Employer Accessing Staff Personal Email Breaches Privacy Act


Published 12 Aug 2013

In a cited Privacy Commissioner case, an Employer used keystroke logs from an Employee's work computer to access the Employee's personal web-based email account and then copied several personal emails which had been sent to and from the work computer.

The Commissioner found that by using a password obtained from key stroke information to access the Employee's personal email account, the Employer had breached privacy principles 1, 3 and 4 of the Act.

Principle 1 requires that the collection of personal information must be necessary for a lawful purpose connected with the functions or activities of the collecting agency (i.e. the Employer). The Commissioner found that the information collected was disproportionate to the Employer's needs. By accessing the Employee's personal email account, the Employer was able to obtain a vast amount of personal information that went back over a period of several years. This information went well beyond any information that may have been relevant to an employment-related investigation.

Principle 3 requires an agency to take such steps as are reasonable to ensure that the individual is aware of the fact that the information is being collected and the purpose for its collection.

The Commissioner found that the Employer's policies were not explicit enough to make an Employee aware that key stroke information was being collected, and that if they entered a password into the computer, the Employer would be able to use this information to collect further information not held on the work computer.

Principle 4 provides that personal information shall not be collected by unlawful means, or means which, given the circumstances, are unfair or unreasonably intrusive. The Commissioner's view was that an individual would have a high expectation of privacy in relation to their personal email account, and therefore it would require exceptional circumstances to justify an Employer accessing that account. No such exceptional circumstances were found to exist in this case.

The decision has significant implications for Employers. Not only does the case clarify the requirements for compliance with the Act, but it also highlights the importance of collecting and using personal information in a fair and reasonable manner where an Employer wishes to use collated information in support of disciplinary proceedings or an investigation.

Source: Privacy Commission