To what extent can employers monitor their employee's communications? It is now commonplace for employers to provide employees with mobile phones, laptops and computers for work purposes. Some employers also pay for home internet connections and mobile telephone plans. Does this give the employer the right to access the communications made and received through the phones and computers it provides?
The answer is not straight forward.
Employers must comply with the privacy principles in the Privacy Act, the terms and conditions of their employees' employment, and also their good faith duties to their employees.
Frequently employers will monitor an absent employee's emails to check that work-related messages are not missed and are diverted to another employee. This would be a legitimate purpose and good reason for monitoring work emails. The employee tasked with monitoring the absent person's emails should be given clear guidance on what he or she should be opening. If there are clearly personal emails in the employee's inbox, the person monitoring should not open those emails (for example, an email from a spouse with a heading suggesting it is not work-related). Where this type of monitoring occurs, employees should be made aware of it and it should be recorded in the employer's policy on computers and telephones.
The ability to access does not give the right to access. Take for example an employee's work computer that the employee has used to do his internet banking. If the computer automatically saved his password and access code, his employer could log into his bank account. Equally this could occur for social media such as Facebook or Instagram where the employer's computer stores the employee's login details. The employer might have a policy that states that information stored on its computer system is its property. However, this does not permit the employer to access new information by using stored login details. Doing so will almost certainly be a breach of the employee's privacy and could also amount to a breach of section 252 of the Crimes Act 1961 for accessing a computer system without authorisation (unauthorised login to a Facebook account has been considered a breach of this section).
What if the employee receives employment related advice via his work email, or medical advice about a work-related injury? Can the employer open and read those emails? Where an email is clearly marked as personal, confidential, or privileged, the employer should consider carefully whether it can lawfully open that communication. In certain circumstances access may be permissible, however consent from the employee should normally be obtained.
Employers should be familiar with their obligations under the Privacy Act and apply the privacy principles to their work practices. The privacy principles and guidance on their use can be found on the Privacy Commissioner's website.
Having a robust, well thought out policy about the use of work devices and work-provided internet is crucial. This policy should set out the employer's expectations about work device use, including whether there are restrictions on the use of the device for personal use, and the circumstances in which the employer may monitor the internet use and communications to and from the device. The policy should be consistent with the privacy principles of the Privacy Act. If monitoring of communications and internet use occurs, the policy should specify the reasons for any monitoring and what the employer may use the information obtained for. Employees should be given a copy of, or easy access to, their employer's IT policy.
This article was written by Susan Rowe and Shaun Brookes for the NBR (August 2019).