An Employer´s Right to Protect the Privacy of its Employees

• Employers now have an alternative means to protect the privacy of their employees who might otherwise not have the resources individually to seek a remedy if their privacy is breached.

The recent decision in Seven Network Operations Limited v Media, Entertainment and Arts Alliance and ACTU Member Connect Pty Ltd [2004] FCA 637 has now opened the way for employers to protect the privacy rights of their employees where another party misuses their personal information. Clayton Utz acted for Seven Network in this proceeding.

The Federal Court of Australia has recognised the right of an employer, in this case the Seven Network, to seek an injunction under the Privacy Act 1988 (Cth) to restrain a breach of its employees' privacy. The decision also clarified the role of the Federal Court to enforce the Privacy Act, and in particular, to prevent a breach of the National Privacy Principles ("NPPs") which came into force in December 2001 by means of granting injunctions.

Seven also brought proceedings under the Copyright Act 1968 (Cth) and the Workplace Relations Act 1996 (Cth) ("WR Act") with respect to the conduct engaged in by a union and a call centre. Seven was successful in its Copyright Act claim against both parties and was also awarded its costs of the proceeding in respect of the claims under the Copyright Act and the Privacy Act.

Seven and the Media, Entertainment and Arts Alliance ("MEAA") had been negotiating for a new certified agreement for some time before Seven decided to make an agreement directly with its employees under section 170LK of the WR Act ("170LK Agreement"). In order to do so, it proposed to conduct a vote of its employees on the 170LK Agreement.

In the week prior to the proposed vote by Seven's employees, MEAA commenced a telephone polling campaign of all Seven's employees. It engaged ACTU Member Connect Pty Ltd, a company that provides call centre services, to conduct the telephone polling campaign ("the Polling"). Each employee contacted by Member Connect on behalf of MEAA was asked a series of questions, including how they proposed to vote on the 170LK Agreement. In order to conduct the Polling, MEAA obtained a copy of Seven's internal telephone directory and forwarded this to Member Connect to enable it to contact each of Seven's employees. Justice Gyles found that, in the absence of any evidence led by MEAA, he was able to infer that MEAA had taken active steps to obtain Seven's directory from Seven without Seven's permission.

Member Connect then used the telephone directory to create a database, which included the names and contact information for each employee at Seven along with their answers to each question asked during the Polling.

Seven brought the proceedings in the Federal Court of Australia under section 98 of the Privacy Act against MEAA and Member Connect for an injunction to prevent breaches of the NPPs. Seven argued that the information contained in the Seven directory about its employees was personal information under the Privacy Act. Furthermore, the information collected by Member Connect during the Polling constituted both personal and sensitive information under the Privacy Act. Seven argued that MEAA and Member Connect had not complied with the obligations imposed by the NPPs when it collected the information. This included failing to inform the individual employees that they had collected their personal information, using and disclosing the personal or sensitive information in breach of the Privacy Act and failing to inform each employee about the right they had to access the information held about them.

Seven relied on the wording in section 98 to argue that it, as "any other person", could apply to the court for an injunction to restrain a third party from breaching the Privacy Act with respect to its employees.

MEAA and Member Connect argued that the Federal Court had no power under the Privacy Act to enforce the National Privacy Principles. Instead, the court was only to be used to enforce determinations of the Federal Privacy Commissioner. Justice Gyles rejected this argument.

In relation to Seven's standing to bring the claim on behalf of its employees, Justice Gyles stated that Seven was entitled to bring proceedings pursuant to section 98 of the Privacy Act. His Honour did not analyse the circumstances in which an organisation or person could bring a proceeding under section 98 to protect the privacy of a third party, and consequently, did not expressly limit the circumstances in which this kind of action could be brought.

His Honour granted permanent injunctions against MEAA and Member Connect with respect to the breaches of the Privacy Act that he found proved.

MEAA were held in breach of NPP 1 when it received the results of the Polling conducted by Member Connect as the information was not necessary for one of its functions or activities. MEAA were also found in breach of NPP 1.5 by failing to make the required disclosures, such as informing the employees that it had collected their personal information, when it collected the results of the Polling from Member Connect.

Member Connect was found to be in breach of NPP 1.3 when, during the Polling, it failed to disclose the matters required in NPP 1.3, including its identity and how the Seven employee could contact the organisation.

Before this decision, employers had limited rights to protect the privacy of their employees. One method was to seek to enforce a common law duty of confidence if one existed. However, enforcing a duty of confidence between an employer and a third party under the common law requires that a number of elements be satisfied, including that the information was imparted in circumstances that would attract the duty of confidence, and that the information being protected was capable of falling within the scope of "confidential information" as established in law. This common law test of what is confidential information is not an easy one to satisfy and is quite different to the statutory question of what is personal information or not.

The right to seek an injunction from the Federal Court or Federal Magistrates' Court, under section 98 of the Privacy Act, represents an alternative means by which an employer can seek to protect the privacy rights of its employees where the relevant information fits within the definition of personal or sensitive information.

There are a range of circumstances in which an employer might want to take an action under section 98 because the dissemination of the personal information of an employer's employees both offends the privacy rights of the employees and also impacts on the business operation of the employer.

This decision is the first substantial consideration of the power of the Federal Court to grant an injunction restraining a breach of privacy under section 98 of the Privacy Act. Employers now have an alternative means to protect the privacy of their employees who might otherwise not have the resources individually to seek a remedy if their privacy is breached.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.