Workplace Privacy - Recommendations

Chapter 3

1.       The legislation should provide that an employer must not engage in acts or practices that unreasonably breach the privacy of workers engaged in work-related activities.

2.       An employer unreasonably breaches the privacy of workers if it engages in acts or practices:

  • for a purpose that is not directly connected to the employer’s business;
  • in a manner that is not proportionate to the purpose for which those acts and practices are being used;
  • without first taking reasonable steps to inform and consult workers about the relevant act or practice;
  • without providing adequate safeguards to ensure the act or practice is conducted appropriately, having regard to the obligation not to unreasonably breach the privacy of the worker.

3.       An act or practice is ‘proportionate’ under Recommendation 2 if it is the least privacy-invasive measure by which the intended purpose can be achieved.

4.       The obligation to take reasonable steps to inform workers under Recommendation 2 requires provision of information to workers about:

  • the nature of the act or practice and the reasons for introducing it;
  • the number and categories of worker likely to be affected;
  • the time when, or the period over which, the employer intends to engage in the act or practice;
  • the alternatives considered and the reasons why the alternatives were not considered appropriate;
  • the safeguards used to ensure the acts or practices are conducted appropriately.

5.       The employer must take reasonable steps to give workers a genuine opportunity to influence the decision to introduce the act or practice.

6.       The regulator should have the power to issue advisory codes of practice to provide practical guidance to employers about how to fulfil the obligation imposed by Recommendation 1.

7.       Advisory codes may cover acts or practices which affect the privacy of workers or prospective workers while they are engaged in work-related activities other than:

  • acts or practices to which mandatory codes apply under Recommendation 14;
  • acts or practices which require authorisation under Recommendations 19, 22 and 25;
  • acts or practices which are prohibited under Recommendation 30.

8.       An advisory code of practice prepared by the regulator must be consistent with the principles in Recommendation 2.

9.       Compliance with an advisory code is conclusive evidence that the employer has complied with the obligation imposed by Recommendation 1.

10.     If an advisory code is in operation, contravention of the code is a contravention of the obligation imposed by Recommendation 1 unless the employer complies with that obligation in some other way.

11.     The regulator should have the power to approve codes of practice (approved codes) prepared by employers that deal with acts or practices that affect the privacy of workers while they are engaged in work-related activities, other than:

  • acts or practices to which mandatory codes apply under Recommendation 14;
  • acts or practices which require authorisation under Recommendations 19, 22 and 25;
  • acts or practices which are prohibited under Recommendation 30.

12.     The regulator may only approve a code which is consistent with the principles set out in Recommendation 2.

13.     An employer must comply with an approved code of practice.

14.     The regulator must issue mandatory codes of practice about the following acts or practices:

  • covert surveillance of workers in the workplace (including covert use of optical surveillance devices and of listening or tracking devices and covert surveillance or monitoring of emails or internet use);
  • the taking of bodily samples from workers or prospective workers for the purposes of drug and alcohol testing;
  • any other acts or practices that are prescribed by regulation for the purposes of this section.

15.     A mandatory code of practice must be consistent with the principles in Recommendation 2.

16.     In deciding whether to issue a mandatory code the regulator should consult with relevant organisations and persons.

17.     A mandatory code of practice, or a variation or revocation of a mandatory code of practice, must be approved by the relevant minister.

18.     An employer who fails to comply with a mandatory code breaches the obligation imposed by Recommendation 1.

19.     The legislation should provide that an employer must not engage in acts or practices that breach the privacy of a worker when the worker is engaged in non-work-related activities without an authorisation from the regulator.

20.     The regulator may authorise the employer to engage in an act or practice which affects the privacy of a worker engaged in non-work-related activities, if the regulator is satisfied that:

  • there are reasonable grounds for believing the worker’s out-of-hours activity may have a direct and serious impact on the business or reputation of the employer;
  • the employer’s act or practice affecting privacy cannot reasonably be undertaken while the worker is engaged in work-related activities;
  • the act or practice is a proportionate response to the protection of the employer’s interests;
  • the employer will inform and consult workers concerning the act or practice and ensure the act or practice is conducted appropriately;
  • adequate safeguards have been put in place to minimise breaches of workers’ privacy.

21.     An employer may seek a review by VCAT of the regulator’s decision to authorise or refuse to authorise.

22.     An employer must not use acts or practices which affect workers’ privacy while they are working at home, unless the act or practice is authorised by the regulator.

23.     The regulator may authorise an employer to use acts or practices which affect the privacy of workers while they are working at home if the regulator is satisfied of the matters set out in Recommendation 20.

24.     An employer should not be required to seek an authorisation to monitor a worker’s email or internet use when the worker is using the employer’s communication system, wherever the worker is situated.

25.     An employer must not conduct genetic testing of workers or prospective workers unless genetic testing is authorised by the regulator.

26.     The regulator may authorise an employer to undertake genetic testing of workers if the regulator is satisfied that:

  • workers have consented to being genetically tested;
  • there is substantial evidence of a connection between the working environment/workplace hazard and the existence or predisposition to a condition which may be detected using genetic testing;
  • the condition or predisposition which may be detected has the potential to seriously endanger the health and safety of the worker or a third party;
  • there are no other reasonable means by which the hazard, which genetic testing seeks to eliminate or reduce, can be eliminated or reduced;
  • there are no other reasonable means of detecting a condition;
  • the proposed genetic test is scientifically reliable;
  • the employer has put in place adequate safeguards to ensure tests are conducted appropriately;
  • the employer has taken appropriate steps to ensure any information obtained as a result of the test will be adequately protected from disclosure;
  • the employer has taken reasonable steps to inform and consult with workers about the conditions under which the genetic testing will be undertaken.

27.     Genetic testing means the use of samples obtained from the body of a worker, or prospective worker, for the purposes of obtaining genetic information about the worker or prospective worker.

28.     The legislation should provide for regulations to be made requiring other acts or practices which have a serious effect on workers’ privacy to be authorised before they can be used by employers.

29.     The regulator should establish a system for expediting authorisation applications in urgent cases.

30.     An employer should be prohibited from using any device to observe, listen to, record or monitor the activities, conversations or movements of a worker in toilets, change rooms, lactation rooms, wash rooms or in any other prescribed circumstances.

31.     Acts or practices of employers which involve installation, use or maintenance of surveillance devices in relation to their workers should be regulated by the Workplace Privacy Act. The Surveillance Devices Act should be amended accordingly.

32.     The Department of Justice should consult with government agencies and statutory entities to determine whether statutory provisions in other legislation which affect workplace privacy should be repealed or retained.


Chapter 4

33.     A statutory office of the workplace privacy regulator should be established.

34.     The workplace privacy regulator should be appointed by the Governor in Council for a term not exceeding seven years and should only be able to be removed from office for misbehaviour or incapacity.

35.     The office of the workplace privacy regulator should be a ‘special body’ and the workplace privacy regulator should have the functions of an agency head in relation to employees according to the Public Administration Act 2004.

36.     The workplace privacy regulator should be required to report annually to parliament.

37.     The workplace privacy regulator should also have the power to report to the relevant minister on matters relating to his or her functions under the workplace privacy legislation. The minister should be required to table these reports in parliament.

38.     The main functions of the workplace privacy regulator are to:

  • promote understanding of and compliance with the workplace privacy regime;
  • provide educational programs to promote understanding of the workplace privacy regime;
  • provide advice to any person or organisation on compliance with the legislation;
  • issue guidelines on the development of approved codes of practice prepared by employers or groups of employers;
  • receive complaints about an act or practice of an organisation that may contravene the workplace privacy legislation and investigate, conciliate and make rulings on complaints;
  • conduct audits of acts or practices of an employer to ascertain whether the employer is complying with obligations under the workplace privacy legislation;
  • monitor and report on the adequacy of equipment and system safeguards put in place to minimise the effect of acts or practices on workers’ privacy;
  • conduct an investigation beyond the terms of a particular complaint;
  • conduct an inquiry into acts or practices which affect workers’ privacy;
  • assess any proposed or existing legislation that may adversely affect the privacy of workers or otherwise contravene the provisions of the Act, including reporting to the minister the results of assessment;
  • make public statements in relation to any matter affecting workplace privacy;
  • undertake research into and monitor developments affecting workplace privacy.

39.     The regulator should have the power to investigate acts or practices of an employer which come to the regulator’s attention while dealing with a complaint, in order to deal with privacy breaches of the same or a different kind as the breach which is the subject matter of the complaint.

40.     In exercising the function to conduct an inquiry, the regulator should have the power to obtain information and documents and examine witnesses.

41.     In exercising the function to audit and monitor, the regulator should have the power to obtain information and documents, examine witnesses and to enter premises.

42.     A worker or prospective worker should be able to complain to the regulator about an act or practice that may be a breach of the legislation.

43.     Where an act or practice breaches the privacy of two or more workers, any one of them should be able to complain to the regulator on behalf of all workers who are affected, with their consent.

44.     A representative body should be able to complain to the regulator on behalf of a worker or workers if that body has sufficient interest in the complaint.

45.     A representative body should be regarded as having sufficient interest in the complaint if the conduct is a matter of concern to the body because of its effect on the interests of the body or the privacy of the person it represents.

46.     The regulator should have the power to receive complaints about possible breaches of the legislation and to decline or accept them.

47.     If the regulator decides to accept a complaint it may attempt to resolve it informally.

48.     The regulator may decline a complaint if:

  • the act or practice about which the complaint has been made is not a breach of the individual’s privacy;
  • the complaint is made on behalf of a complainant by a person not authorised to do so;
  • the complaint to the regulator was made more than 12 months after the complainant became aware of the act or practice;
  • the complaint is frivolous, vexatious, misconceived or lacking in substance;
  • the act or practice is the subject of
    (i) an application under another enactment; or
    (ii) a proceeding in a court or tribunal
    and the subject-matter of the complaint has been, or is being, dealt with adequately by that means;
  • the act or practice which is the subject of the complaint could be more appropriately dealt with under another enactment;
  • the act or practice is subject to an applicable code of practice or authorisation and mechanisms available for seeking redress under that code or authorisation have not been exhausted;
  • the complainant has complained to the respondent about the act or practice and either
    (i) the respondent has dealt, or is dealing, adequately with the complaint; or
    (ii) the respondent has not yet had an adequate opportunity to deal with the complaint.

49.     If the complaint is accepted the regulator may:

  • attempt to resolve the matter informally;
  • conciliate the complaint if appropriate;
  • investigate the complaint and, if appropriate, make a ruling as to whether there has been a breach of privacy and set out any action which the regulator requires the employer to undertake to remedy the complaint.

50.     A ruling may provide that:

  • the employer must not repeat or continue the conduct;
  • the employer must perform any reasonable act or undertake a course of conduct to redress any loss or damage suffered by the worker;
  • any existing authorisation the employer possesses be revoked, or revoked until the employer takes specified action;
  • the employer publish, at the employer’s expense, an advertisement as specified in the order (the regulator may also publish details of the employer’s conduct and/or number of complaints in its annual report).

51.     Where the act or practice affects people other than the person making the complaint, the regulator may make a ruling to protect the privacy of people other than the person making the complaint, if having regard to the circumstances it is appropriate to do so.

52.     If the respondent fails to comply with a ruling and does not seek to refer the matter to VCAT for hearing, the complainant can register the ruling with VCAT. On registration, the ruling is to be taken as an order of VCAT and can be enforced accordingly.

53.     The legislation should prohibit victimisation of workers (including prospective workers) by the employer.

54.     An employer victimises a worker (including prospective workers) if the employer subjects or threatens to subject the worker to any detriment because the worker, or a person associated with the worker:

  • has made a complaint against the employer under the Act;
  • has given evidence or information, or produced a document, in connection with any proceedings under the Act;
  • has attended a conciliation conference;
  • has alleged that the employer has contravened the Act, unless the allegation is false and was not made in good faith;
  • has refused to do something that would contravene a provision of the Act;
  • because the worker has reasonable cause to believe the employer has done or intends to do any of the above.

55.     The legislation should impose a civil penalty for:

  • performing an act which is prohibited;
  • failing to report to the regulator about action taken in response to a ruling;
  • not seeking an authorisation for an act or practice which affects the privacy of workers while they are engaged in non-work-related activities;
  • breaching an authorisation for an act or practice that affects the privacy of workers while they are engaged in non-work-related activities;
  • not seeking an authorisation or breaching an authorisation for genetic testing.

56.     Where an employer fails to comply with a ruling made by the regulator or the employer has performed an act or used a practice which is a serious or flagrant contravention of the workplace privacy legislation, the regulator should have the power to serve a compliance notice on the employer.

57.     The compliance notice may require the employer to refrain from an act or practice or to take specified action within a specified period of time and to report the taking of that action to the regulator.

58.     A civil penalty should apply for failure to comply with a compliance notice.

59.     The regulator should have the additional power to view premises and equipment where a ruling has been made or a compliance notice issued to ensure the employer is satisfying its obligations.

60.     VCAT should have jurisdiction to hear a complaint when:

  • the regulator declines to entertain a complaint and the complainant requires the regulator to refer the matter to VCAT for a hearing of the complaint;
  • the regulator decides that conciliation is inappropriate and decides not to further entertain the complaint and the complainant requires the regulator to refer the matter to VCAT;
  • conciliation fails and the complainant requires the regulator to refer the matter to VCAT;
  • the regulator makes a ruling and a complainant or respondent requires the regulator to refer the matter to VCAT.

61.     Where, after a hearing, VCAT finds that a complaint is substantiated, it may make an order that:

  • the employer must not repeat or continue the act or practice;
  • the employer must perform any reasonable act or undertake a course of conduct to redress any loss or damage suffered by the worker;
  • the worker is entitled to a specified amount not exceeding $100,000 as compensation for any loss or damage suffered, including injury to the worker’s feelings or humiliation suffered by the worker as a result of the employer’s act or practice;
  • the employer publish, at the employer’s expense, an advertisement as specified in the order;
  • any existing authorisation the employer possesses be revoked, or revoked until the employer performs another specified act.

62.     Where the act or practice affects people other than the person making the complaint, VCAT may make a ruling to protect the privacy of people other than the person making the complaint if, having regard to the circumstances, it is appropriate to do so.

63.     VCAT should have the jurisdiction to review a decision by the regulator to issue a compliance notice.

64.     VCAT should have the jurisdiction to make interim orders to prevent a party to a complaint from acting in a way which is prejudicial to conciliation or to any decision or order VCAT may subsequently make.

65.     The Supreme Court’s jurisdiction to hear appeals on questions of law from VCAT should apply to decisions under the workplace privacy legislation.
