The Australian information commissioner refused to investigate an employer that allegedly accessed an employee’s personal emails, on the grounds the information was accessed on the employee’s work laptop.
The decision of a delegate of the information commissioner, who holds responsibility for enforcing the Privacy Act, was revealed this month in a federal court of appeal ruling that rejected an appeal against the decision.
Shayano Madzikanda was suspended from his job at the mining industry company Mecrus in June 2019 and was ordered to surrender his work laptop.
Madzikanda had used his work laptop for personal activity, including saving his passwords for online banking, emailing from his personal account and accessing his online cloud storage.
In a complaint to the information commissioner made in 2019, he alleged that his iCloud and personal email accounts had been accessed by his employer.
Madzikanda said he received a letter from his employer after he was suspended accusing him of working on personal projects and contacting Mecrus’s rivals during work hours. He was suspended on that basis.
But Madzikanda claimed his employer could only have known that by reading the contents of his personal emails and accessing information from his iCloud account.
As part of his complaint, Madzikanda requested access to the personal information from his laptop, for the information held by the company to be deleted and for compensation.
Separately, he settled with his employer through the Fair Work Commission, including a provision that his personal property be returned.
The employer told the information commissioner that the information investigated by the company had been data stored on a company laptop, which was in line with company policy.
Madzikanda claimed the company did not have a policy on storing personal information on company computers, or if it did it wasn’t used in his five years working in the company’s IT department.
The company denied it had used personal information saved on the laptop to access his online accounts and provided IT policies dating back to 2013. The company also said the laptop was later stolen in an unrelated incident at the company.
A delegate for the commissioner in September 2021 informed Madzikanda that the employer had not interfered with his right to privacy due to the “employee record” exemption in the Privacy Act.
“To the extent that the personal information involves records of sites or accounts that you visited, using the work computer, I am satisfied that this amounts to a record of personal information relating to your conduct during your employment,” the delegate said.
He also said the employee handbook stated that all data created, stored or transmitted on its systems amounted to a “work product”.
after newsletter promotion
“I consider that you were aware that the work computer was not your private property, and that any data saved to the computer may have formed part of your employee records, as it was subject to routine monitoring and review,” the delegate said.
“The [employer] does not require your consent to access or use the equipment that it issued to you to perform your employment duties. As the computer was a tool the respondent provided to you to carry out your employment duties, it remains the property of the respondent.”
As such, the delegate said, it was not in breach of Australian privacy law. The investigation was closed off the same month.
Last week the federal court dismissed an appeal against the decision without considering the interpretation of the meaning of “employee records”.
Legal experts Guardian Australia spoke to said it was difficult to interpret any wider ramifications of the case itself, given the federal court did not examine the employee records justification in the commissioner’s delegate declining to hear the case.
David Vaile, the privacy and surveillance stream lead at the University of New South Wales’s Allens Hub for Technology, Law and Innovation, said: “The judgment is [unhelpful] for settling the law on this point – a consequence of the fact that a victim can’t directly litigate their legal claim, and that, as the court confirms, at present Australians still thus don’t have a ‘right’ to privacy, only a right to complain to a regulator who can, as this judgment confirms, take advantage of a wide range of justifications to do nothing if they feel like it with minimal court oversight.”
Guardian Australia has sought more information about the information commissioner’s position. The website of the commissioner’s office notes that “if your employer monitors staff use of email, internet and other computer resources, and they’ve told you about the monitoring, this would generally be allowed”.
Since the privacy complaint commenced, Mecrus has gone into voluntary liquidation.