Privacy in the workplace – answering the burning questions for employers

It is the Employment Law Team’s favourite time of year – no, not Christmas, summer or going away to the family bach. It’s Privacy Week, duh!

To celebrate, we took the opportunity to answer four burning questions that we often get from employers about privacy-related matters in the workplace. 

Can I put up surveillance cameras in the workplace? 

There are a number of reasons why an employer may wish to use surveillance cameras in the workplace – for example, for health and safety reasons or to deter theft.  As expected, where an employer utilises video surveillance in the workplace it must comply with the Privacy Act 2020 (Act).

The Act contains 13 information privacy principles (IPPs), which govern the use of personal information collected by an agency.  Using video surveillance touches on nearly all the IPPs, but will certainly include:

  • IPP 1: Personal information may not be collected unless it is done for a lawful purpose and collection is necessary for that purpose;
  • IPP 3: The agency must take reasonable steps to ensure the individual is aware of the fact of collection, the purpose of collection, the intended recipients, details of the collecting agency, and the right of correction;
  • IPP 4: Personal information may not be collected by unlawful means; and
  • IPP 10: Personal information obtained for one purpose must not be used for any other purpose.

Failure to comply with any of the IPPs can result in a complaint being made to the Privacy Commissioner; or where footage obtained in breach of the Privacy Act is used to dismiss or discipline an employee, the action could be held to be unjustifiable.  One way to ensure compliance is to implement a surveillance policy in the workplace.  To meet their statutory good faith requirements, an employer should consult with employees prior to implementing such a policy.  The policy should cover off the above IPPs – why the surveillance is being undertaken, what will be recorded, what the footage will be used for, who can access it, and how it will be stored.

If an employer has a policy regarding surveillance cameras, then employees will most likely be aware of the camera’s existence.  This type of overt surveillance is generally less risky for an employer to rely on to dismiss or discipline an employee.  By contrast, covert surveillance (where the employees are not aware of the surveillance camera(s)) contains more legal risk but there may be circumstances it is justified, for example, a thief is operating in their workplace and the employer wishes to catch the culprit red-handed. 

Can I take disciplinary action over an employee’s posts on their social media accounts? 

It is well established that for an employer to justify taking disciplinary action against an employee’s out of work conduct there must be a causal link between the conduct and the employment relationship.  With ever-increasing use of social media blurring the distinction between the workplace and an employee’s private life, we are seeing social media affect the workplace and employment relationships more and more.

Sometimes there may be a clear link between the employee’s social media conduct and the employment relationship.  For example, an employee posting negatively about their manager or the business or where workplace bullying has bled into Facebook messages or Instagram DMs.  But what if there are instances where social media activity is not readily linked to employment?

In the recent Australian case of Corry v Australian Council of Trade Unions, the Fair Work Commission (FWC) upheld the summary dismissal of an employee who posted highly offensive material on his personal Facebook account supporting the 2020 Melbourne anti-vaccination and lockdown protest.  The FWC found that the conduct was in breach of ACTU’s policies, which was serious misconduct and constituted a valid reason for dismissal.  The FWC held that while the employee had the “Right to hold and express a strongly held view that did not however provide the Applicant with the unqualified right to publicly espouse views that were contrary to the interests and values of his employer.”

This seems to be in line with New Zealand’s position where the Employment Court has held that Facebook posts (even if protected by privacy settings) may not be regarded as protected communications “beyond the reach of employment process given that the information or posts can be shared to a near limitless audience.” 

What should I do when the company receives a Privacy Act request? 

IPP 6 of the Act gives individuals the right to ask an agency to provide confirmation of, access to, or correction of, the personal information it holds about them.  An agency must respond as soon as possible, but within 20 working days, and can provide the information, refuse to provide the information, transfer the request to the agency that they believe holds the information (this must be done within 10 working days), confirm it does not hold the information or does not hold it in a way that is easily retrievable, or neither confirm nor deny.  

A request may be refused on a number of grounds.  In an employment context, grounds for refusal may include:

  • Section 49: an employer may refuse the request if the disclosure could cause harm (“serious threat” or “serious harassment”) to another individual;
  • Section 50: an employer may refuse the request if the information is evaluative material (unless the person who supplied the material consents). Note that ‘evaluative material’ has a specific limited meaning in the Act;
  • Section 52: an employer may refuse access to information if it might disclose a trade secret or unreasonably prejudice the commercial position of the employer or the person who supplied the information;
  • Section 53(a): an employer may refuse a request if the information does not exist, or it cannot be found by reasonable efforts;
  • Section 53(b): an employer may refuse the request if the disclosure of the information would involve the unwarranted disclosure of the affairs of another person, including a deceased person; and
  • Section 53(d): an employer may refuse access if the disclosure of the information would breach legal professional privilege.

It should be noted that each of these grounds for refusal has ‘fine print’ that needs to be satisfied before an employer can refuse access to personal information.

Generally, an employer should not charge people to access or correct their personal information.  However, there are some circumstances where it may be appropriate for an employer to charge an individual to access their information, e.g. the amount of material sought is significant or difficult to collate.  Any costs must be reasonable and the applicant must be made aware of the costs before charges are imposed.

Does my workplace need a privacy-related policy? 

While not specifically required under the Act, it is a good idea for employers to adopt a privacy-related policy.  Good reasons to have a policy include: 

  • To identify the company’s privacy officer. The Act requires all agencies to have at least one privacy officer who ensures the agency’s privacy obligations are being met and respond to any requests under the Act.  Privacy officers are also a great mechanism to encourage and upskill other employees around privacy law.  
  • Developing privacy-related policies, which may touch on social media, surveillance in the workplace, and handling personal or confidential information on work systems, helps set out clear expectations and guidelines for employees. This helps provide guidance where an employer may be collecting personal information, protect against misuse of client or employee personal information and outline when disciplinary action may be appropriate.
  • To make clear the employer can access information on their IT systems, including email traffic, web history and other electronic folders.
  • To provide guidance in the event of a privacy breach. Under the Act, a notifiable privacy breach is a privacy breach that it is reasonable to believe has caused serious harm to an affected individual(s) or is likely to do so.  The Office of the Privacy Commissioner’s expectation is that a breach notification should be made to its Office no later than 72 hours after agencies are aware of a notifiable privacy breach.  A privacy policy may help a company assess whether the breach needs to be notified and guide the relevant individual(s) through that process. 

If you have any questions about the Privacy Act or need help developing or amending a privacy-related policy please get in touch with our Employment Team or your usual contact at Hesketh Henry.

Do you need expert legal advice?
Contact the expert team at Hesketh Henry.
Media contact - Kerry Browne
Please contact Kerry with any media enquiries and with any questions related to marketing or sponsorships on +64 9 375 8747 or via email.

Related Articles / Insights & Opinion

Privacy Commissioner to consult on Privacy Rules for Biometric Information
With the increasing use of facial recognition technology (FRT), retinal scans, and voice recognition by an array of different agencies, privacy concerns about its collection and use are set to be form...
24.11.2023 Posted in Business Advice
Fern forest NZ
Bioenergy in New Zealand: Fuels for the Future?
The energy transition from combustion fuels to low carbon alternatives is viewed as critical in the race to cut global CO2 emissions and reach climate targets.  We look at some of the opportunities p...
14.11.2023 Posted in Business Advice & Climate Change & Forestry
Will Wide BW
A well drafted will is a craft
The New Zealand do-it-yourself “DIY” attitude and way of life is not limited to home improvements, but sometimes also extends to wills.  Recently we had a DIY $5.99 fill in the blanks will acros...
07.11.2023 Posted in Private Wealth
rsz large pillars
Health and Safety: The Consequences of Dishonesty
Siddhartha Gautama said that lies are like huge, gaudy vessels, the rafters of which are rotten and worm-eaten, and that those who embark in them are fated to be shipwrecked.  Two remarkable health a...
03.11.2023 Posted in Employment & Health & Safety
Properly sequencing your Construction Adjudications: Henry Construction Projects Ltd v Alu-Fix (UK) Ltd
According to the UK’s Technology and Construction Court (TCC) (in Henry Construction Projects Ltd v Alu-Fix (UK) Ltd [2023] EWHC 2010) valid payment claims must be paid before the underlying merits ...
30.10.2023 Posted in Construction & Disputes
Key change to rules on distribution of surplus assets under the new Incorporated Societies Act 2022
On 5 October 2023, the new Incorporated Societies Act 2022 (2022 Act) came fully into force, replacing the Incorporated Societies Act 1908 (1908 Act). One of the key requirements under the 2022 Act is...
18.10.2023 Posted in Business Advice
Construction Framework Wide BW
Major milestone passed – NZS3910:2023 expected in time to fill Christmas stockings
As the most widely adopted standard form construction contract in NZ, NZS 3910 was more than ready for updated conditions given the changes in the industry since its last review in 2013.  After almos...
09.10.2023 Posted in Construction
Send us an enquiry

For expert legal advice, please complete the form below or call us on (09) 375 8700.