was only accessible to her chosen Facebook friends although the employer persuaded another staff member to copy the photos. These images were distributed by her previous employer to employment agencies and Ms Hammond’s new employer.
The Tribunal concluded that NZ Credit Union Baywide had interfered with Ms Hammond’s privacy by disclosing personal information about her. The award of $168,000 was an expensive lesson for her previous employer.
Care with confidential information
Employers also need to ensure they have policies in place to ensure staff don’t breach the privacy of colleagues or clients by passing on confidential personal information. This is not just in the context of technology, but also in personal conversations and at social functions.
In some circumstances, employees may face criminal charges for accessing personal information. In July 2017, former police officer Jeremy Malifa was sentenced after admitting to illegally accessing the police national intelligence system. Mr Malifa had accessed personal information of women in whom he had a romantic interest and he used that information to contact the women. Not only was this a breach of his employment agreement, but it was also a criminal offence.
In another case, a university student union president complained to the Privacy Commissioner after excerpts of a written warning letter regarding her performance appeared in a student magazine. The student president’s complaint was against both the magazine and the vice president who had given the letter to the magazine. The Commissioner said that the Privacy Act did not apply to the student magazine and the investigation looked at the person who gave the letter to the magazine. The Commissioner decided there had been a privacy breach. The case went to the Human Rights Review Tribunal. The complainant was awarded $18,000 in compensation for her humiliation, loss of dignity and injury to her feelings. The other party was ordered to undertake training on the Privacy Act.
The protection of personal information is important for any organisation. Employment agreements should address these matters. Any breach may well lead to disciplinary action. Of course, both parties should remember a key principle of employment law is that the relationship should be one of good faith.
In a world where technology is constantly developing, employers should regularly review their organisations’ processes to make sure they’re up to date. Employees need to be mindful of the consequences of information shared via email and other forms of communication.
We should all remember that within minutes private information can be sent around the world with the click of a mouse. Once the information is in cyberspace, the original sender can quickly lose control of it.
If you don’t want someone to see something or for information to be leaked, think again before writing or typing. The same rules apply whether it’s an old-fashioned letter written with a fountain pen or an email sent from the 21st century office.
Despite advances in technology and our more ‘tell all’ society, privacy is an important legal right. If you hesitate before sending something, perhaps it’s not a good idea to share.
 Hammond v Credit Union Baywide  NZHRRT 6
 Case Note 253397