Office of the Privacy Commissioner | Case note 229558 [2012] NZ PrivCmr 1 : Employer uses monitoring software to collect personal information
As part of an employment investigation, an employer collected personal information from a man's work computer.
The information collected included emails sent to and from the work computer, as well as key stroke logs for the computer.
The employer used information collected from key stroke logging to access the man's personal web-based email account and copy several emails.
The man complained to us about the information his employer had collected.
We considered that separate issues were raised for the two different types of information collected: information collected directly from the work computer, and information collected from the man's personal email account.
Information collected directly from the work computer
We were satisfied that this action complied with the Privacy Act. This was because in both the employment agreement and employee manual the employer had clearly set out that work computers would be subject to monitoring.
However, we considered the collection of key stroke information raised issues under principle 3 of the Privacy Act.
Principle 3(1) sets out that where an agency collects information from an individual, the agency must take such steps as are, in the circumstances, reasonable to ensure that the individual is aware of a number of things, including the fact that information is being collected.
The policies set out in the agreement and manual were not explicit enough to make staff aware that such detailed information was being collected.
On this basis we considered that the employer had breached principle 3 in collecting key stroke information.
Information collected from the personal email account
Using the password it obtained from key stroke information, the employer accessed the man's personal email account. We considered this raised issues under principles 1, 3 and 4 of the Privacy Act.
Principle 1
Principle 1 sets out that agencies must not collect personal information unless it's for a lawful purpose connected with the functions or activities of the agency, and collection is necessary for that purpose.
When the employer accessed the man's personal email account, it was able to obtain information in relation to a significant number of emails sent over a period of several years.
This went well beyond any information that may have been relevant to the employment investigation. We formed the view that the employer had breached principle 1, because the collection was unnecessary and disproportionate to the employer's needs.
Principle 3
We were also satisfied that the employer's policies were not explicit enough to make an employee aware that if they entered a password into the computer, the employer would be able to use this information to collect further information not held on the work computer. We formed the view that this also breached principle 3.
Principle 4
Principle 4 requires that personal information shall not be collected by unlawful means, or means which, given the circumstances, are unfair or unreasonably intrusive.
Principle 4 is concerned with the method of collection. We considered that an individual's personal email account attracts a high expectation of privacy and it would require exceptional circumstances to justify an employer directly accessing it.
In this case we did not consider there were exceptional circumstances, and so this method of collection was unreasonably intrusive and in breach of principle 4.
Outcome
We advised the employer of our views. The man and his employer attended mediation, were able to reach a settlement, and the complaint was closed.
June 2012
Collection of personal information - employer - use of monitoring software - Privacy Act 1993; principles 1, 3 and 4