Welcome to the AREEA Member Portal


News, information and resources in one location for your access to ongoing support.

From fact sheets, guides and reference libraries to breaking news, the portal is your comprehensive and exclusive reference tool.

Feature Article: Understanding workplace privacy

The recent Facebook-Cambridge Analytica privacy scandal has thrust issues relating to use of personal information into the mainstream – and there are plenty of lessons for employers.

In this feature article, AREEA Director Workplace Relations Amanda Mansini and AREEA Graduate Rais Meer explore everything from regulation to effective processes.

Amanda Mansini
AREEA Director Workplace Relations

IN MARCH this year, global news was dominated by the breaking story of British data analysis firm Cambridge Analytica using the personal information of 50 million Facebook users for its work on the 2016 Trump Presidential Campaign. Facebook demanded that the data be destroyed, but it was already too late.

The scrutiny surrounding Facebook’s privacy breach is a stark and timely reminder to employers regarding the protection of the personal information of their employees.

Rapid technological change in the past two decades has been embraced by employers for recruitment, workplace surveillance and monitoring purposes. This, in turn, has placed a spotlight on the fine balance between the right and necessity to manage a business and the right of employees to privacy. In addition, there is an increasing focus on privacy regulation and greater penalties.

Refusing to engage available technology to achieve best practice operating standards for fear of interference with privacy is not a feasible defence in any boardroom or courtroom. It is imperative that employers are able to utilise technology to run a business as safely, efficiently and compliantly as possible, whilst also protecting privacy of individuals in the workplace.

Understanding the regulatory framework

Commonwealth privacy laws regulate the collection and handling of personal information, largely through the Australian Privacy Principles (APPs) set out within the Privacy Act.

The APPs apply to all private sector businesses with an annual turnover of more than $3 million.

Some states have additional workplace surveillance or general surveillance laws, and each state has specific legislation dealing with monitoring telecommunications, which can have applications in the workplace.

Personal information typically means information or an opinion about an individual that identifies the individual, or from which the identity of the individual can be ascertained.

Uses directly related to the employment relationship are generally allowed under Commonwealth laws.

Employers should think carefully about any personal information that they collect and systems for managing this consistent with the APPs.

Employers should take steps to protect personal information from:

  • Misuse, interference and loss; and
  • Unauthorised access, modification or disclosure.

When can you give information to third parties?

Instances will arise in an employment relationship where you may be required to divulge information to a third party.

In line with the APPs, an employer may disclose employee records to third parties if the information is requested by the following:

  • A Fair Work Inspector: Under the Fair Work Act, employers are required to provide this information.
  • Other government agencies: Some agencies such as the Australian Tax Office have the power to do so.
  • Permit holder: The Fair Work Act allows a permit holder to inspect or copy documents that are relevant to the suspected contravention. However, a permit holder will not be able to inspect or copy documents if doing so would contravene a federal law, including the Privacy Act, or any state law.
  • Information collected from a protected action ballot.
  • Information for reference purposes: Providing information that directly relates to the employment relationship will not be in breach of the Privacy Act. Employers should generally seek the employee’s consent before disclosing personal information.

Employers are strongly encouraged to seek professional advice on whether employee information should be provided to third parties if unsure of the legality of the request.

Why is it so important?

There are three common legal issues pertaining to a breach of employee privacy: unfair dismissal claims, protections against discrimination, and WHS and workers’ compensation.

An increasing number of unfair dismissal cases involve alleged misconduct by employees using various forms of employer-provided or personally-owned technology (e.g. to access social media sites) — often outside the workplace or regular work hours.

Anti-discrimination laws place restrictions on employers around the acquisition and use of employees’ personal information as part of recruitment and management processes.

Various privacy issues arise in the operation of WHS and workers’ compensation legislation, for example in relation to employers’ handling of employees’ sensitive health information.

It’s clear that larger Australian employers with operations across State/Territory boundaries face an array of overlapping – and at times conflicting – laws imposing obligations in relation to employees’ personal information.

The absence of uniform regulation in this area also means that individual employees’ expectations of the level of privacy protection in the workplace do not accord with the actual legal position.

Best practice for employers

Clear workplace policies can help to ensure both employees and employers understand the expectations and responsibilities that apply to the use of technologies and privacy.

When collecting data, employers should determine the purpose of the information, ensuring that the information collected is lawful, clearly communicated and only what is strictly necessary for that purpose.

When using the information, it is good privacy practice for employers to tell employees when they collect their personal information and where that information is likely to end up.

Employees should be allowed to access their own personal information held by their employer, and when sensitive information is no longer needed, it should be appropriately destroyed.

Furthermore, employers should consider the necessity to collect information, ensure that information is stored securely, restrict access to information and require anyone with access to sign a confidentiality agreement.

As a general approach, the following five steps can ensure an effective system for privacy protection:

  1. Identify potential risks associated with personal information held.
  2. Ensure workplace policy aligns with standard of practice and legal requirements.
  3. Ensure adequate training of all employees on appropriate workplace procedures as well as code of conduct.
  4. Implement appropriate technological controls to minimise risks.
  5. Continuous and ongoing monitoring of compliance with policy and legal standards.

While the Cambridge Analytica-Facebook case may seem far removed from the average workplace, the issues at play are wide-reaching and only set to intensify as technology becomes more sophisticated and pervasive in all employment systems.

Even those employers with small numbers of employees or those slow to adopt new technologies should have protecting employee privacy at front of mind.

You cannot afford to wait for a breach or suspected breach to get on top of privacy considerations – in this case prevention is not just the best approach, but the only approach.

AREEA’s experienced Workplace Relations team can assist with any policies or procedures relating to protecting employee privacy. This includes investigations into incidents and auditing existing systems against best practice. For assistance, contact your local AREEA office.
