Tabled in Parliament Date:
Long-held assumptions about privacy have been challenged recently by the rapid advance of surveillance and monitoring technologies that can affect everybody in their working and public lives. Employers with access to technology can have unpreciedented access to employees’ activities during work hours, and the law has not kept pace with the changes. In March 2002, the Commission was asked to examine two major issues of public concern in relation to privacy: workplace privacy and privacy in public places.
In the first stage, the Commission was asked to address gaps in privacy protection for Victorian workers, in particular, surveillance by video, audio or tracking devices, e-mail and internet monitoring, physical and psychological testing, searching workers and their belongings, and the handling of personal information. The Commission was also asked how new technologies affect worker’s rights to privacy.
The Commission published several papers to encourage community response: an issues paper in October 2002, an occasional paper in 2002 and an options paper in 2004. Extensive consultation throughout the review was augmented by expert roundtables. The Commission received more than 60 public submissions.
The final report, tabled in Parliament on 5 October 2005, included 65 recommendations for a regulatory model that would open up privacy-invasive practices to scrutiny and ensure both employers and workers knew where they stood.
The second part of this project, Surveillance in Public Places, was finalised in June 2010 with a separate report.
- Terms of reference received
- Submissions and consultations
- Submissions closed
- Final Report
- Tabled in parliament
What was recommended?
Final Report—How the Act will Work
5 October 2005
The Commission is recommending the introduction of a Workplace Privacy Act, which will be overseen by a regulator. The main elements of the scheme include:
- Appointment of a regulator to promote understanding and acceptance of workplace privacy legislation, to provide advice to employers and employees and to oversee the administration of the legislation. This role could be undertaken by an existing regulator, such as the Privacy Commissioner, or by a newly established office.
- The regulator would develop advisory codes or approve codes developed by employers, to cover some workplace practices, for example overt video surveillance and monitoring of workers’ emails.
- The regulator would also develop and oversee mandatory codes of practice to cover practices like drug and alcohol testing of workers. A breach of a mandatory code of practice would be a breach of the Act.
- If the regulator thought businesses weren’t adhering to advisory or approved codes of practice then the regulator could make such codes mandatory.
- A complaints system would be set up to give workers and employers an informal mechanism for resolving disputes about workplace privacy issues. The regulator would be able to conciliate and, in more serious cases, investigate complaints and make rulings on them.
- The regulator could conduct or commission audits to ascertain whether an employer or group of employers are complying with the legislation.
- Privacy-intrusive practices that affect workers when they are not working would have to be authorised by the regulator.
- Surveillance in toilets, change rooms, showers and bathrooms would be prohibited, even if workers consented to it.
- The Victorian Civil and Administrative Tribunal would be able to review a range of decisions made by the regulator and enforce regulator rulings.
Final Report—Drug and Alcohol Testing
5 October 2005
Drug and alcohol testing is currently unregulated by Victorian legislation. Workers must consent to removal of bodily samples, but may feel under pressure to do so to get or keep their job.
Employers typically test for drugs and alcohol to ensure someone operating machinery or who may otherwise pose a risk to fellow workers and third parties is not impaired. Many of the current tests for drugs show the presence of drugs but do not indicate impairment levels.
Some tests may also show that an employee is taking drugs prescribed for an illness, for example anti-depressants. The 0.05 level of impairment for alcohol use is commonly accepted, as tested by breath analysis.
An Australian Standard exists for urine testing for drugs but there are no standards for breath testing or blood testing.
Under the Commission’s recommendations, drug and alcohol testing would be governed by a mandatory code of practice. If an employer breached this code then it would have breached the legislation and an employee could complain. A penalty would apply for breach of the legislation.
The regulator would develop a code of practice that covers a wide range of workplaces to provide guidance to employers on who and how they may test for drugs and alcohol.
The regulator in developing the code may consider:
- whether people who do not pose a physical threat to others should be tested for drugs and alcohol—some employers may argue that office workers should be tested for impairment to ensure they are not making decisions which imperil the company’s reputation or legal obligations
- whether businesses should be testing for certain drugs if the test does not show levels of impairment, eg, marijuana can be detected many days after its use
- how businesses will protect the “health information” they collect during these tests, as per the Health Records Act
- how businesses will ensure they are not discriminating against certain people if they urine test, because some racial groups have more dilute urine than others and so have a better chance of escaping detection
- whether testing should be routine or random, or whether it should only be conducted if impairment is suspected
- the existence of federal industrial agreements that detail how and when drug and alcohol testing can occur in certain industries.
Final Report—Email and Internet Monitoring
5 October 2005
There is confusion about whether existing federal legislation stops another person reading a person’s email or monitoring internet use. The federal government recently excluded ‘stored communications’ from the legislation but if an employer intercepts an email as it’s ‘passing over the system’ then they may have breached the Act.
Present Victorian law does not cover surveillance devices used on computers.
Most employers monitor worker’s emails and internet use—two surveys undertaken in 2000 put the figure at about 76 per cent.
Monitoring involves checking emails and downloads for viruses and worms. It can also involve blocking internet access to certain sites (eg pornographic sites) and filtering emails that contain certain words to block spam email and prevent harassment.
Under the Commission’s recommendations, employers would have to follow an advisory code of practice if they want to read workers’ emails or monitor their internet use.
The Commission has recommended that employers should not be able to intrude into workers homes without an authorisation from the regulator. However, if someone is working from home and is connected to an employer’s communications system, then the employer will be allowed to monitor that system, with the knowledge of the employee, without obtaining an authorisation. This is because the employer will be liable if a worker uses the system to breach copyright laws or to send other workers offensive material, regardless of whether the worker is engaged in non-work related activities at the time.
If a worker thinks an employer is using information gleaned from email monitoring inappropriately then he/she can complain to the regulator.
The regulator can conciliate the complaint or make a ruling which binds the employer. If the regulator thinks businesses are ignoring an advisory code of practice then it can apply to the relevant government minister to make such codes mandatory.
Final Report—Genetic Testing
5 October 2005
There is little federal or state regulation of genetic testing in workplaces. The Australian Law Reform Commission (ALRC) has completed a detailed report on genetic testing but the federal government is still considering its recommendations.
Genetic testing is not commonly used in Australian workplaces, but there is potential for it to increase in frequency. The ALRC report stated that discrimination based on genetic testing was beginning to emerge in workplaces.
When genetic testing is used, it is usually because employers:
- want to know if workers have a predisposition to develop a disease or condition. This may be to reduce the employer’s potential liability to compensate the worker or to protect the worker or a third person from harm
- conduct ongoing health surveillance to ensure workers are not developing a disease or condition as a result of their work environment.
Under the Commission’s recommendations employers who want to perform genetic tests on workers would have to get authorisation from the regulator.
The Commission believes that genetic testing should rarely be allowed for employment purposes. Testing affects workers’ privacy in many ways. In particular, it may give them information about a genetic condition which they may not want to know about.
The regulator would judge each application on its merits, but may consider granting an authorisation where:
- genetic screening of workers may help the employer protect other people
- strong evidence exists of a connection between a working environment and the development of a particular condition that can only be gauged by genetic testing
- a worker with a genetic deficiency might be more susceptible to a particular hazard
- workers are exposed to a workplace hazard, such as a toxic chemical, and genetic testing would reveal if their health had been affected by the exposure.
Employers would need to provide very strong evidence of the need to perform genetic tests and show the regulator that they had tried other methods to achieve the same aims.
5 October 2005
Video surveillance is widely used by employers, especially in retail businesses.
The main reasons for surveillance are the detection and prevention of theft by customers and workers, and for occupational and health safety reasons.
Cameras are usually visible. Some cameras are fixed to film one area and others are able to pan and zoom around an area. Hidden cameras are used when employers suspect specific incidents or theft or dangerous behaviour.
Most businesses that have call centres also monitor phone calls. This is typically intended to monitor responses to customers but in some businesses, such as stockbroking, it can be done to ensure workers are complying with an employer’s legal obligations.
Global Positioning System devices are often placed in company cars and trucks to track a worker’s movements or to locate a vehicle if it’s stolen.
The Commission recommends that video, audio and GPS surveillance be guided by an advisory code of practice.
However, if an employer wants to use one of these practices and it intrudes into a worker’s non-work activities, then the employer will need authorisation from the regulator. For example, a sales representative who receives a company car as part of her salary package may use the car on her own time. If her employer wants to keep the GPS device in her car switched on at all times then it will need to satisfy the regulator there is a reason for this that is proportionate to the risk.
If an employer wants to use covert video surveillance, that is, hidden cameras, then it will need to follow a mandatory code of practice. Any employer that breaches a mandatory code of practice will be in breach of the Act.
The Commission recommends a ban on any video or audio surveillance in toilets, change rooms and bathrooms. This is not currently prohibited if workers consent to it.
Options Paper—Interesting Facts
23 September 2004
The options paper explores privacy concerns involved with medical and drug and alcohol testing, biometric technologies, camera surveillance, email and internet tracking and physical searches.
- The Privacy Committee of New South Wales found Australians were one of the highest per capita spenders on video surveillance in the world. (p18)
- Some video cameras are so sophisticated that they can follow an individual as he or she moves around a room. (p19)
- One survey found 76 per cent of employers monitor their workers’ email content periodically for maintenance and troubleshooting or where email abuse is suspected. About five per cent monitor regularly. (p24)
- A recent industry survey of human resources staff in the public and private sector found 60 per cent of organisations had used psychological testing.
- The only type of alcohol and drug testing which is covered by an Australian Standard is urine testing.
- Retail employers believe that 40 per cent of retail theft is committed by staff.
- Biometric technologies are increasingly being used for security but these systems are not failsafe—four to five per cent of the population cannot use finger-scanning technology. This is because their fingerprints are ‘genetically indistinct’ or they have been worn down through manual work. (p28)
Options Paper—Proposed Models
23 September 2004
The Commission explored a number of possible options for reform of the current laws before settling on two models. These were chosen because they both fulfil the commission’s three goals for this review:
- To ensure minimum standards of privacy protection for workers without unduly limiting the ability of employers to run their businesses.
- To protect workers’ privacy in a way that is sufficiently flexible to accommodate the needs of different workplaces.
- To put in place mechanisms that ensure compliance with the selected regime.
Models proposed during our consultation process or found in another jurisdiction were tested using these goals. The final options chosen achieve the three goals described above but in different ways and to different degrees.
Option One: A separate Act that would require employers to seek authorisation in advance from a regulator before undertaking either some or all surveillance, monitoring or testing practices in the workplace. The Commission makes no recommendation about who the regulator should be.
Option Two: A separate Act that would require employers to comply with a set of principles on how they implement and conduct workplace surveillance, monitoring and testing. This option would put more direct responsibility on employers, and may have less significant resource implications for government.