Summary

It is completely inappropriate for corporations to have unfettered access to their employees’ email.

A framework is necessary within which suitably balanced solutions can be found, which reflect the needs of both employers and employees.

National, social and economic concerns, such as public safety and the protection of critical infrastructure, are matters for government, not for corporations. Appropriate, and appropriately controlled, powers must be in the hands of specialist investigative agencies, and not in the hands of corporations.

Strong commitments to positions by Ministers, and bold pronouncements in the media, are not the way to go about complex topics like these.

In order to establish a workable framework, and to achieve appropriate balances in the myriad of practical circumstances that arise, it is essential that consultations take place among the relevant parties, including representatives of employees, employers and investigative agencies, and privacy advocacy organisations such as APF and EFA.


Background

Some employers claim absolute power over their employees’ use of company Internet facilities. In 2000, the then Privacy Commissioner issued an utterly weak-kneed ‘guide’, which merely recommended that employers publish their policies to their employees. In 2008, the then Attorney-General floated the possibility of providing statutory authority to employers to monitor their employees’ communications without consent.

Those positions are utterly anti-privacy, and utterly unjustified.

Employees are not captives in the worplace. They have long had the freedom to make reasonable personal use of the company telephone. They need to be able to make reasonable use of company email and web-browsers for private purposes, without the expectation that their communications are being read by the IT Services Section (or, worse, by some equivalent outsourced organisation).

The issues are even more serious where the employer provides an employee with a mobile phone, or with home-equipment and Internet connections, because company staff could end up monitoring entirely personal activities undertaken in personal time.

A further factor that has to be considered is that emails have both senders and recipients. An employer that intercepts an email is accessing personal data of another person as well as their employee’s email. By doing so, they may be in breach of either or both of the Privacy Act and the Telecommunications (Interception and Access) Act.

Monitoring and recording the sound of people’s voices, and video-surveillance technologies, are both well-developed, and so is telephonic interception. But there are tight legal constraints on what an employer can do in the way of surveillance of telephone conversations, personal conversations and personal behaviour.

Where employees over-step the mark, the employer needs the ability to take steps to control their misbehaviour. That applies to people who are sending abusive emails and subscribing to porn site, just as as much as it does to people who are having frequent or long social telephone calls at work, or using the company telephone to run their own business.

Of course it would be unreasonable to prevent employers from accessing employee’s email under any circumstances at all. But it’s just as unreasonable to provide them with unfettered power. The need is for a reasonable balance to be established between the two sets of interests. That in turn depends on consultations being held among employer groups and privacy advocacy groups, and between employers and their staff.

Some of the aspects that need to be sorted out include the circumstances under which employers may access emails, what use the employer can make of information that they find there, how soon copies must be destroyed, what controls are to be applied over the staff who do the monitoring, and how it will be ensured that the sanctions for abuse by individuals and by companies are actually applied.

See also the Electronic Frontiers Australia site, which provides background information on ‘Workplace Privacy and Surveillance’, and Model Acceptable Use Policy for Employee Use of the Internet (November 2000).

See also the APF’s submission re Workplace Privacy to the Standing Committee of Attorneys-General (SCAG), in July 2007.

It is also vital that Ministers and Parliamentarians appreciate that properly balanced solutions are situation-specific. They must not grant vast powers across vast swathes of activities, when what they really want to target is quite specific.

For example, in the case of the April 2008 furore, it appears that the motivation related to a narrow class of situations in which suspicion may exist, on reasonable grounds, that ‘critical national infrastructure’ in the hands of private sector organisations is likely to be subject to some kind of attack. If such situations are not already addressed by appropriate mechanisms, then privacy advocacy organisations would be very happy to work with legislators to adapt the law.

But it is completely unacceptable for companies to exercise powers that should be in the hands only of skilled investigators. (As the Haneef disaster has shown, investigation is not easy, and even skilled investigators can make a complete hash of it). Companies should certainly not be conducting such investigations, but instead should be calling in suitably qualified agencies that have quick and convenient access to judicial warrants when they have the sufficient grounds to justify them.