How do the Information Privacy Principles apply during a social media misconduct investigation? - Data Protection

In Jurecek v Director, Transport Safety Victoria [2016] VSC 285 (11 October 2016) (Jurecek), the Supreme Court of Victoria (the Court) clarified the application of the Information Privacy Principles (IPPs) to an investigation of employee misconduct on Facebook.

In Jurecek, the Supreme Court of Victoria confirmed that the IPPs operating under Victorian privacy legislation may apply to information on an employee's social media account.

However, the findings of the Court indicate that the IPPs need not be interpreted by employers in a manner that jeopardises an investigation into misconduct on social media. The Court took a practical approach, largely adopting the assessment of the factual circumstances by the Victorian Civil and Administrative Tribunal (VCAT) at first instance.¹

Ms Jurecek was employed by the Department of Transport, but was seconded to assist the Office of the Director, Transport Safety Victoria (the Respondent) (TSV).

This case concerns a series of exchanges that occurred on Facebook between Ms Jurecek and a colleague, both on a Facebook 'wall' and in private messages.

The nature of these exchanges was the subject of much dispute between the parties, including:

whether Ms Jurecek actually wrote some of the impugned posts and messages;
how Ms Jurecek and her colleague's Facebook profile pages were accessed; and
the privacy settings of the respective Facebook profile pages at the relevant time.

However, as TSV considered the posts and messages sent by Ms Jurecek to her colleague to be abusive in nature, it considered an investigation into her conduct was warranted. After an initial internal investigation, TSV engaged an external investigator who concluded that the allegations of misconduct on social media were substantiated.

TSV accepted the findings of the external investigator and issued a formal warning to Ms Jurecek, noting that another investigation would be conducted into an allegation that she had lied during the investigation process.

Ms Jurecek made an application to the Victorian Privacy Commissioner complaining about her treatment by TSV. After rejecting these complaints, the Commissioner referred the matter to VCAT, which also found (for the most part) that the complaints were not proven.

Ms Jurecek claimed that TSV breached the IPPs set out in Schedule 1 of the Information Privacy Act 2000 (Vic) (Privacy Act) (the predecessor to the current Privacy and Data Protection Act 2014 (Vic)) by arguing, in summary, that:

TSV's collection of the personal information from her Facebook account for the purposes of a workplace disciplinary investigation, or without her knowledge or consent, was not 'necessary for one or more of TSV's functions or activities', in breach of IPP 1.1;
TSV did not collect the personal information only by 'lawful and fair means and not in an unreasonably intrusive way', in breach of IPP 1.2;
TSV did not make Ms Jurecek 'aware' that the personal information had been collected, in breach of IPPs 1.3 and 1.5; and
TSV did not collect the personal information from Ms Jurecek directly, in breach of IPP 1.4.

TSV argued, amongst other things, that some of the information obtained from Facebook was not 'personal information' for purposes of the Privacy Act.

The decision of Justice Bell of the Supreme Court of Victoria confirmed that:

information on Facebook may be 'personal information' for the purposes of privacy laws, even if it is accessible to anyone online – that is, information on Facebook does not necessarily constitute a 'generally available publication';
TSV did not breach IPP 1.1 as the collection of the personal information was necessary for a misconduct investigation, which is a legitimate purpose;
TSV did not breach IPP 1.2 as the collection of the personal information was not by unauthorised means (nor unreasonably intrusive) - the information was located through Facebook searches (or provided to TSV by the employee who was the target of Ms Jurecek's posts and messages);
TSV did not breach IPP 1.3 and 1.5, as these principles impose an obligation to take reasonable steps to ensure the individual is made aware of the specified matters, but does not stipulate how this is to be done – therefore, for example, TSV was not required to immediately notify Ms Jurecek of the collection of the information as this would have jeopardised the investigation;
TSV did not breach IPP 1.4 as it was not 'reasonably practicable' for TSV to obtain the personal information from Ms Jurecek directly - this would also have jeopardised the investigation.

THE JURECEK CASE: IMPLICATIONS FOR EMPLOYERS

The Jurecek decision will have different implications for employers, depending on the privacy legislation which is applicable in a particular employment context.

The IPPs under the Privacy and Data Protection Act 2014 (Vic) apply to the handling of employees' personal information in the Victorian public sector. Similar legislation applies in NSW and Queensland.

At the federal level, the Privacy Act 1988 (Cth) sets out Australian Privacy Principles (similar to the IPPs) applying in the public sector and to private sector businesses with an annual turnover of at least $3 million. 'Employee records' are exempt from the privacy obligations imposed under the federal legislation.

Records of employee email and internet use may in some circumstances constitute an 'employment record' falling with this exclusion. However, it is safer for employers to assume that any monitoring of employees' email or internet activity (and possible misuse) is subject to the federal privacy law. Several decisions support the carrying out of such monitoring as being legitimate and for a lawful purpose under the Privacy Act.²

The decision of the Supreme Court of Victoria in Jurecek has confirmed that while state or federal privacy protections may apply to information on an employee's social media account, compliance with these laws does not prevent an employer from conducting a robust disciplinary investigation.

However, employers should be aware of their obligations under the applicable privacy legislation – particularly in relation to the requirement that employers notify an employee that his or her personal information has been collected.

Footnotes

¹ See Jurecek v Director Transport Safety [2015] VCAT 253.

² See e.g. Griffiths v Rose (2011) 192 FCR 130.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.