Australia: Private eye: using Facebook to discipline an employee

The Supreme Court of Victoria's decision of Jurecek v Director, Transport Safety Victoria [2016] VSC 285 clarifies the application of privacy law to an employee's social media account, specifically in relation to an employer collecting and using information gathered from an employee's Facebook account when investigating misconduct.

Facts

Ms Jurecek commenced employment with the Victorian Office of the Director of Transport Safety (TSV) in 2012. She experienced ongoing issues with alleged workplace bullying, stress and other complaints.

Ms Jurecek had engaged in a number of private message conversations with a colleague and also made public posts on Facebook during which she made a number of employment-related remarks. Ms Jurecek's Facebook account was in a different name. Ms Jurecek made a particularly abusive post on the colleague's Facebook "wall". The colleague reported the abusive post to TSV, and also provided the employer with copies of the private message conversations. Following an investigation by TSV, Ms Jurecek was found guilty of misconduct for breaching TSV's Social Media policy and given a final warning.

She complained to the Privacy Commission that her employer had breached the Information Privacy Principles (IPP) contained in the Information Privacy Act 2000 (Vic). The complaint was dismissed by both the Privacy Commissioner and the Victorian Civil and Administrative Tribunal. Ms Jurecek appealed to the Victorian Supreme Court.

Ms Jurecek complained TSV breached the IPPs by accessing information on her Facebook that was password protected, and by not making her aware that they were collecting information about her as soon as practicable.

TSV argued the IPPs permitted it to collect (and therefore use) the information gathered from Ms Jurecek's Facebook account as the collection and use was for the purpose of workplace disciplinary investigation which was necessary for one or more of the organisation's functions and activities. Conducting investigations into allegations of misconduct was a necessary function of TSV (and any employer).

Employer's surveillance lawful

The Court dismissed Ms Jurecek's appeal, holding that:

• Ms Jurecek's social media posts constituted personal information. Although information may be accessible on Facebook or elsewhere on the internet, that does not mean it is a generally available publication.
• What is considered necessary for the functions and activities of an organisation is to be interpreted broadly. "Necessary" does not mean essential or indispensable, but means reasonably appropriate and adapted. Here, the misconduct investigation was a legitimate purpose and the collection of personal information about Ms Jurecek was justified.
• It was appropriate for TSV to conduct the investigation without approaching Ms Jurecek for the information, up to a certain point, as it could have undermined the integrity of the investigation itself.
• The notification requirement of the relevant IPPs can be achieved without necessarily providing the employee with access to a copy of the document, so long as the employee is made aware of the contents and form of the information.

No free pass under privacy legislation – for employees or employers

Although this decision involved legislation targeted towards the public sector, it is also relevant to private sector employers. The Privacy Act 1988 (Cth) contains the Australian Privacy Principles (APP) which are similar to the IPPs and apply to private sector employers with an annual turnover greater than $3,000,000, and Commonwealth agencies.

The Privacy Act contains an exemption from the APPs for employers where the relevant conduct relates to a "employee record". An "employee record" is "a record of personal information relating to the employment of the employee". It remains unclear whether an employee's social media account will be an employee record as it is unclear whether such information is personal information relating to the employment of the employee. Without clear judicial direction as to what this includes, it is recommended that employers continue to comply with privacy obligations when conducting investigations involving monitoring an employee's internet or social media activity.

Whilst the decision confirms that privacy laws extend to an employee's social media accounts, including public posts and private chats or messages, it would be wrong to assume the decision gives employers carte blanche to monitor all employee social media activity.

An employer should keep the following in mind where an employee's social media account or activity is relevant to workplace issue:

• Employers should assume that privacy legislation will apply to any monitoring of employees' social media accounts, emails or internet activity.
• Employers should be aware of their obligations to notify employees about the collection and use of personal information when conducting investigation into employee conduct.
• Employers should have clear policies regarding expected standards of conduct or behaviour with respect to activity on social media and that the disciplinary policy may apply to their activities on social media.
• Compliance with privacy obligations does not have to result in compromising the integrity of an investigation itself. An employer is not required to disclose the collection of information during the investigation process.
• The requirement to provide an employee with natural justice will usually mean informing the employee of all information collected during an investigation when putting the allegations to them for their response.
• An employer can use information gathered during an investigation for the purpose of taking disciplinary action against an employee, where such use is reasonably appropriate and adapted to the investigation. What is reasonably appropriate and adapted will depend on the specific circumstances of each case.