In the case of Madzikanda v Australian Information Commissioner [2023] FCA 1445, the Federal Court addressed the employer's rights to lawfully access employees' personal accounts through their work devices.

Facts

  • An employee was suspended from his employment and required to surrender his work laptop as part of an investigation into alleged misconduct.
  • Over the course of several years, the employee had used the work laptop for both professional and personal purposes, storing sensitive information including passwords to online banking, private email accounts, and his personal OneDrive and iCloud accounts.
  • The employee claimed the employer assured him that his personal information would not be accessed until 11 June 2019 once he had the opportunity to obtain legal advice.
  • Despite these assurances, on 7 June 2019 the employee received a notification that his iCloud account had been accessed from the work laptop and he also noticed unauthorised access to his personal email accounts.
  • On 13 June 2019, the employee received a letter of allegations referring to a conversation in a private email which apparently demonstrated that he was working on other projects in competition with the employer during company time. He was subsequently dismissed on 17 July 2019.

Complaint to Australian Information Commissioner

The employee lodged a complaint with the Australian Information Commissioner (the Commissioner) under the Privacy Act 1988 (Cth) (the Act), alleging that his former employer had interfered with his privacy under the Act by accessing his personal information on his work laptop.

As part of his complaint, he sought:

  • access to the personal information from his laptop;
  • deletion of the information retained by his former employer; and
  • compensation for the inconvenience and distress caused.

The employer denied it had used personal information saved on the laptop to access his online accounts. The employer also said the laptop was later stolen in an unrelated incident.

The Commissioner ultimately declined to investigate the complaint further, with their investigator stating:

"An employee record means a record of personal information relating to the employment of the employee. Examples include records about the employee's personal contact details and records about the employee's performance or conduct. To the extent that the personal information involves records of sites or accounts that you visited, using the work computer, I am satisfied that this amounts to a record of personal information relating to your conduct during your employment.

I consider that you were aware that the work computer was not your private property, and that any data saved to the computer may have formed part of your employee records, as it was subject to routine monitoring and review.

[The Employer] does not require your consent to access or use the equipment that it issued to you to perform your employment duties. As the computer was a tool the respondent provided to you to carry out your employment duties, it remains the property of the respondent.

Additionally, you say that the respondent used your password to access your personal email account. I am satisfied that the acts or practices relate to employee records 'held' by the respondent relating to you.

Therefore, I consider the respondent's acts and practices, in relation to the records it held, are not covered by the [Australian Privacy Principles (APP)] in the Privacy Act, and that the respondent has not interfered with your privacy under APP 6, APP 11 or APP 12 in this instance."

Appeal to the Federal Court

The employee sought judicial review in the Federal Court of the Commissioner's decision to close the investigation into his complaint.

The grounds of appeal were dismissed on the basis that:

  • the employee failed to demonstrate that the Commissioner's delegate did not follow fair processes or provide a full opportunity for the applicant to present their case; and
  • there was no error of law in the Commissioner's delegate's decision not to investigate further on the basis that "further investigation of the complaint was not warranted having regard to all the circumstances".

Consequently, the Court was not required to consider the "employee records" exemption, which was one of the factors relied upon by the investigations officer to justify declining to consider the employee's case further. Section 7B(3) of the Privacy Act provides that, in certain circumstances, an employer's handling of current and former employees' records is exempt from the APP.

It is likely that the "employee exemption" in the Privacy Act will be modified – or removed entirely – in the future. The Commonwealth Attorney-General's February 2023 review of the Privacy Act recommended greater transparency regarding employers' collection and use of employees' personal information. You can read more about the "employee exemption" via this link.

In conclusion

This case illustrates the grey area in Australian privacy law and the limits on employees' ability to pursue legal action for alleged breaches. It also serves as a reminder for employers to ensure that they have appropriate policies and procedures in place to enable them to, when necessary, access information held on employees' devices, such as work laptops and mobile phones.
