Background

In the decision of Jurecek v Director, Transport Safety Victoria, 1 the Supreme Court of Victoria (Court) considered issues relating to a complaint by a public sector employee that her employer breached the Victorian Information Privacy Principles (IPPs) contained in the Privacy and Data Protection Act 2014 (Vic) (Victorian Act) by collecting personal information about her through Facebook.

The complainant was experiencing alleged workplace bullying, stress, and other complaints. She had online conversations with a work colleague over Facebook (using an account under a pseudonym), in which she made references to the employer and other employees. She also posted a lengthy and abusive post on her work colleague’s Facebook wall. The colleague reported the conversations and posts to the employer. The employer investigated the matter by conducting Google and Facebook searches for the Facebook account and posts. The employer also accessed the posts and chats from a Facebook friend’s page. This investigation resulted in the complainant being given a final warning for the disciplinary offence of misconduct.

The complainant alleged that the employer unfairly, intrusively, and secretly obtained and used personal information relating to her from her Facebook page without it being necessary for the performance of the employer’s functions and activities, without notice to her, and without attempting to obtain the information from her first.

The decision

The Court found that social media posts using a pseudonym may constitute “personal information” if the person is reasonably identifiable. In this case, the employer was able to ascertain the identity of the individual.

Social media posts may not be a “generally available publication” (which is exempt from the Victorian Act). The term only covers information which can be accessed by most of the general public and information only accessible by those with particular skills in searching for information on social media was not within the exemption.

In relation to the alleged breaches of the IPPs, the Court found that:

• the conduct of the employer in obtaining personal information through Facebook was necessary to carry out the misconduct investigation and therefore not in breach of IPP 1.1 which provides a purpose limitation;

• the employer did not breach its obligations under IPP 1.3 and 1.5 which relate to notifying the individual of the collection and use of their information. It was not practicable for the employer to notify the complainant while they were obtaining the information, as to do so could have jeopardised the integrity of the disciplinary investigation; and

• it was not reasonable and practicable for the employer to ask the complainant directly and, therefore, they did not breach IPP 1.4 which provides that if it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

Bottom line for employers

• This decision is a reminder that privacy legislation can apply in a wide variety of circumstances.

• Although it was not considered in this case as it is not available in the Victorian Act, most private sector employers must comply with the Australian Privacy Principles in the Privacy Act 1988 (Cth) which contains the “employee records” exemption. “Employee records” is defined to mean “a record of personal information relating to the employment of the employee” and is therefore more limited.

• Whether Facebook posts of an employee “relate to” their employment will depend on the circumstances. Therefore, employers should exercise caution when undertaking workplace investigations to ensure compliance with their obligations under privacy legislation. 

Key points

• Most private sector employers must comply with the Australian Privacy Principles in the Privacy Act 1988 (Cth).

• The “employee records” exemption under the 1988 Act is quite limited, and employers should consider the application of the privacy legislation when undertaking workplace investigations.