

INFORMATION FOR AGENCIES

1300 00 6842 | ovic.vic.gov.au

Privacy in the workplace

Freedom of Information | Privacy | Data Protection

Introduction
Privacy in the workplace
Promoting a culture of privacy in the workplace
How employers can promote a good privacy culture in the workplace
Privacy during recruitment
Collecting personal information from applicants
Providing notice of collection to applicants
Sharing information collected as part of a reference check
Contacting someone who has not been nominated as a referee by the applicant
Sharing personal information about former or current employees to prospective employers
Background checks
Online profiling during recruitment
Minimising the privacy risks of online profiling
Privacy during employment
Protecting employees’ personal information
Restricted access
Protective Markings
Disclosing information about employees
Investigating suspected unlawful activity
Employee monitoring and surveillance
Monitoring email, phone and internet use
GPS tracking
Surveillance cameras
Drug and alcohol testing
‘Bring your own device’ programs
Biometric systems
Working remotely
End of employment
Retention of employees’ personal information
Conclusion


Introduction

Individuals have a reasonable expectation of privacy in the workplace that needs to be balanced with the legitimate requirements of employers to collect, use, and disclose personal information about their employees for a range of purposes.

This information sheet aims to provide general guidance to employers in Victorian public sector (VPS) organisations about balancing these interests.1 It outlines the importance of a privacy culture in the workplace, and looks at how VPS employers can uphold employees’ privacy during recruitment, within the workplace, and at the conclusion of an individual’s employment.

Privacy in the workplace

Victoria does not have specific privacy laws in relation to the workplace. While Victoria’s main privacy law, the Privacy and Data Protection Act 2014 (PDP Act), contains information privacy protections for personal information (including that of VPS employees), the PDP Act only applies to Victorian public sector organisations.2

The privacy protections in the PDP Act are enshrined in 10 Information Privacy Principles (IPPs) that govern how VPS employers must handle any personal information they hold, including that of their employees.3 Examples of personal information may include employees’ names, dates of birth, addresses, financial details, criminal records, and education and employment histories.

In addition to the PDP Act, there may be privacy provisions in other state or federal legislation that are relevant to the workplace. VPS employers should ensure they are aware of the different privacy obligations that may apply to them. Other applicable Victorian legislation may include:

• the Health Records Act 2001 (HR Act), where health information is involved;

• the Surveillance Devices Act 1999 (SD Act); and

• the Charter of Human Rights and Responsibilities Act 2006 (the Charter), which provides for a general right to privacy.4

1 For the purposes of this information sheet, the term ‘VPS employer’ or ‘employer’ refers to organisations within the Victorian public sector that are subject to the Privacy and Data Protection Act 2014 (PDP Act).

2 Public sector organisations include public sector agencies, local councils, courts and tribunals, and in certain circumstances, contracted service providers – see section 13 of the PDP Act.

All VPS employees must also adhere to binding Codes of Conduct issued by the Victorian Public Sector Commission. The Codes of Conduct set standards of expected behaviour for VPS employees, including in relation to privacy.5

Promoting a culture of privacy in the workplace

A workplace culture that respects privacy has benefits for both employees and the employer. A culture of privacy can:

• enhance employees’ trust and confidence in their employer’s commitment to protecting their privacy, contributing to a positive working environment;

• encourage employee access to health and wellbeing schemes (such as personal or mental health leave), if employees are confident that their personal or sensitive information will be kept secure and not disclosed to others unnecessarily; and

• reduce the risk of a data breach, which could result in harm to employees and financial or reputational harm to employers.

3 The Information Privacy Principles are contained in Schedule 1 of the PDP Act.

4 Section 13 of the Charter of Human Rights and Responsibilities Act 2006 (Vic).

5 For more information see the Victorian Public Sector Commission’s website www.vpsc.vic.gov.au.

A good culture of privacy in the workplace can also enhance employees’ confidence that their personal information will only be collected and used where there is a genuine and justifiable business need.

How employers can promote a good culture of privacy in the workplace

One way that VPS employers can demonstrate their commitment to protecting employees’ privacy – and upholding their obligations under the PDP Act – is by adopting a privacy by design approach. This can be achieved, for example, by undertaking a privacy impact assessment (PIA) for business practices and initiatives that involve personal information, including employee information.6

PIAs assist organisations to identify the potential privacy risks of a practice or initiative, identify measures to mitigate these risks, and evaluate whether the practice or initiative complies with the IPPs.

Examples of processes or initiatives that may warrant a PIA include internal programs such as payroll systems, the use of an electronic messaging service for internal communication, the use of GPS tracking in company vehicles, or a new recruitment process. While PIAs generally cover information privacy, organisations may also need to consider other broader elements of privacy, such as bodily, territorial or locational privacy.

Another way that VPS employers can promote privacy in their workplace is to provide privacy training to employees upon commencement of their employment, as well as ongoing training to ensure employees continue to be aware of any privacy obligations they need to uphold in carrying out their roles.

6 A PIA template and accompanying guide is available on the OVIC website at https://ovic.vic.gov.au/privacy/for-agencies/privacy-impact-assessments/.

Privacy during recruitment

There are a number of steps that VPS employers can take to protect the privacy of applicants during the recruitment process.

Collecting personal information from applicants

As part of the application process, employers will generally require applicants to provide a range of information, including personal information such as the applicant’s name, contact details, and employment history.

Under IPP 1.1, VPS employers may only collect personal information if it is necessary for one or more of their functions or activities. As such, employers should initially request no more personal information from applicants than is necessary to assess their suitability for a position or progression to the next stage of the application process.

IPP 1.2 requires collection to be done by lawful and fair means, and not in an unreasonably intrusive way. Employers should therefore ensure that they collect the minimum amount of personal information necessary at the appropriate time, as collecting too much information too soon may be considered unreasonably intrusive. For example, applicants may be asked to provide additional personal information once they have been successfully selected for a position, such as banking details, a tax file number, and emergency contact details. However, this information should not be collected from all applicants at the time of submitting an application, if it is not necessary for the initial assessment of applicants’ suitability for a position.

Similarly, employers will usually ask applicants to provide details of nominated referees, in order to confirm their suitability for a position. However, to minimise the risk of unnecessary collection, referees’ personal information should be collected at an appropriate stage during the application process, such as after an interview and where an applicant has been shortlisted or selected for a position.

Providing notice of collection to applicants

Under IPP 1.3, VPS employers must take reasonable steps to tell applicants about certain matters regarding the collection of their personal information, such as the purposes for which the information is collected, and the main consequences (if any) if all or part of the personal information requested is not provided. This is usually referred to as a collection notice.7

Collection notices should be provided to applicants before or at the time of collecting their personal information, or if that is not practicable, then as soon as practicable after the collection. IPP 1 does not prescribe how notice must be provided, so it is up to the employer to decide the most appropriate way to provide a collection notice to applicants. For example, notice could be provided in writing in the initial job advertisement or on an application form, or verbally during an interview if additional personal information is being collected at that time.

Employers must take reasonable steps to provide notice to applicants for each new collection of personal information during the recruitment process, regardless of whether that same information has been collected previously. For example, an employer may provide a notice for personal information collected at the time an application is submitted, and then again when collecting the successful candidate’s banking details, even if some of the personal information collected in the latter instance is the same as in the first collection.

This requirement also applies throughout the course of an employee’s employment – if personal information is collected from employees at various times, reasonable steps to provide notice must be taken each time. This is particularly important if the personal information collected subsequently will be used for a different purpose than the original collection.

7 See IPP 1.3 for the full list of matters that must be contained within a collection notice. For more information about collection notices, see the Collection notices information sheet, available on the OVIC website at https://ovic.vic.gov.au/privacy/for-agencies/guidance-and-resources/short-guides/.

Sharing information collected as part of a reference check

At the time of giving a reference, a nominated referee might request that the information they provide about an applicant remain confidential. However, employers should not guarantee confidentiality, as applicants may request documents relating to the recruitment process, which may include information provided by referees during a reference check. Requests for access may be made to VPS employers informally, through the Freedom of Information Act 1982 (Vic) (FOI Act) or under IPP 6, where applicable.

Regardless of the avenue through which the request is made, whether a request for access to documents relating to the recruitment process is granted will depend on the circumstances of each matter and should be determined on a case-by-case basis. For example, certain exemptions under the FOI Act or exceptions to IPP 6 may apply to restrict access to some or all of the information requested.

In every case, employers should make clear to the referee what information is being recorded, and note that the applicant may request access to recruitment documents. This will enable the referee to understand what could potentially be released to an applicant, should they make a request for access.

Contacting someone who has not been nominated as a referee by the applicant

An employer may wish to seek a reference from a person who has not been nominated by the applicant. For example, the applicant may not have nominated the most appropriate person to provide information about their suitability for a job (such as their current or most recent employer), or the nominated referee may not work closely enough with the applicant to give sufficiently detailed information.

If an employer decides that it is necessary to speak to an unlisted referee, they should always seek an applicant’s consent before doing so. Discussing this matter with the applicant provides them the opportunity to explain why they provided their chosen referees and did not list others. It also provides the employer with the opportunity to ensure adherence to IPP 1.5, which requires that notice of indirect collection be provided to individuals when personal information about them is collected from third parties.

Sharing personal information about former or current employees to prospective employers

In some cases, VPS employers may be reluctant to share information about a current or former employee when asked to give a reference to a prospective employer. When applying for a position, applicants should be encouraged to ensure they advise any nominated referees that they may be contacted to provide a reference, and that they (the applicant) consent to their personal information being shared.

This permits the VPS employer to disclose personal information about the applicant to a prospective employer under IPP 2.1(b).

Background checks

Under IPP 4.1, VPS employers are required to take reasonable steps to protect the personal information they hold – including employees’ personal information – from misuse, loss, and unauthorised access, modification or disclosure.

The reasonable steps taken by VPS employers should involve measures across different security areas: governance, information, personnel, ICT and physical security. One area that is particularly relevant to the recruitment process is personnel security, which involves ensuring only eligible and suitable people are engaged and employed and given access to information.

One personnel security measure that an employer may decide to adopt is pre-employment screening, to ensure prospective employees meet the organisation’s security requirements. Pre-employment screening may involve conducting different background checks, such as a police check or criminal record check. Background checks can be used to confirm the applicant’s eligibility or identity and to determine their suitability for the position.8

In some instances, background checks (for example, Working with Children checks) may be required by legislation, depending on the nature of the role and the employer in question. In other cases, background checks may be conducted at the discretion of the employer.

Before requesting an applicant undergo a background check, the employer should first determine whether it is necessary for the position, or for the wider organisation’s security requirements. This can help to eliminate the unnecessary collection of personal information (including sensitive information) where an individual’s background history is not relevant to the performance of the job.

Employers should also ensure the type of check conducted is proportionate to the position, as some checks may require individuals to provide a substantial amount of sensitive and delicate information.

Further, background checks should only be conducted at an appropriate stage of the recruitment process – for example, once an applicant has been selected for the position.

8 The Australian Standard 4811: Employment Screening provides advice on background checks that should be undertaken, and the National Identity Proofing Guidelines provide advice on confirming identity.

Online profiling during recruitment

Searching for information about an applicant on social media and other online sources and using that information to inform recruitment decisions is often known as online profiling. This practice can range from reviewing a blog, to a social media review, to conducting a systematic search to uncover every aspect of an individual’s online presence.

Employers who choose to search online for information about an applicant without their knowledge need to do so with caution, as there are a number of risks associated with relying on social media to screen potential employees. For example, information found online may not be accurate, complete or current, as content posted by an applicant may be out of date or no longer relevant, or third parties may post information about the applicant that is inaccurate or false. Online information may also not be available for all applicants.

If an applicant is not aware that online profiling will occur, they do not have the opportunity to correct potentially inaccurate or out of date information about themselves that could be used to inform the recruitment process.

Additionally, online profiling carries the risk of over collection of personal information, including that of third parties. Employers can quickly lose control over the quantity and nature of personal information collected from online sources.

Online profiling may not always occur as part of a formal selection process; employers may conduct informal social media checks on applicants without actually collecting any personal information. However, even informal checks can carry a risk of introducing bias into the selection process and impacting a decision, regardless of whether this is done consciously or not. If accessing personal information about an applicant online – both informally and formally – organisations should ensure that they are transparent in their practices and record any instances of doing so.

Minimising the privacy risks of online profiling

VPS employers who decide to conduct online profiling as part of a recruitment process should keep the IPPs in mind – in particular IPP 1. In this context, IPP 1 requires that only personal information necessary for the recruitment activity is collected, regardless of how or from where it is collected. Prior to conducting a social media search, employers should set clear parameters regarding what information they will collect to ensure they do not collect more information than is necessary for decision making, nor collect third party information.

IPPs 1.2 and 1.4 are also relevant in this context. IPP 1.2 requires VPS employers to collect personal information by lawful and fair means, and not in an unreasonably intrusive way – as such, employers should carefully consider whether the collection of personal information through online profiling aligns with this principle. Employers should also consider whether online profiling that results in the collection of personal information complies with IPP 1.4 which, if reasonable and practicable, requires personal information to be collected only from the individual whom the information is about.

Employers should also be transparent, and if online profiling is a standard practice for all applicants, they should advise individuals as such, for example in an application form. This will ensure potential applicants know to expect that profiling will occur, and provide them an opportunity to correct inaccurate or supplement incomplete information.

Privacy during employment

The collection of personal information from applicants does not end once the recruitment process is complete; new personal information will be collected from employees for different purposes over the course of their employment. VPS employers have an ongoing responsibility to handle this personal information in accordance with the IPPs.

Protecting employees’ personal information

VPS employers are required to take reasonable steps to protect the personal information they hold (including of employees) from misuse and loss, and unauthorised access, modification or disclosure, in accordance with IPP 4.1.

Determining what is reasonable will depend on the context of each organisation; however, as noted above, the measures that employers implement should cover all security areas: information, personnel, ICT and physical security, and governance.9 Some examples of security measures that employers can take to protect personal information are outlined below.

The Victorian Protective Data Security Framework (VPDSF) under Parts 4 and 5 of the PDP Act, which is the overall scheme for managing protective data security risks across the Victorian public sector, also applies to many VPS employers. The VPDSF includes the Victorian Protective Data Security Standards (VPDSS), which require organisations covered by Parts 4 and 5 of the PDP Act to adhere to a minimum set of protective data security requirements.10

Restricted access

One information security measure that can be implemented to protect employees’ personal information is role-based access. Access to information about employees should be limited to those individuals who hold positions that are relevant to the handling of that information. For example, human resources management staff will require access to employee information for payroll purposes, however other staff members should not be able to see this information without a clear need to do so. Access may be restricted in a number of ways, including password protections for electronic data, locked cabinets for physical files, or swipe card access to restricted areas.

Protective Markings

Another information security measure that may be implemented to protect employees’ personal or sensitive information is a protective marking system. Protective markings indicate to individuals accessing the information the handling measures expected to be applied during the use, handling, storage, transfer and disposal of that information.

For example, applying a protective marking to emails or documents containing sensitive information about employees informs the level of protection that should be applied to that information.

9 For more information about ‘reasonable steps’, see the IPP 4 chapter of the Guidelines to the Information Privacy Principles at https://ovic.vic.gov.au/book/ipp-4-data-security/.
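The two controls just described (role-based, need-to-know access to employee records, and protective markings that drive handling) can be enforced together at the point where a record is read. The following Python is an added illustration written for this page; it is not OVIC's code and not part of the original information sheet. The role names, marking labels, field-to-marking assignments, role ceilings and the sample employee record are all assumptions constructed for the example.

```python
"""Field-level access to an employee record, combining role-based need-to-know
with protective markings. Added example only; the roles, marking labels,
field assignments and sample data below are assumptions, not OVIC guidance."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Set


class Marking(IntEnum):
    """Illustrative protective markings, ordered least to most sensitive (assumed)."""
    OFFICIAL = 0
    OFFICIAL_SENSITIVE = 1
    PROTECTED = 2


# Marking applied to each field of the record (assumed for this example).
FIELD_MARKING: Dict[str, Marking] = {
    "name": Marking.OFFICIAL,
    "work_email": Marking.OFFICIAL,
    "leave_balance": Marking.OFFICIAL_SENSITIVE,
    "home_address": Marking.OFFICIAL_SENSITIVE,
    "bank_account": Marking.OFFICIAL_SENSITIVE,
    "tax_file_number": Marking.PROTECTED,
    "health_note": Marking.PROTECTED,
}

# Need-to-know: the fields each role is explicitly granted. Anything absent is denied.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "payroll": {"name", "bank_account", "tax_file_number"},
    "line_manager": {"name", "work_email", "leave_balance"},
    "it_helpdesk": {"name", "work_email"},
}

# Highest marking each role may handle. Checked independently of ROLE_FIELDS, so a
# mistaken grant cannot expose a field marked above the role's ceiling.
ROLE_CEILING: Dict[str, Marking] = {
    "payroll": Marking.PROTECTED,
    "line_manager": Marking.OFFICIAL_SENSITIVE,
    "it_helpdesk": Marking.OFFICIAL,
}

# Constructed, fictitious record for one employee (subject id "e1042").
EMPLOYEE_RECORD: Dict[str, object] = {
    "name": "Example Employee",
    "work_email": "example.employee@agency.example",
    "leave_balance": 12.5,
    "home_address": "1 Example Street, Example VIC 3000",
    "bank_account": "000-000 12345678",
    "tax_file_number": "000 000 000",
    "health_note": "fictitious medical certificate on file",
}


@dataclass
class AuditEntry:
    actor: str
    role: str
    subject: str
    field_name: str
    allowed: bool
    reason: str


def decide(actor: str, role: str, subject: str, field_name: str) -> AuditEntry:
    """Deny by default; allow only when every condition holds."""
    marking = FIELD_MARKING.get(field_name)
    if marking is None:
        return AuditEntry(actor, role, subject, field_name, False, "unknown field")
    if actor == subject:
        # Employees may see their own information (IPP 6 access); no role needed.
        return AuditEntry(actor, role, subject, field_name, True, "subject's own record")
    if role not in ROLE_FIELDS:
        return AuditEntry(actor, role, subject, field_name, False, "unknown role")
    if field_name not in ROLE_FIELDS[role]:
        return AuditEntry(actor, role, subject, field_name, False, "field not granted to role")
    if marking > ROLE_CEILING[role]:
        return AuditEntry(actor, role, subject, field_name, False,
                          f"marking {marking.name} above role ceiling {ROLE_CEILING[role].name}")
    return AuditEntry(actor, role, subject, field_name, True, "granted to role within ceiling")


def view_record(actor: str, role: str, subject: str, record: Dict[str, object],
                requested: List[str], audit: List[AuditEntry]) -> Dict[str, object]:
    """Return only the permitted fields. Every decision, including each denial,
    is appended to the audit list: refused requests are the signal for misuse."""
    visible: Dict[str, object] = {}
    for field_name in requested:
        entry = decide(actor, role, subject, field_name)
        audit.append(entry)
        if entry.allowed:
            visible[field_name] = record[field_name]
    return visible


if __name__ == "__main__":
    log: List[AuditEntry] = []
    print(view_record("hr7", "payroll", "e1042", EMPLOYEE_RECORD,
                      ["name", "bank_account", "health_note"], log))
    print(view_record("mgr3", "line_manager", "e1042", EMPLOYEE_RECORD,
                      ["leave_balance", "tax_file_number"], log))
    for e in log:
        verdict = "ALLOW" if e.allowed else "DENY "
        print(f"{verdict} {e.actor}/{e.role} -> {e.subject}.{e.field_name}: {e.reason}")
```

Two design points carry over to a real HR or payroll system regardless of language: access is denied unless a rule positively allows it, and the marking ceiling is a second, independent gate, so a mistaken entry in the role grant list still cannot release a PROTECTED field to a role cleared only for OFFICIAL. Denials are logged alongside allowed reads, because a run of refused requests for bank or tax details is exactly the pattern a reviewer of the audit trail needs to see.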

Disclosing information about employees

When disclosing an employee’s personal information, employers should ensure they have the appropriate legal authority to do so, under enabling or other legislation, or IPP 2.

Under IPP 2, VPS employers must not use or disclose employees’ personal information for purposes other than the original purpose of collection. However, IPP 2 contains eight exceptions that permit secondary use or disclosure, including where:

• the secondary purpose is related to the primary purpose of collection and the employee would reasonably expect their personal information to be used or disclosed for the secondary purpose (IPP 2.1(a));

• the use or disclosure is required or authorised by or under law (IPP 2.1(f));

• the employee has given their consent for the secondary use or disclosure (IPP 2.1(b)); or

• the employer reasonably believes the use or disclosure is necessary to lessen or prevent a serious threat to the life, safety or welfare of an individual or the public (IPP 2.1(d)).

Employers should communicate to employees what the organisation’s practices are for routine disclosures of personal information, as required by IPP 1.3, and in the interest of openness (IPP 5). This can be done through a privacy policy, and through a collection notice provided when collecting personal information.

10 More information about the VPDSF and VPDSS is available at https://ovic.vic.gov.au/data-protection/for-agencies/vpdsf-resources/.

Investigating suspected unlawful activity

Where an employer has reason to suspect that unlawful activity has been, is being, or may be engaged in, IPP 2.1(e) may allow an employee’s personal information to be used or disclosed:

• as a necessary part of the employer’s investigation of the matter; or

• in reporting the employer’s concerns to relevant persons or authorities.

Where an employer proposes to use or disclose personal information in order to investigate a matter itself, any suspicion of wrongdoing should be based on reasonable grounds, and the use or disclosure must be considered necessary after due consideration of alternatives.

If an employer decides to report suspected unlawful activity by an employee, it should be done only to those organisations that need to know the information in order to carry out the necessary investigation(s). Employees should be informed that their information may be used or disclosed for these reasons, for example in the organisation’s privacy policy.

Complaint handling

Employees may complain to their employers about a range of issues, including sensitive matters such as bullying in the workplace. Some considerations for VPS employers to keep in mind when collecting, using and disclosing employees’ personal information in the context of a complaint include:

• Anonymity: IPP 8 states that where lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with an organisation. Depending on the nature of the complaint, it may be possible or appropriate for employees to make complaints anonymously.

However, in other cases an employer may need to collect personal information about the employee making the complaint, and subsequently use or disclose that information, in order to investigate, handle, and resolve the complaint.

• Disclosure: some complaints may require the disclosure of personal information of the employee making the complaint – for example, to a colleague who may be the subject of the complaint, in order to afford that individual natural justice and give them a right of response as part of investigating the complaint; or to a different part of the organisation or an external body that is more appropriate to deal with the complaint.

Regardless of who personal information is disclosed to, the disclosure must be permitted under IPP 2, whether for the primary purpose of collecting the information, or a permitted secondary purpose such as those listed above. If relying on IPP 2.1(a), employers will need to consider whether the proposed disclosure would be reasonably expected by the complainant.

Employers should also avoid excessive disclosures of personal information, and only share what is necessary for the purposes of handling and resolving the complaint.11

11 For examples of ‘reasonably expected’ and ‘excessive disclosure’ in the context of complaints, see Case Studies 2F, 2G, 2I, 2J and 2K in the IPP 2 chapter of the Guidelines to the Information Privacy Principles, at https://ovic.vic.gov.au/book/ipp-2-use-and-disclosure/.

Employee monitoring and surveillance

Employers may conduct monitoring and surveillance of employees for a number of reasons. Whatever the purpose, these activities will likely involve collecting personal information about employees, or information which may reveal the identities of employees. There are many different types of technologies that can be used for the surveillance and monitoring of employees, both within and outside of the workplace. Some methods and technologies, and key considerations for VPS employers, are outlined below.

Regardless of the technology or device used, employers planning to conduct employee surveillance and monitoring should seek legal advice regarding their obligations under the SD Act and other relevant legislation. Employers must also ensure that any monitoring and surveillance of employees is authorised under the PDP Act, or other enabling legislation.

Conducting a PIA before implementing a surveillance or monitoring program is crucial to identifying any privacy impacts and risks associated with the proposed practice.

Monitoring email, phone and internet use

An employer may decide it is necessary for its functions and activities to monitor employees’ email, phone or internet use. For example, it may be necessary for an employer to:

• have access to an employee’s work emails when the employee is absent for an extended period of time, or for security reasons;

• monitor employees’ internet use to ensure appropriate use, or to track any viruses or malware that threaten systems or networks; or

• listen to or record work-related telephone calls for quality and assurance purposes, or for training other staff.

Monitoring activities involving the collection of personal information that is not necessary for an employer’s functions or activities would contravene IPP 1.1, or could be considered unreasonably intrusive or unfair under IPP 1.2 if done covertly where there is no legal basis for doing so.12

12 For information about privacy risks associated with monitoring employees’ social media accounts, see OVIC’s Social Media and Privacy FAQs, available at https://ovic.vic.gov.au/privacy/for-agencies/guidance-and-resources/short-guides/.

Clear communication between employers and staff about what monitoring practices are in place within the organisation, under what circumstances staff may be monitored, and for what purposes any information collected will be used will help mitigate the risk of complaints, prevent an erosion of trust between employer and employee, and satisfy the notice requirements of IPP 1.3.

Employers may wish to develop an appropriate use policy so that employees are aware of how they are expected to use business tools such as email or internet access. For example, if personal calls are not to be made during business hours, the policy should clearly state this.

GPS tracking

Technology provides more and more opportunities for employers to track the movements of their employees. For example, GPS tracking in vehicles enables employers to monitor the movements of employees travelling in company cars, and location services in work mobile phones can pinpoint an employee’s location. Some employers may decide it is necessary to track and collect information about the movements of their employees. Whether or not the use of these technologies is reasonable or intrusive will depend on the purpose for which the information is used, and how it is tied to the organisation’s functions or activities.

Employees should be notified when GPS tracking will occur (such as whether it is only during business hours or also includes out of office hours), what information is being collected and why, what it will be used for, and the consequences if employees object to being tracked.

Where there is no legitimate purpose for tracking employees, employers should make sure that GPS tracking is disabled where possible before issuing a device with this capability to employees.

Surveillance cameras

CCTV cameras are often used as a security measure (for example to enhance safety or deter crime), or to monitor employees or the activities within a workplace during business hours.

As the use of surveillance cameras will likely involve the collection of personal and potentially sensitive information (for example, images or footage of identifiable individuals), employers should be able to identify a legitimate purpose for the surveillance, and only collect personal information via the cameras if the information is necessary for the employer’s functions or activities, in accordance with IPP 1.

Where employers identify a legitimate purpose for surveillance or monitoring, they should ensure that the use of cameras is proportionate to achieving that objective – surveillance cameras should not be used simply because they are cost effective or convenient. There may be other equally effective but less intrusive means to achieve the organisation’s objective.

Where personal and potentially sensitive information is collected through CCTV cameras, employers must ensure they handle the captured information in accordance with the IPPs. For example, employers must notify employees that they could be under surveillance while in the workplace, and employees should be provided with details of their employer’s practices based on the matters set out in IPP 1.3.

In some cases, it may be appropriate to layer the collection notice by displaying signage advising employees and visitors that they may be under surveillance, and including a link to the relevant surveillance or privacy policy. As with any personal information, employers must ensure that the personal information captured via surveillance cameras is used only for the purposes for which it was collected, unless an exception applies.13

13 For guidance on surveillance best practice, see OVIC’s Guidelines to surveillance and privacy in the Victorian public sector, available at https://ovic.vic.gov.au/privacy/for-agencies/guidance-and-resources/guidelines/.

Drug and alcohol testing

In some workplaces, employers may test employees for drugs or alcohol. Such tests may be necessary for the organisation’s functions and activities – for example, if an employee is required to operate a vehicle or heavy machinery, having drugs or alcohol in their system could pose a serious safety risk. However, where such testing is not relevant or required for the specific role, the collection of employees’ information from these tests may be considered unreasonably intrusive or unfair.

As with other personal information collected from or about employees, the IPPs will apply to personal information collected via drug or alcohol testing. IPPs 1 and 2 are particularly relevant in this context – for example, employers must ensure employees are aware of the matters listed in IPP 1.3, particularly the purposes for which the information will be used, and the consequences for employees if they refuse to take the test. In accordance with IPP 2, employers should not use or disclose personal information obtained from the tests for purposes other than the original purpose for collection, unless authorised under the PDP Act or other legislation.

VPS employers should note that the results of a drug or alcohol test may be classed as health information. As such, employers should check their obligations under the HR Act where health information may be collected via such tests. Before implementing drug and alcohol testing programs, employers should complete a PIA to avoid the potential over-collection of personal information and identify any privacy risks that may arise from the practice.

‘Bring your own device’ programs

‘Bring your own device,’ or BYOD, is an arrangement that enables employees to use personal devices for both personal and business purposes. While there are benefits to BYOD programs, there can be significant privacy and data security risks for both the corporate information and the personal information contained on a device, if inadequate procedures and controls are in place. For example, as it expands the number of networks, applications, and end points through which an organisation’s data may be accessed, BYOD can increase the vulnerabilities in an organisation’s ICT system and threaten its information assets, including personal information holdings.

Before implementing a BYOD program, employers should conduct both a PIA and a security risk assessment to ensure that the measures put in place to protect official information (including personal information) are commensurate with the potential impact if the information were compromised.

Organisations with a BYOD program should also have specific BYOD policies, including terms of use for employees to follow. For example, it might be a condition of use that employees protect their devices with a password, and that they offer their devices to their organisation’s ICT professionals to configure the appropriate security settings.

While it is important to ensure the security of business information, the privacy of personal information of those employees participating in a BYOD program should be considered, particularly given that many individuals’ personal lives are entwined with their mobile devices. A clear BYOD policy that outlines what personal information an organisation can collect from the device, and in what circumstances, will help to protect employees’ privacy and promote trust between the employer and its employees.

Work devices used for personal use

In contrast to BYOD, employees may be provided with a work-issued device, which may then also be used by an employee for personal purposes. This could potentially result in the employer collecting personal information about the employee that is contained in the device, for example during a backup of the device. The collection of any personal information would then attract obligations under IPP 1 and the other IPPs, including, potentially, notice requirements.14

14 The PDP Act does not distinguish between solicited and unsolicited collection of personal information. The IPPs therefore apply to personal information regardless of whether it was solicited or unsolicited by an organisation.

As with BYOD, employees should be provided with any policies or terms of use relating to the use of work devices for personal use. If there is potential for an employer to collect personal information from work devices, such collection should be authorised and the IPPs applied to any personal information collected.

Biometric systems

Some workplaces may use biometric systems for a variety of purposes, such as verifying employees’ identities to enable access to a building or office. While biometrics offers many benefits, employers should be aware of the limitations and privacy risks arising from the use of biometrics in the workplace – for example, function creep (employees’ biometric information is used for a different purpose than the original purpose of collection), or the potential for biometric information to reveal secondary information about an employee.

While the definition of sensitive information under the PDP Act does not include biometric information (unlike the Commonwealth Privacy Act 1988), some biometric characteristics may reveal sensitive information as defined under the PDP Act, the collection of which may breach IPP 10. Given the inherently personal nature of biometric information, employers should consider treating such information they collect as delicate, and be cautious with how this information is handled.15

15 For more information about biometrics and the interaction with the IPPs, see OVIC’s information sheet Biometrics and privacy, available at https://ovic.vic.gov.au/privacy/for-agencies/guidance-and-resources/short-guides/.


Some biometric information may also fall within the definition of health information under Victoria’s HR Act.

Working remotely

VPS employers may allow employees to work remotely, such as from home, on an ad hoc or regular basis, or as needed in certain circumstances (for example, where doing so is part of an organisation’s business continuity plan).

A remote work environment can present unique information and cyber security risks, so employees need to ensure they take appropriate steps to protect any public sector and personal information they access when working remotely, and continue to uphold their privacy obligations under the PDP Act and other applicable legislation. Organisations should ensure that employees are also aware of any relevant workplace policies that may apply, and promote good privacy and security practices for working remotely.2

End of employment

The IPPs apply to all personal information collected and held by VPS employers regardless of the employment status of the individual involved. Employers therefore continue to have responsibilities to protect an individual’s personal information at the end of their employment, and after they have left the organisation.

Retention of employees’ personal information

IPP 4.2 requires VPS employers to take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose. An organisation’s enabling legislation, or other relevant legislation such as the Public Records Act 1973 (PR Act), may contain requirements in relation to the retention of personal information, including of employees specifically. VPS employers must retain relevant personal information of employees in accordance with any applicable retention and disposal requirements issued by the Public Record Office Victoria.16

Beyond this, an employer may only keep the personal information of its former employees where it can identify a relevant purpose for doing so; for example, where it is required by law or as part of an ongoing investigation.

Conclusion

VPS employers are bound to comply with the 10 IPPs throughout all stages of employment – during recruitment, throughout and after employment. This means that VPS employers should act in accordance with the IPPs in relation to employees’ personal information they collect and handle. This can include taking measures such as:

• advising potential job applicants and employees what personal information they collect from them, the purpose of the collection, and what the information will be used or disclosed for;

• only collecting personal information of applicants and employees that is necessary for a stated purpose, by fair and lawful means;

• only disclosing information for the purposes for which it was collected, unless otherwise authorised;

• keeping personal information accurate, complete, and up to date; and

• allowing employees to access and correct their personal information.

2 For useful tips see OVIC’s information sheet How to respect privacy and protect public sector information when working remotely, available at https://ovic.vic.gov.au/privacy/for-agencies/guidance-and-resources/short-guides/.

16 For more information contact Public Record Office Victoria at http://prov.vic.gov.au.


Further Information: Contact Us

t: 1300 00 6842 e: [email protected] w: ovic.vic.gov.au

Disclaimer: The information in this document is general in nature and does not constitute legal advice.

Version: April 2020 – D19/8111