14 October 2016

Privacy, Procedure and Social Media

In Jurecek v Director, Transport Safety Victoria [2016] VSC 285 the Supreme Court of Victoria has dismissed the appeal of a public servant who complained against the alleged breach her employer Transport Safety Victoria of the state's information privacy principles. The employer had collected information from her Facebook account without her knowledge, used in an investigation which resulted in Jurecek being charged and found guilty of the disciplinary offence of misconduct.

The judgment states
This appeal raised important, novel and reasonably arguable questions about the application of the Information Privacy Act in the social media context and in particular about the application of the Information Privacy Principles to personal information on Facebook. Therefore leave to appeal will be granted.
However, the appellant has not established that the tribunal made any legal error in (substantially) dismissing her claim against the respondent for failing to observe its obligations under those Principles. For the reasons given in this judgment, the tribunal did not err in law in deciding that the respondent had (substantially) complied with those obligations. Therefore the appeal must be dismissed.
The appeal considered whether there was an error of law in the decision of Victorian Civil and Administrative Tribunal under the Victorian Civil and Administrative Tribunal Act 1998 (Vic), whether the information was personal information covered by the Information Privacy Principles under the Information Privacy Act 2000 (Vic), whether collection was necessary for the functions or activities of Transport Safety Victoria and carried out in lawful, fair and not unreasonably intrusive way, whether that body ensured Jurecek was made aware of collection as soon as practicable, whether it was reasonably practicable to obtain information from Jurecek directly, whether the information was exempt from the IPP by reason of being contained in document that was generally available publication, and the interaction between privacy protection and other human rights.

Jurecek initially complained, in an application to the state Privacy Commissioner, that during the course of her employment the Director of Transport Safety Victoria (TSV) collected personal information about her without first attempting to obtain it from her directly and then used it without making her aware of what had been obtained. She alleged that TSV had thereby breached the Information Privacy Principles in sch 1 of the Information Privacy Act 2000 (Vic). The Commissioner dismissed the complaints and, at the appellant’s request, referred them to the Victorian Civil and Administrative Tribunal for hearing and determination. The tribunal found the complaints not to be proven and, under s 43(1)(c) of the Act, made orders dismissing the application. Jurecek sought leave to appeal to the Supreme Court and, if leave was granted, to appeal upon grounds of error of law pursuant to s 148(1) and (2) of the Victorian Civil and Administrative Tribunal Act 1998 (Vic) against the orders.

Jurecek was employed in 2012 in the Office of the Director of Transport Safety. There were ongoing difficulties in the nature of alleged workplace bullying, stress and other complaints. The judgment states that
she engaged in chats and posts on Facebook with a workplace colleague in which she made a number of employment-related remarks. These chats and posts were disclosed to officers of the respondent by the appellant’s colleague, which led to an investigation. ... In the investigation, officers or agents of the respondent accessed the appellant’s Facebook, which she operated under a pseudonym (Lora Otto), without her knowledge. The investigation resulted in the appellant being charged and found guilty of the disciplinary offence of misconduct in respect of which she was given a final warning.
Without legal assistance, the appellant made two complaints to the Privacy Commissioner under the Information Privacy Act that the respondent had breached the Information Privacy Principles. In substance, her complaints were that, in the investigative and charging process, the respondent unfairly, intrusively and secretly obtained and used personal information relating to the appellant from her Facebook without it being necessary for the performance of the respondent’s functions and activities, without notice to her and without attempting to obtain the information from her first.
Upon the basis that the respondent had not interfered with the appellant’s privacy or breached the Information Privacy Principles, the Privacy Commissioner rejected these complaints. The Commissioner referred the complaints to the tribunal on the appellant’s request pursuant to s 29(5) of the Information Privacy Act.
Jurecek appears to have made what the Supreme Court  unsurprisingly characterised as an "abusive post" on a colleague's Facebook page.

The judgment states
The Information Privacy Principles relevantly apply in relation to the collection, notification and use of personal information. In the application of the Principles, it is important to identify the information, collection, notification (if any) and use that are in question. It is especially important to identify the relevant personal information and the collection, for these are foundational to the application and discharge of the obligations imposed. There may be different items of personal information and multiple collections and these may raise different issues as regards the application and discharge of the obligations. As a self-represented complainant or applicant cannot be expected to appreciate all this, it will often be necessary for the commissioner or the tribunal to give what assistance is due in this connection.
In the present case, the appellant’s complaints, and the tribunal’s determination of those complaints, were organised by reference to chats and posts as modes of social communication rather than by reference to the relevant obligations in the Information Privacy Principles. This reflected the way that the complainant organised her complaints, and understandably so. They were initially prepared by her without legal assistance, as would normally be the case. It was perfectly natural for her to express the complaints in a general way by reference to chats and posts and also perfectly proper for the commissioner and the tribunal generously to interpret the complaints so expressed, as they did.
But the relevant Information Privacy Principles involve the application of standards expressed by reference to collections and notifications (see below) of personal information. At least after the complaints were referred to the tribunal and the parties became legally represented, it would have been better for consideration of the issues to be organised by reference to the information, and the collections and notifications (and other standards), that were in question rather by reference to the chats and posts, for that is what the application of the standards in the Information Privacy Principles ultimately required. I note that the tribunal did attend to the detail of the relevant information and collections in the course of its determination, despite the way in which the appellant put her case (see above). In the appeal, the appellant provided the court with particulars of the personal information, collections and notifications that were in issue. The summary was disputed by the respondent. I deal with the issues that arise in this connection below.
It was common ground in the appeal that the tribunal was correct beneficially to interpret the Information Privacy Principles as human rights legislation and pursuant to s 32(1) of the Charter of Human Rights and Responsibilities Act 2006 (Vic).