A former employee of US-based Verizon Wireless had thousands of her personal emails read by her employer after returning a phone provided to her by the company.
Although it was found that Kulmatycki acted unlawfully, the same conclusion might not be reached in Australia.
“Commonwealth privacy and telecommunications interception legislation would not prevent an employer accessing and reading the personal emails of a former employee stored on a company-owned smartphone,” Joel Zyngier, senior associate and specialist in Workplace Relations at Holding Redlich, told HC. “However, if the employee was employed in NSW, such conduct would be unlawful pursuant to the Workplace Surveillance Act, unless the employer had previously warned the employee that the employer might monitor or access the private emails.”
Despite this, there are other precautions employers must be aware of in regards to both current and former employees. If the information gathered revealed an attribute or activity of the employee protected from unlawful discrimination – such as sexual preference or trade union affiliation – and the employee was then treated differently by the employer, the employee may allege the treatment was due to the information gathered, and claim it was thereby discriminatory.
Some states, such as Victoria, may prohibit the collection (such as reading emails) of information that can be used for discriminatory purposes.
“An employer would be vicariously liable for an employee’s unlawful disclosure of personal information or discriminatory conduct unless it took reasonable steps to prevent the employee’s disclosure/conduct,” Zyngier explained.
The disclosure of any information collected that does not directly relate to ‘employee records’ is unlawful, as well.
Zyngier confirmed that the employer owns the information stored on a company-issued device. This does not include information stored on non-company servers that the smartphone can access.
As the legal and moral obligations of the employer when dealing with this situation are complex and difficult to navigate, a robust IT policy that is easily adhered to is all important.
What do you think of the US case? Do you issue devices to employees? If so, how do you ensure privacy of information?