Media has been overflowing with breaches of privacy lately; the GCSB; Buller District Council dumping (in public view) financial records about ratepayers; client files/information lost on public transport; and the release of private information relating to earthquake-damaged homes.
The workplace is not immune from the present scrutiny about how we manage private information. Tensions arise about where the balance fairly sits regarding the employer’s “right to know” and employee’s “right to privacy”. This is particularly pertinent when considering the many ways in which employees can be monitored during employment relationships, such as the use of covert surveillance, drug testing and keystroke technology.
People care about privacy; about what personal information is in the public domain; about whether that information is accurate; and about the consequence of that information being compromised or misused. Employers can be privy to incredibly sensitive material, from information about health conditions of their staff, to their financial details. It is critical that this information is kept safe and secure.
The Privacy Act provides protection from invasion of personal privacy. Employers have an obligation to ensure that personal information is managed correctly and that responsibility should include providing guidance to employees about good privacy practices.
Where an Employer is Collecting Personal Information:
- Employees should be aware of this and the purpose of collection.
- Processes/security to protect that information should be in place, such as the use of locked files and password protections.
- Employees should be aware of the right to access (view) and correct information if it is inaccurate. Accordingly, personal information should be stored in a way that is organised, and easily retrievable.
- When personal information is no longer required, it should be disposed of securely.
Despite the best of intentions, mistakes can be made and employers should consider how any breach would be managed, including notification to those whose privacy may have been compromised. By law, every business is required to appoint a privacy officer. It should be the officer’s role to ensure good policies are in place to handle personal information, queries in relation to privacy and be alert to potential risks arising with personal information.
Common Privacy Queries Include:
- whether an employee has privacy rights in respect of emails at work (generally no, this is work property and therefore the employer will ordinarily have the right to monitor and control its use);
- whether an employer can make some “general enquiries” about a potential employee from “business associates” prior to an offer (generally no, and a previous employer should ensure the employee has provided consent before a reference is given); and
- whether an employer can request a credit check as part of its pre-employment enquiries (generally no, unless a job a job involves significant financial risk to the employer).
Employers and those employees acting on behalf of employers in handling personal information in the workforce are well placed to consider the old adage that you should treat others as you would like to be treated. If in doubt: take a conservative view; and seek advice. Breaches of privacy not only give rise to potential liability for an employer, but can damage the relationship of trust and confidence with employees, be detrimental to morale and to the company’s reputation.
This article was first published in the Waikato Times, 24 June 2013.
Content from: www.dtilawyers.co.nz/news-item/dont-risk-breaching-privacy