Australia: The legal risks arising from electronic storage of work information in the construction industry

The transformation of the contemporary workplace through electronic practices and information technology has led to new challenges for employers and employees, courts and legislatures, policy makers and government. These challenges are extensive and varied. In this article we survey the state of the law relating to the legal risks arising from the electronic storage of work information, particularly in the context of the construction industry.

Background

It is common for principal contractors in the construction industry to use technology to collate and manage information about the workforce on site, particularly in large remote projects. Technology has certainly presented opportunities to gather and manage information in a way that was difficult to achieve previously. Electronic storage of records and documents means that those documents can be retrieved instantly and multiple people can view documents at the same time allowing for better organisation and accessibility.

Often the information stored on those systems relates not only to the employees of the principal contractor, but also the employees of subcontractors on site as well as former workers and sometimes potential workers. The risks of such systems are well outweighed in most cases by the benefits in using such systems particularly in areas such as co-ordinating flights, accommodation, transport and other services. In many instances an organisation may unknowingly violate the employees' right to privacy which may open up the organisation to risks. There are a number of legal issues that need to be considered including:

• issues in relation to the privacy of that information;
• the possibility of adverse action claims being commenced against an organisation; and/or
• the possibility of defamation proceedings being commenced against an organisation.

Electronic communication expansion

The workplace landscape has changed dramatically in the past decade as a result of the proliferation of computer-based communication technologies and the advancement in technology and storage of information. These advances have enabled the worldwide exchange of information, in an increasingly international landscape with more and more Australian organisations, in a number of different industry areas, merging with overseas organisations. The advances in technology mean that there is a full mobility of resources with real time data flows and centralised information access.

It has been said that technology, particularly information and communication technology, is both a significant driver of modern economy and potentially one of its weakest links. ¹² The International Risk Governance Council (IRGC) has stated that "a significant problem for owners, managers and regulators is that the public and many officials in government have limited knowledge of the vulnerabilities of these systems and of the risk factors that have increased during the past several decades". ¹³ Organisations must be proactive in managing the potential risks in this area.

One of the problems with the electronic storage of information is that organisations may not be aware of the risks associated with the storage of that information as electronic communications are permanent and searchable and leave a digital trail of information thereby eliminating conceivable deniability.

Many organisations are harnessing modern technology and putting it to the best use in their workplaces. The issue is what the use of that modern technology by organisations will mean for legal and employment regulation. There is an ever growing sense of concern of how the advances in technology will impact on an employee's right to privacy.

Issues in relation to Privacy

The relevant legislation
Organisations have to be aware of their obligations under a variety of privacy related legislation depending on which jurisdiction is applicable. This article focuses on the Federal legislation.

Privacy Act 1988 (Cth)
The Privacy Act 1988 (Cth) (Privacy Act) broadly regulates the collection of personal information. Personal information is any information that relates to an identifiable individual. If a private organisation collects personal information, it is bound by the National Privacy Principles (NPPs). Private organisations must have an approved privacy code, or in its absence, comply with the NPPs. The NPPs describe how an organisation may collect and use information about individuals and entitles individuals to access and correct any information held about them. There are some exceptions, the most relevant here being the employee record exemption.

The employee record exception
Section 7B(3) of the Privacy Act grants employers exception from the Privacy Act in certain circumstances. Three elements must be established in order for the exception to apply:

the organisation must be acting in the capacity of a current or former employer;

the dealings with the data must be directly related to that employee/ employer relationship; and

the dealings with the data must be directly related to that employee's employee record held by the employer.

Element 1 – Acting in the capacity of a current or former employer
In the case of principal contractors, often there is not an employment relationship which exists between the contractor and the workers on site. In which case, the employee records exemption will not apply to the records held by a principal contractor in respect of those workers.

In addition, this requirement means that information collected regarding a prospective employee is excluded from the exception. All the data collected would not be covered by the exemption and would fall within the scope of the Privacy Act.

In these circumstances it will therefore be important to ensure compliance with the NPPs or any applicable privacy code.

Element 2 – Related to the employee/employer relationship
If an employer does something with the employee's data that is not related to the employment relationship, the employer is not protected by the employee record exception. Care must be taken to ensure that the data stored electronically relates to the employee / employer relationship.

Private Sector Information Sheet 12, published by the Australian Information Commissioner ¹⁴ , provides that the employee records exemption does not cover contractors and subcontractors when they handle the personal information of the employees of another organisation, notwithstanding those contractual arrangements. In many circumstances, the employee records exemption may not apply to organisations that provide recruitment, human resource management services, medical, training or superannuation services under a contract to an employer.

An organisation that collects employee records about a person from the organisation employing that person will have to comply with the notice requirements of NPP 1.

Element 3 – Related to that employee's record held by the employer
This exemption only applies as long as the record is held by the employer. As discussed above, given that there is often not an employment relationship between the principal contractor and the workers on site, if employee information is disclosed from the employer to the principal contractor, the exception from the Privacy Act no longer applies to the information held by the principal contractor.

What is an employee record?
Section 6(1) of the Privacy Act sets out a non-exhaustive list of the types of information that is included in the definition of 'employee record'. Employee record, in relation to an employee, means a record of personal information relating to the employment of the employee. Examples of personal information relating to the employment of the employee are health information about the employee and personal information about all or any of the following:

1. the engagement, training, disciplining or resignation of the employee;
2. the termination of the employment of the employee;
3. the terms and conditions of employment of the employee;
4. the employee's personal and emergency contact details;
5. the employee's performance or conduct;
6. the employee's hours of employment;
7. the employee's salary or wages;
8. the employee's membership of a professional or trade association;
9. the employee's trade union membership;
10. the employee's recreation, long service, sick, personal, maternity, paternity or other leave; and
11. the employee's taxation, banking or superannuation affairs.

Taking into account the nature of these examples, it is clear that information, such as, the content of employees' private emails and the details of what web-sites an employee has visited do not fall within the exemption for employee records, and, therefore, the Privacy Act applies to that information. The Federal Privacy Commissioner has expressly stated that logs of staff web-browsing activities are subject to the provisions of the Privacy Act.¹⁵

National Privacy Principles
Where the data is personal information and is not covered by the employee record exception, the Privacy Act applies to the collection and use of that information. The NPPs set out ten principles that private organisations must adhere to when collecting personal information. In summary, these ten principles are as follows:

1. NPP 1 describes what an organisation should do when collecting personal information, including what they can collect, collecting from third parties and, generally, what they should tell individuals about the collection.
2. NPP 2 outlines how organisations may use and disclose individuals' personal information. If certain conditions are met, an organisation does not always need an individual's consent to use and disclose personal information.
3. NPPs 3 and 4 provide that an organisation must take steps to ensure the personal information it holds is accurate and up-todate and is kept secure from unauthorised use or access.
4. NPP 5 provides that an organisation must have a policy on how it manages personal information, and make it available to anyone who asks for it.
5. NPP 6 gives individuals a general right of access to their personal information, and the right to have that information corrected if it is inaccurate, incomplete or out-ofdate.
6. NPP 7 generally prevents an organisation from adopting an Australian Government identifier for an individual as its own.
7. NPP 8 provides that, where possible, organisations must give individuals the opportunity to do business with them without the individual having to identify themselves.
8. NPP 9 outlines how organisations should protect personal information that they transfer outside Australia.
9. NPP 10 deals with sensitive information which includes information such as health, racial or ethnic background, or criminal record. Higher standards apply to the handling of sensitive information.

Outsourcing management of employment data
The outsourcing of the management of employment data and information is increasingly occurring with the advancement of technology. Where an organisation outsources the hosting or management of employment data, the organisation will be responsible for ensuring the host partner also complies with the relevant requirements. Where the host partner is Australian based, that host will also be required to comply with the NPPs, however, this does not discharge the organisation's primary obligations under the Privacy Act.

Where the host partner is located overseas, it will not be subject to the Privacy Act. The Privacy Act regulates handling of personal information in Australia and originating from Australia. Under NPP 9, if an organisation's overseas activity is required by the law of the foreign country, then it does not interfere with the privacy of an individual under Australian law.

An organisation may transfer personal information overseas provided that one of the following conditions is satisfied:

• the individual has consented to the transfer of the information;
• it is impracticable to obtain the individual's consent, however, it is likely that consent would be given and the transfer is for the benefit of the individual;
• there is a contract between the individual and the organisation that requires the transfer or where there is a contract between a third party and the organisation in the interest of the individual;
• the organisation reasonably believes a contract or law applies at the destination which delivers privacy standards substantially similar to the NPPs; or
• the organisation has taken reasonable steps to ensure that the information will not be used, disclosed or held by its recipient in a way that is consistent with the NPPs.

Sensitive information
If a person visits certain websites on the employer's equipment, the web-address data recorded may reveal information about their religion, sexual preference, ethnic origin or membership of a union or political organisation. As such, a person's web and email usage data could easily contain information that is defined under the Privacy Act as 'sensitive information' which is defined in section 6 of the Privacy Act. Collection of this form of data attracts increased regulation from the Privacy Act.

Consequences of breach of NPPs
An organisation that is found to have breached privacy laws may find itself in a position where it not only has to pay the aggrieved party a significant amount of damages, but also suffers irreparable harm due to negative publicity and the public's loss of confidence in its ability to properly deal with and maintain their personal and private information.¹⁶

The Australian Information Commissioner has the power under the Privacy Act to investigate a complaint by an individual regarding an alleged breach of a NPP and if the Australian Information Commissioner finds the complaint substantiated the Australian Information Commissioner can make a determination. That determination can include one or more of the following:

1. a declaration that an organisation must not repeat or continue such conduct;
2. a declaration that a respondent perform any reasonable act or course of conduct to redress any loss or damage suffered by an individual; and/or
3. a declaration that the complainant is entitled to a specific amount of damages. Damages can include an amount of loss and damage for injury to a complainant's feelings or humiliation suffered by a complainant.

Should an organisation fail to comply with the determination of the Australian Information Commissioner, an individual or the Australian Information Commissioner can commence proceedings in the Federal Court or the Federal Magistrates Court for an order to enforce the determination. A Court may, in circumstances where they consider an organisation has interfered with the privacy of an individual, make any order that they consider fit.

An individual may also seek injunctive relief from the Federal Court or the Federal Magistrates Court to enforce his or her rights of access and correction under the Privacy Act. In Smallbone v New South Wales Bar Association [2011] FCA 1145, a barrister was successful in gaining access to certain information about him that the Bar Association had collected in relation to his application for appointment as Senior Counsel. The Court made orders restraining the Bar Association from making any adverse determination of Smallbone's application until the expiry of seven days after the barrister had completed inspecting the information.

Breach of privacy obligations can also be costly for organisations if an award of compensation is awarded against the organisation and the costs involved in defending such proceedings can be significant. For example, the Administrative Appeals Tribunal in Rummery and Federal Privacy Commissioner [2004] AATA 1221 granted an $8,000 award of compensation to a worker for breach of privacy laws.

In addition, if proceedings are commenced against an organisation for breach of privacy obligations, this can have a substantial negative impact on the organisation's business as a result of the negative publicity associated with such proceedings.

Adequacy of Australia's online Privacy Framework
Due to the development of web 2.0 technologies that allow greater online interaction in respect of user generated content, it has become possible to store, share and upload large quantities of personal data onto the web. In addition, it has become easier for website operators to send personal data overseas which, as a result, means that Australian regulators have less control over the manner in which personal data relating to Australians is captured, stored and handled.

There have been questions raised about the effectiveness of the Privacy Act in light of advances in technology. ¹⁷ The Privacy Act has been subject to detailed recommendations by the Australian Law Reform Commission (ALRC). Some of these recommendations have been adopted by the Australian Government in its first stage response. The second stage response will consider recommendations in relation to proposals to clarify or remove certain exemptions from the Privacy Act such as the exemptions for employee records.

Status of employee records exemption
The existence of this exemption has meant that in practice, privacy compliance polices and strategies have not had to address the handling of employee records. This situation may change in light of the recommendations contained in the ALRC report into privacy in Australia (Report 108).¹⁸

The ALRC noted that the employee records exemption was inserted at a time when the legislature envisaged that workplace relations law, rather than privacy, would be more appropriate for addressing privacy as a private sector employment issue. The intended statutory protections in workplace relations legislation never materialised.

The ALRC's final report, released in August 2008, ultimately recommended that the employee records exemption in s 7B(3) of the Privacy Act be repealed and the Office of the Federal Privacy Commissioner should publish guidelines on the application of the model Unified Privacy Principles, which was a key recommendation of the ALRC, to employee records.

The Australian Government issued the first stage of its response to Report 108 on 14 October 2009 (First Stage Response). The Government is still finalising the first stage reforms that came out of Report 108. Once that has been finalised, the Government will consider the remaining 98 recommendations from Report 108 which includes whether the employee records exemption should be removed.

Any change to the employee records exemption may have significant implications for employers. Administrative costs of complying with privacy protection for some aspects of employee records could be substantial. Some employers may find that even limited reform, such as entitling employees to correct records on their personnel file, would adversely affect how employees manage work performance and termination issues.¹⁹

Cross-border data flows
The First Stage Response recommended that the Privacy Act be amended so that a company will be treated as having an Australian link (and thereby caught by the Privacy Act) where it collects information from Australia. There will be no need for the company to be incorporated in Australia or otherwise have any other link to Australia (besides the fact that it collects information).

In respect of cloud computing, the First Stage Response recommended that the Privacy Act be amended so that all Australian organisations transferring personal data offshore are required to be fully accountable in respect of the protection of the privacy of the personal data.

Further, the First Stage Response recommended that the Government consider whether such provisions are enforceable and, if required, strengthen the Privacy Commissioner's powers to enforce provisions related to offshore data transfer.

Possible statutory cause of action for serious invasion of privacy
Statutory and common law causes of action for breach of privacy are found in many other jurisdictions, including the United Kingdom, the United States and New Zealand.

On 23 September 2011, the Minister for Privacy and Freedom of Information, the Honourable Brendan O'Connor, released an Issues Paper titled "A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy". The Issues paper discusses the recommendations by the ALRC in relation to the introduction of a statutory cause of action for serious invasions of privacy. In his media release, Mr O'Connor stated:

Responses to the Issues Paper were requested to be provided by 4 November 2011. If such a statutory cause of action is introduced, this will presumably have a significant impact on the operation of organisations in relation to the electronic storage of information.

In light of the recent News of the World telephone hacking scandal in the United Kingdom, there will no doubt be increased support for this statutory cause of action in Australia.

Other sources of privacy rights – common law breach of confidence
Common law breach of confidence may also give rise to actions against an employer. Although not well defined in the area of employment law, the three elements of an action could conceivably be fulfilled in an employment context. The elements that form the tort are that:

1. the information disclosed is inherently confidential or expressly stated to be confidential;
2. it was imparted in circumstances which created an obligation of confidence either expressly or impliedly; and
3. the employer has threatened or has actually disclosed the information without the employee's authority:

Coco v A N Clark (Engineers) Ltd [1976] RPC 41 at 47.

The possibility of a cause of action being utilised by an individual should also be borne in mind by organisations when electronically storing workplace information.

Legal issues in relation to surveillance
While the employee record exemption may be of assistance to employers, as discussed above, there are definite gaps in the protection particularly in the context of the construction industry. This particularly extends to organisations that conduct electronic surveillance of individuals and keep an electronic record of that information.

Organisations need to consider the regulation of surveillance that is applicable in order to ensure that they are not in breach in conducting surveillance. Problems may arise for organisations where a record of that surveillance is stored electronically and then accessible by the individual in accordance with the NPPs. This may give the individual the evidence to commence action against the organisation.

Workplace surveillance is still a matter that falls within the jurisdiction of the states and territories. There are 11 Acts in operation in Australia that regulate surveillance:

A number of States have enacted legislation specifically dealing with surveillance in the workplace:

• ACT – On 24 February 2011, the Workplace Privacy Act 2011 (ACT) commenced. The Act recognises a right to privacy for workers in the workplace, and requires that employers must inform workers when their right to privacy will be limited through use of surveillance and the reason for the limitation. It seeks to do this in such a fashion that balances a worker's right to privacy with a business owner's right to take reasonable steps to protect their business and monitor their employees.
• NSW – The Workplace Surveillance Act 2005 (NSW) sets out the requirements that an employer must fulfil in order to monitor employees' computer usage (among other things).
• Victoria – In 2005, the Victorian Law Reform Commission made recommendations regarding policies for electronic workplace surveillance, genetic testing in the workplace and drug and alcohol testing in the workplace. To date, the only response has been the Surveillance Devices (Workplace Privacy) Act 2006 (Vic), which prohibits the placement of video surveillance in change rooms and bathrooms.
• WA – The Surveillance Devices Act 1998 (WA) makes it an offence for employers (or employees) to use, install or maintain listening devises to record a private conversation; optical surveillance devices to record visually or to observe private activity; and tracking devices to determine the geographical location of a person. There is no provision for restrictions on computer surveillance.
• Queensland, SA, Tasmania and the NT – These states and territory have no specific workplace surveillance legislation.

There is certainly a trend emerging of States and Territories enacting surveillance legislation specific to the workplace. In addition, surveillance laws in some states started to consider and regulate electronic surveillance, for example, in New South Wales, email and internet usage surveillance is regulated. Organisations need to be aware of the regulation of surveillance in the particular applicable jurisdiction.

Adverse Action Risks

Adverse action prohibition
As is now well-known the Fair Work Act 2009 (Cth) (FW Act) prohibits adverse action against a person for an unlawful reason. In particular, those reasons arise on the basis of workplace rights, industrial activities or for a discriminatory reason. Adverse action includes conduct such as termination of an employee's employment or a contractor's contract of engagement or refusing to employ a potential employee.

Prospective employees covered
It is important to note that prospective employees, employees and contractors are taken to have workplace rights pursuant to section 341(3) of the FW Act. This means that to the extent that information is stored on a database which is then subsequently relied on by a prospective employer, a principal contractor or subcontractors in determining whether or not to engage an employee or subcontractor or to renew a contract, such conduct could amount to adverse action and the information that is stored in the system would be available to the worker under the terms of the NPPs.

The use of the internet to obtain information about current employees and job applicants creates risks for employers. These searches can result in incorrect or false information that might lead to overreactions and adverse employment decisions harmful to both the individual and the employer or contractor.

An organisation's knowledge or possession of cyber-based information may constitute material evidence for a claim of unlawful discrimination, violations of privacy, or infringements upon legal rights to engage in certain protected activities.

Reverse onus of proof
A reverse onus of proof will apply in proceedings alleging breach of the general protections except an application for an injunction. What this means is that if an employee or prospective employee or contractor or prospective contractor alleges that an employer's or contractor's conduct was taken for a particular reason or intent in breach of the provisions, a court will presume that the conduct was taken for that reason or intent unless the employer or contractor satisfies the court, on the balance of probabilities, that the conduct was not taken for that reason or intent.

Consequences of breach
A court may make an order it considers appropriate if it is satisfied the general protections have been breached. The orders a court may make include:

• An injunction, or interim injunction, to prevent, stop or remedy the effects of the breach;
• Awarding compensation for the loss suffered because of the breach (noting that there is no cap on the amount of compensation that can be awarded);
• An order for reinstatement; and/or
• Imposing a maximum penalty for each breach of $33,000 for an incorporated employer or $6,600 for an unincorporated employer.

Therefore in managing such information systems it is important to ensure that only current and relevant information is stored and not otherwise irrelevant information such as union membership, race or cultural origins.

Risk of defamation proceedings

Electronic storage of work information means that information can be accessed in an instant and if that information is defamatory, that could expose the organisation that published that information to a potential action being brought against it for defamation. If a report (whether verbal or written) includes defamatory material, the publisher may be liable for an action in defamation.

Vicarious liability
Where an employee acting within the scope of his/her employment publishes a defamatory matter, an employer may prima-facie be liable. Ultimately, liability will be determined by reference to the question as to whether there is a close connection between the employment and the publication, whether it be authorised or not.²⁰

Elements of defamation
Four threshold conditions must be met by the person alleging defamation:

• the matter complained of is capable of being defamatory of that person;
• the defamatory meaning is in fact conveyed by the words used;
• the matter complained of was published by the organisation; and
• the matter complained of was published of and concerning that person.

Possible defences
The defences that may be relevant in relation to an action for defamation commenced as a result of the electronic storage of work related information include:

• Justification: where the publication is substantially true;
• Qualified interest: for example, where an investigation is conducted in relation to an employee's conduct, where the recipient of the information has an interest in receiving the defamatory material, and the organisation's conduct is reasonable. What is reasonable depends on the circumstances, including by having regard to the public interest, the seriousness of the defamation, whether it is suspicion or proven fact and whether the defamed person was provided with natural justice; and
• Honest opinion: where the statement is opinion (as opposed to fact), is in the public interest and based on proper material.

Consequences of breach
Compensatory damages can be awarded by a Court if an action for defamation is established and there are no available defences. It is therefore important to ensure that the information held in any database is accurate and not defamatory.

Limiting risks
Although the electronic storage of information may open organisations to a number of risks, as discussed above, organisations can take steps to limit their potential liability. There are a number of steps that can be taken by organisations. This article is limited to discussing three key steps.

Limit collection of personal information
Employers should ensure that the information they collect about their employees contains a minimum of personal information and that the collection of sensitive personal information is avoided wherever possible.

Limit disclosure of employee personal information
Only authorised personnel should have access to the personal information of employees. Safeguards, such as passwords or encryption should be used to limit access to electronic records. Consent should be obtained before disclosing employmentrelated information to third parties. Appropriate processes should be used to properly dispose of computer equipment or documents containing personal information.

Implement workplace privacy polices
Informing people about the personal information that is collected, held and what is done with it is an important NPP. The Australian Information Commissioner encourages organisations to develop in consultation with staff, a clear privacy policy in relation to staff use of computer networks, particularly with regard to the use of email and the internet.

Workplace privacy and data protection policies should expressly prohibit employees from accessing the personal information of others unless they have authorisation and a legitimate business purpose to do so. The policies should warn employees that they may be subject to disciplinary action, up to and including termination of employment, for violating the policies.

If an organisation currently had a workplace privacy policy in place, it should review the policy to ensure that it is up to date with modern technology.

Training should be provided to ensure employees understand: how the employer may collect, use, and disclose their personal information, the nature and scope of workplace monitoring, their obligations to safeguard the privacy of others and the consequences of violating polices and the privacy of others.

Conclusion

Whilst the advances in modern technology have led to substantial benefits for organisations, organisations need to be aware of the potential risks in relation to the electronic storage of work information. Even though the legal risks associated with the electronic storage of work information are vast, organisations can implement a number of practices and procedures in order to avoid and mitigate the organisation's potential exposure to those risks. Prudent business practice suggests that organisations should undergo regular audits in order to ensure compliance with the applicable laws as discussed above.

¹² N Wilson, 'Regulating the information age – How will we cope with technological change?' (2010) 22 Australian Bar Review 119 at 120.
¹³ International Risk Governance Council, Managing and Reducing Social Vulnerabilities from Coupled Critical Infrastructures, White Paper No. 3, 2006, n3, p 12.
¹⁴ On 1 November 2010 all of the powers of the Privacy Commissioner under the Privacy Act were conferred on the Australian Information Commissioner.
¹⁵ Office of the Federal Privacy Commission Guidelines on Workplace E-mail, Web Browsing and Privacy (30 March 2000).
¹⁶ Dr Dan Svantesson, "Privacy in the e-workplace – employers beware!", Privacy Law Bulletin (2009) at 18 – 21.
¹⁷ Australian Law Reform Commission, Review of Privacy, Issues Paper No. 31 (2006).
¹⁸ Australian Law Reform Commission Report 108: For Your Information: Australian Privacy Law and Practice.
¹⁹ Dianne Banks and Michelle Rowland, Statuts of the "employee records exemption" under the Privacy Act 1988 (Cth), Privacy Law Bulletin (2009) May, 85 – 86.
²⁰ Colonial Mutual life Assurance Society Ltd v The Producers and Citizens Co-operative Assurance Co of Australia (1931) 46 CLR 41.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.