07 June 2012

Logging Webmail

The New Zealand Privacy Commissioner has released a new case note under the Privacy Act 1993 (NZ) regarding surveillance that went beyond the workplace.

Case note 229558 [2012] NZ PrivCmr 1 deals with an unidentified employer's use of monitoring software to collect personal information.

As part of "an employment investigation" the employer collected "personal information" from a man's work computer. That information included email sent to and from the work computer, along with key stroke logging for the computer. Importantly, the employer used information collected from that logging to access the man's personal web-mail account and copy several emails. The man complained about the information collection.

The Commissioner considered that separate issues were raised for the two different types of information collected: information collected directly from the work computer and information collected from the man's personal email account.

The collection of information directly from the work computer complied with the Privacy Act because the employer, in both the employment agreement and the employee manual, had clearly set out that work computers would be subject to monitoring.

Use of keylogging to access 'external' information "raised issues under principle 3 of the Privacy Act". 

The Commissioner commented that -

Principle 3(1) sets out that where an agency collects information from an individual, the agency must take such steps which are, in the circumstances, reasonable to ensure that the individual is aware of a number of things, including the fact that information is being collected. The policies set out in the agreement and manual were not explicit enough to make staff aware that such detailed information was being collected. On this basis we considered that the employer had breached principle 3 in collecting key stroke information.

The Commissioner understandably had concerns regarding use of keylogging to obtain the man's webmail password and thence access his personal email account -

We considered this raised issues under principles 1, 3 and 4 of the Privacy Act.
Principle 1
Principle 1 sets out that agencies must not collect personal information unless it's for a lawful purpose connected with the functions or activities of the agency, and collection is necessary for that purpose. When the employer accessed the man's personal email account, it was able to obtain information in relation to a significant number of emails sent over a period of several years. This went well beyond any information that may have been relevant to the employment investigation. We formed the view that the employer had breached principle 1, because the collection was unnecessary and disproportionate to the employer's needs.
Principle 3
We were also satisfied that the employer's policies were not explicit enough to make an employee aware that if they entered a password into the computer, the employer would be able to use this information to collect further information not held on the work computer. We formed the view that this also breached principle 3.
Principle 4
Principle 4 requires that personal information shall not be collected by unlawful means, or means which, given the circumstances, are unfair or unreasonably intrusive. Principle 4 is concerned with the method of collection. We considered that an individual's personal email account attracts a high expectation of privacy and it would require exceptional circumstances to justify an employer directly accessing it. In this case we did not consider there were exceptional circumstances, and so this method of collection was unreasonably intrusive and in breach of principle 4.

The outcome was that the employer and employee "attended mediation, were able to reach a settlement, and the complaint was closed".

Unfortunately there is no indication of the size of that settlement, which might simply have been an apology by the employer and a promise to be good in future. That's the charm of mediation - no washing of dirty linen in public - and its disadvantage from a public policy perspective, i.e. observers do not get to see how the problem was solved and thus lack a benchmark for future action.