Australian decision highlights privacy risks in staff investigations

As the use of social media grows in the workplace, an employer risks a potential breach of privacy laws when it obtains information about an employee through social media channels. An important decision by the Supreme court of Victoria explores the connection between privacy, human rights and social media use. With the majority of privacy cases resolved by conciliation, not many get to court, so this case offers interesting insights into how the court interprets Australian privacy law. A lesson for businesses is that they should prepare for potential breaches of the law by creating and enforcing robust privacy policies.

The case in question

In Jurecek v Director, Transport Safety Victoria [2016] VSC 285, the court ruled on whether Transport Safety Victoria breached the privacy of employee Laura Jurecek by collecting personal information from her Facebook page and using it in a disciplinary action.

Jurecek had a dispute on Facebook with her colleague Paula Ferronato, the exchange ending with an abusive post. Ferronato shared the chats and posts with her manager and after an investigation, Jurecek was given a final warning. Jurecek complained to the Privacy Commissioner on the grounds of breach of information privacy principles in the Information Privacy Act. The Commissioner dismissed the complaint but referred it to the Victorian Civil and Administrative Tribunal, where it was again rejected.

Jurecek then appealed to the Supreme Court of Victoria, where she was granted leave to appeal since the case “raised important, novel and reasonably arguable questions about the application of the Information Privacy Act in the social media context and in particular about the application of the Information Privacy Principles to personal information on Facebook”. Jurecek complained that she had not been made aware that during the investigation, personal information about her was collected which was then used in the course of disciplinary action without her consent.

What the court considered

In its decision, the court considered whether:

  • the collection of information for an investigation was necessary for the company’s functions or activities;
  • the collection of information was fair and not unreasonably intrusive;
  • Jurecek was made aware of the collection of information as soon as practicable by a notice of investigation; and
  • it was reasonably practicable to get information from Jurecek’s Facebook page instead of directly from her.

The court also considered the Charter of Human Rights and Responsibilities Act on the nature and importance of the purpose of collection and if the extent of the interference was done in a reasonably proportionate way.

Court’s decision

Jurecek’s appeal was dismissed in the end because the court found that:

  • the investigation was a necessary function for investigating employee misconduct;
  • the information collected was done lawfully;
  • the employer took reasonable steps in ensuring Jurecek was aware of the purpose of the information collected by a notice of investigation; and
  • it was not reasonable to get information directly from Jurecek to conduct the investigation.

“The case confirms and clarifies privacy principles,” says Veronica Scott, special counsel in the media and communications group of Minter Ellison. “The decision was well reasoned, considered carefully, and applied the facts in context.”

Social media and privacy policies

Veronica Scott

The lesson from the case is the importance of setting clear privacy and social media use guidelines so that employees and employers are both aware of the consequences. “Employers should have policies on bullying and social media use, so that there are reasonable expectations in disciplinary actions,” says Scott.

“Companies should be aware of the nature of the social media usage and the range of personal information obtained,” says Scott. “For example, if a company makes a copy of a Facebook post, there is information on the account holder and the people that are talked about in the post. The company can be potentially gathering information it is not sure about and beyond what it aimed to collect initially. Businesses need to decide what and why information is collected and ensure that there is privacy compliance and the risks of getting what is reasonably necessary,”

When information is given to third parties, businesses should be aware of the rules and arrangements of the third party and ensure that the third party is complying with rules that the company has. “The company needs to be make sure that the way to access the information is lawful as social media can be a valuable source of information for marketing and information collection,” says Scott.

“It would be useful to include collection notices in recruitment for example, so that job applicants know that information from social media might be used for recruitment purposes in assessing suitability of a candidate for a role,” says Scott.

This important case serves as an important reminder to businesses of the importance of having clear guidelines on social media use and potential risks of breaching privacy laws in accessing information about employees. Companies should also be aware of the risk of breaching privacy laws when information is provided to third parties.