|Privacy in the Workplace
Faculty of Law
University of Otago
Privacy law and employment law seem naturally to go hand in glove with each other. On one level, this is because both deal with the rights of the vulnerable, and both have a strong human rights aspect to them. Both are also subject to internationally recognised minimum standards.
On another level, the interplay between the two areas raises some interesting and often challenging issues. These issues will arise more frequently as we go into the future. This is because, firstly, technological developments have opened up new possibilities in the way we work and the ways in which workers can be monitored both within and outside the workplace. The introduction of new and converging technology has also blurred the lines between working life and private life, since the office can now be transported anywhere via laptops, the internet, and mobile phones.
Secondly, changes in our economic life have also meant that employers have more reason to be concerned about the conduct of their workers both on and off the job. As in many developed economies, manufacturing is increasingly moving offshore where labour and materials are cheaper. We have instead a growing service industry sector and an increase in professionalisation of a wide variety of tasks. Both of these developments rest on the foundation of public image.1 This means that employers are increasingly concerned with how workers conduct themselves in both their working and their private lives.
A basic question to ask, of course, is to what extent there are any rights to privacy in the workplace context. A workplace is more of a public place than the worker's own personal space. There is a much more limited expectation of privacy in the workplace than in other places. A workplace is not an individual worker's personal domain. Moreover, by entering into an employment relationship, the worker has agreed to concede inroads into his or her civil rights, including those rights associated with privacy. For example, under an employment contract, workers must provide certain information about themselves when asked by their employers, and they cannot complain about having their conduct at work scrutinised. Employers, therefore, have certain rights that can be viewed as privacy invasive.
Workers, however, also have rights. As with many legal issues, the tricky part is determining where to draw the line in individual cases. But on balance, employers generally enjoy the upper hand in this area. There are a whole raft of legitimate interests that employers have that can be viewed as being intrusive to a greater or lesser extent into workers' privacy. These include the following areas of employer concern in particular:
Employee selection and vetting. An employer is entitled to evaluate potential workers to see whether they are qualified and fit for the employment being offered.
Monitoring work performance and conduct at work. An employer is entitled to see that it is getting a good day's work in exchange for the pay and that the standard of work is up to standard.
Health and safety in the workplace. An employer has legal obligations to ensure that a worker does not pose a hazard to him or herself or to others.
Connected to the preceding (work performance, conduct at work, and workplace health and safety) is some degree of concern with lifestyle and lifestyle choices. For example, drug and alcohol use off the job can affect work performance, work efficiency, and safety on the job. Drug and alcohol use, as well as hazardous outside activities (e.g., horse riding) can also affect attendance at work.
Security. An employer is entitled to ensure that workers are not acting dishonestly in relation to it, fellow workers, or customers.
The privacy interests of employees normally must take a back seat to the above matters because of overriding practical, contractual, and statutory obligations. While there is some regulation around the fringes, the legal limits that are imposed on the privacy intrusive actions of employers are neither extensive nor particularly clear.
There are two further factors that tend to favour employers’ interests over those of employees in the workplace privacy stakes. One is the dynamics of most workplaces. As might be expected in an institutional setting such as the workplace, the individual as job applicant or employee tends to be in a position of relative weakness in relation to an employer who demands or proposes a new workplace practice involving personal information. While individuals may in law consent to intrusions into their personal sphere, it is usually because refusal is not a readily exercisable option.
The other factor that tends to favour employers’ interests over the privacy interests of employees is that privacy tends to be a relative, as opposed to an absolute, value. The importance of upholding privacy as a value in any given situation often depends on what other value is balanced against it. For example, drug testing in a safety sensitive area such as forestry work or air transport can be justified on the basis that failure to do so might otherwise put lives at risk. Where all things are equal, however, there is always the possibility that some individuals are more "privacy sensitive" than others. The issue is then whether the law should defer to managerial prerogative or to individual preference. In some cases, individual privacy sensitivity may simply reflect class war or a union/management struggle carried out on a different level, and in other cases it may be the result of cultural factors. The law has tended so far to largely ignore the preferences of the particularly privacy sensitive individual worker unless there is an additional legitimising factor involved, such as in the OCS finger scanning case,2 where the employer was legally required under statute to take cultural considerations into account when making workplace decisions.
The Privacy Act 1993
While there are a few areas where the Privacy Act is effective in protecting workers' interests, it has been largely a disappointment for workers, who are increasingly subjected to privacy-intrusive practices in the workplace as in other spheres of their daily lives. New Zealand’s Privacy Act has hardly affected the balance of power in relation to workplace privacy matters. The irony is that those who are best placed to take advantage of the legislation in the employment setting are unsuccessful job applicants and dismissed employees -- that is, people who are not actually in a subsisting employment relationship at all. The prospective job applicant is entitled to not being asked for personal information that is irrelevant to the job on offer, while the dismissed employee is entitled to access personal information relating to the dismissal.
Some of the information privacy principles in s 6 that might be expected to be important for privacy protection in the workplace make provision for derogations, so that, for example, individuals can expressly or impliedly waive their application. These are principles 2 and 3, which relate to the collection of information about individuals, and principles 10, and 11, which deal with the use and disclosure of personal information. The benefit of protection by the other principles, however, cannot by waived or contracted out of by individuals. Therefore, it is these non-derogable principles that should have the strongest effect in the workplace. Unfortunately for workers, the principles are framed so loosely, and have so many exceptions, that flexibility has arguably been bought at the price of enforceability.
The Privacy Act imposes some limits on the collection of personal information. These limits are mainly effective in relation to job applicants, since without some legal protection, job applicants are ordinarily not in a position to refuse to disclose information requested by an employer or employment agency.
The Privacy Act provides limited protection in relation to pre-employment inquiries. Principle 1 (“Purpose of collection of personal information”) is non-derogable and requires that a collection of personal information must be for a lawful purpose connected with a function or activity of the agency, and that the collection is necessary for that purpose. Since collecting information for the purposes of discrimination is unlawful, principle 1 supplements existing human rights protections in that regard.
For example, in the employment law case of Attwood v Imperial Industries,3 the Employment Relations Authority found that an employer’s pre-employment form was drawn too widely and therefore was likely to have breached principle 1.4 The employee had been dismissed because she allegedly misrepresented her medical condition on a pre-employment form when she applied for a sales position. The form included a question about whether she had medical problems of any kind. In completing the question, she referred only to a condition that affected her hip joint. Once she was employed, her employer thought she was taking an excessive number of days off sick. In dismissing her, the employer accused her of having failed to disclose at least two pre-existing medical conditions that had a serious impact on her ability to perform her job. The Authority determined that the applicant’s failure to refer to the two pre-existing medical conditions on the pre-employment form did not amount to misrepresentation because the employer was not entitled to collect this information in the first place because of principle 1 of the Privacy Act. The scope of the information that was sought went beyond what was relevant to the employer’s compliance with its health and safety obligations or the employee’s ability to do the job. The Authority’s determination was upheld on appeal to the Employment Court, which remarked that the company’s question was “inappropriate” and imposed no obligation on the job applicant to disclose all of her medical problems. Therefore, the employee could not be justifiably dismissed because of this failure to disclose the information concerned.5
Employers also have a great thirst for information that is not necessarily caught by discrimination law. Whether or not the collection of particular information is "necessary" in terms of principle 1 in the employment context has in practice involved an assessment of its reasonableness, and due allowance has been made here, as elsewhere in employment matters, for the exercise of managerial prerogative. The views of the Privacy Commissioner on a number of complaints indicate that non-derogable or not, the “necessary to collect” test in principle 1 involves a low threshold that is not difficult for an employer to satisfy.
In Case No 2418,6 the Privacy Commissioner found that personality testing of job applicants was permissible under the Privacy Act. The complainant had applied for a sales position and was asked to complete a form containing 200 questions. She claimed that the questions were too personal considering the nature of the position sought. The Privacy Commissioner considered that in terms of principle 1, the collection of information about a prospective employee’s personality and attitudes was a lawful purpose connected with the employer’s function. He noted that other agencies used such tests, and that “the use of such extensive questions could probably be justified only in the context of obtaining the information as part of a comprehensive personality test to assess aptitude for a particular position.” On the facts of the case, the Privacy Commissioner could not say that the test was unnecessary or that the information collected was excessive.
The Privacy Commissioner did not address the intrusiveness of the test or its relevance to the particular position sought by the applicant. The employer, however, ought to have borne the burden of proving that the test was indeed “necessary”. This case illustrates that the Privacy Act tends to be ineffective in substantively limiting the amount and extent of information collected, and that it is more easily invoked where there has been a technical failure to comply with the proper procedure for collecting personal information. In this case, the Act required that the individual concerned be informed of the intended recipients of the information. This is cold comfort, however, where there are loose restrictions on the extent of information that is collected.
The Privacy Commissioner's "margin of appreciation" approach to the standard of necessity has been recently followed by the Human Rights Review Tribunal.7 The Tribunal observed that:
The use of the word 'necessary' in Principle 1(b) is not qualified. Taken at face value, the word might convey a sense of that which is essential; something but for which the purpose cannot possibly be achieved. If interpreted in that way, Principle 1 imposes a very high standard indeed for agencies to have to achieve before it can be said that the collection of personal information is justified within Principle 1.8
The Tribunal accepted that in the case at hand the collection of personal information was not "necessary" in this strict sense. At the same time, however, the Tribunal accepted that from a practical point of view, it was reasonable for the defendant to wish to collect the information concerned. The Tribunal commented that: "Principle 1 is intended to set a standard that is workable and achievable, having regard to the circumstances of each case."9 Principle 1 is thus taken to set a standard of reasonable rather than absolute necessity, which in practice works itself out as something that is "high desirable". This important information privacy principle, although non-derogable, therefore offers little protection for people such as employees who are not in a strong position to object to the collection of their personal information.
In New Zealand, there are few legal controls on surreptitious video or audio recording in the workplace -- or elsewhere for that matter. There is a prohibition against the carrying out of surveillance by private investigators without the subject’s written consent,10 and a prohibition against the surreptitious use of video cameras that also have audio recording capabilities.11 Although the Privacy Commissioner has long assumed that surreptitious recording is covered under the Privacy Act,12 this view is arguably mistaken.
The Privacy Act does not limit the use of surveillance cameras or surreptitious audio recording because of a loophole in the legislation, whereby personal information obtained through such practices is not actually “collected” in terms of the Act. The term “collect” in the Privacy Act is defined as excluding the “receipt of unsolicited information”.13 Information obtained through surveillance or other forms of surreptitious recording is not solicited from the subject.14 Video cameras, for example, are focussed on particular physical areas and capture on film whatever takes place within that space. Since what is captured is unsolicited, it is not “collected” in terms of the Privacy Act. Therefore, the various requirements and limitations relating to the collection of information that serve to promote individual autonomy cannot apply to surveillance techniques.
The Court of Appeal took this approach to the concept of “collecting” information under the Privacy Act in Harder v Proceedings Commissioner,15 which dealt with surreptitious audio recording. In that case, a woman rang her former partner’s lawyer to discuss the settlement of a dispute. The lawyer recorded what the woman had to tell him. The Tribunal that heard the woman’s complaint at first instance found that the lawyer was collecting information in terms of the Privacy Act from the moment he switched on the tape recorder. The Court of Appeal disagreed, finding that the information volunteered by the woman was not “collected” in terms of the Act. From the lawyer’s point of view, the information disclosed by the woman was unsolicited, and so in terms of Privacy Act, the lawyer was merely in “receipt of unsolicited information”. The Court of Appeal majority remarked that “The unsolicited nature of the information was not affected by the fact that it was recorded or the way it was recorded.”16
The Privacy Act is technologically neutral. Accordingly, there is no difference in principle under the Privacy Act where information is obtained by human eyeball and retained in one’s memory, or whether it is obtained by an automated eyeball and retained on tape: so long as the information received is not “solicited” from the subject (which arguably is always the case when surreptitious or continuous recording is carried out), there is no “collection” of personal information in terms of the Privacy Act.
The omission of specific coverage for surveillance activities is consistent with the limited scope originally contemplated for the legislation, as indicated by the debates in the House of Representatives. The chairman of the subcommittee considering the original Bill remarked to the House that the legislation was not intended to cover the entire area, and stated that “snooping or prying into people’s private affairs, whether by electronic eavesdropping or by entry on to private property by telephoto lenses or other technological devices probably at some time would need further consideration by the House.”17
Although the Privacy Act principles that relate to the collection of personal information do not apply to surreptitious recording, the principles relating to the holding, use, and disclosure of personal information thereby obtained (principles 5 – 11) will still apply. However, it is the actual collection of such information -- the fact that it is done and the manner in which it is done -- that raises the greatest privacy objections.
Even if surreptitious surveillance were covered under the Privacy Act, the legislation would be of little avail in the workplace, to judge by the one reported case on workplace surveillance where the Privacy Commissioner found it to be a permissible practice.18 The case dealt with an employee’s complaint about the surveillance of a work changing room in order to detect theft. The Privacy Commissioner found that the employer was not obliged to take reasonable steps to ensure, in accordance with principle 3 (“Collection of information from subject”), that the employee was aware that the surveillance was being undertaken. This was on the basis of a number of exceptions to that principle that illustrate its ineffectiveness for imposing any kind of control over surveillance activities. The Privacy Commissioner found that:
“it was not reasonably practicable to draw the fact of filming to the complainant’s attention as the video surveillance was intended to film covert and unlawful behaviour” (principle 3(4)(e));
“it would have prejudiced the purpose of collection if the complainant had been told that he was being filmed prior to the surveillance taking place” (principle 3(4)(d));
“non-compliance with Principle 3 was necessary to gain sufficient evidence of theft to enable prosecution of an offender before a Court” (principle 3(4)(c)(iv)).
Moreover, the Privacy Commissioner found that the way the information was collected did not breach principle 4 (“Manner of collection of personal information”) because:
“the use of the video camera to collect information was lawful;
the agency had taken steps to minimise the extent of surveillance;
the locker room was not a private space intended for the removal of clothing;
in the videotape viewed the complainant had only been recorded removing his outer clothing therefore this limited amount of filming without the use of sound was not an ‘unreasonable’ intrusion upon the complainant’s personal affairs; and
given the need to identify the source of the stolen property and that the video camera was used solely for this purpose the covert surveillance was not unfair.”
In contrast to the lack of provision in the Privacy Act for any meaningful controls over surveillance activities, employment law provides for standards of due process that regulate how the employer ought to conduct itself once adverse information obtained though surveillance is proposed to be used. Thus, in one case decided by the Court of Appeal, a dismissal was found to be unjustifiable where an employee was surreptitiously observed shirking her duties and then entrapped into providing the employer with false information as to her work performance.19 In another case, an employee’s resignation in response to being the subject of surveillance was found to amount to an unjustified (constructive) dismissal.20 The employer had failed to explain to the employee why he was being investigated following its botched attempts at surveillance (which included a high-speed car chase). The Employment Tribunal held that although the employer was entitled to carry out the surveillance, once the employee detected it, he:
… was entitled to know the depth of the respondent’s suspicions and distrust so that he could see whether there was some reassurance he could give to clear up any simple misunderstanding, or whether a more deep seated reason lay behind the distrust. An explanation, if given, may have gone some way to repairing the loss of confidence and trust caused to [the employee] by the respondent’s actions. [The employee] was also entitled to a proper opportunity to explain why the respondent’s apparent distrust of him was unfounded.21
Employee bag and vehicle checks
The Privacy Commissioner’s handling of a union complaint concerning bag and vehicle checks illustrates that the privacy principles have a minimal, but still some effect, on such practices.22 The union complained that the checks were inconsistent with the relevant employment contract, which provided that company personnel “shall not search cars, lockers, bags or any other items belonging to an employee without his/her consent and in his/her presence.” The inspection policy provided that all individuals entering or leaving the site were invited to allow a security guard to inspect bags and vehicles. The security guard was only permitted to view the contents, not rifle through belongings. Where there was good reason to suspect that a person had company property, the vehicle or bag would be searched. The search would only take place if the individual consented, in accordance with the employment contract.
The company explained that its policy complied with health and safety legislation, and that there was a need to maintain security. These concerns were based on a bomb threat that involved an evacuation of the workplace and the consequent loss in production. The employer was advised by the police to improve its security measures. There were also concerns about drug and alcohol use where heavy machinery was being operated; weapons being brought into the workplace; and thefts of company property over a number of years.
The Privacy Commissioner’s investigation indicated that there were no longer any serious threats to the safety of those at the workplace. Accordingly, the company decided that inspections of people entering the site would no longer take place. The Privacy Commissioner found, however, that the inspection of workers leaving the site was necessary in terms of principle 1 to ensure the security of company and staff property. Nevertheless, the Privacy Commissioner formed the view that the searching of handbags raised concerns about the manner in which information was being collected (principle 4). If the company was particularly concerned about the theft of large and expensive items, such as laptops, it was not acceptable that handbags should be searched if such items could not fit in them. Otherwise, the Privacy Commissioner found the practice acceptable, as the company had notified the policy to staff and explained why it was implementing it, as well as the consequences of non-compliance. The company regarded the search process as voluntary, with individuals having the option of leaving bags and cars outside the site if they did not want to be searched.
Monitoring of e-mail and internet use
There are several New Zealand employment law cases dealing with employees who have been dismissed for inappropriate use of internet facilities.23 The Privacy Act, however, has not played any significant role in these cases. In the earliest case,24 an employee was dismissed for allegedly harassing a female fellow staff member. The employer relied, in part, upon the employee’s e-mail correspondence with the woman as evidence. The dismissed employee sought an interim injunction to continue work pending the outcome of the case. He contended that the dismissal was improper and contravened the Privacy Act. The Court held that there was “an arguable case for procedural unfairness in this particular context.”25 Subsequent cases, however, have turned not on the Privacy Act at all, but on such factors as employer training and policies regarding internet use,26 the nature of the use (messages containing sexual innuendoes and surfing the net for pornography being particularly frowned upon),27 length of service,28 and rights of free expression during industrial negotiations.29
There are no obvious privacy rights per se in respect of employees’ e-mail or other internet use, but the justifiability in terms of employment law of any disciplinary action turns on whether the employee had a reasonable expectation of privacy, and the extent to which the employer has set clear bounds. The emphasis is on fairness and due process, rather than any rights stemming from the Privacy Act.
Adding to the irrelevance of the Privacy Act in this context is the technical issue whether an employer who gathers information about an employee’s internet use is actually “collecting” information in terms of the Privacy Act. This is because the employer already holds this information in its computer system. The information will also likely to be “unsolicited” information (and so it falls outside the Act’s definition of “collect”). Therefore, the rules relating to individual notification, and the requirement that the retention, use and disclosure of such information must relate to the original purpose for collecting it, do not apply. Any rights that an employee has in this area stem from employment law, not from the Privacy Act.
Drug and alcohol testing
As a privacy advocate, the Privacy Commissioner has been at the forefront in opposing random drug testing in the workplace.30 There have been no reported Privacy Act complaints, however, arising from either drug or alcohol testing,31 and it is doubtful whether the Act could be invoked to limit such testing in any case. So long as the testing is for a lawful purpose connected with a function or activity of the employer and is necessary for that purpose (principle 1), and is carried out fairly and does not intrude unreasonably into the individual’s personal affairs (principle 2), then testing could not be impugned under the Privacy Act. For better or worse, workplace testing can generally be viewed as reasonable simply on the basis that it is already a widespread practice, and that it ostensibly addresses productivity and health and safety issues. Moreover, in principle at least, testing is a consensual activity, despite the likelihood that an unreasonable refusal to undergo testing will mean losing one’s employment.
In New Zealand, therefore, the permissibility of drug and alcohol testing turns on employment law rather than on privacy law. Unless specifically provided for in an employment agreement,32 an employer would be faced with real difficulties if an employee refused to submit to a test, particularly random testing where there is no reasonable cause for conducting it in the first place. The employer cannot physically compel the worker to undergo testing, and could only take disciplinary action if a refusal to be tested was unreasonable in the circumstances. If the employer decides to dismiss the worker, the issue then becomes whether or not the employer was substantively and procedurally justified in doing so. The Privacy Act does not provide any guidance as to what would be fair and reasonable in such circumstances. Like employment law, it simply requires that any collection of personal information be undertaken in a fair and reasonable manner (principle 4). No new substantive rights can emerge from such circularity.
In an interim injunction case where the employee sought reinstatement pending substantive determination of his unjustifiable dismissal case,33 the Employment Court did not find anything amiss where drug testing was carried out in a procedurally fair manner and in a safety-sensitive context. The Privacy Act was not cited.
Inquiries into employee misbehavior
Where an employer collects information in connection with the investigation of employee misconduct, much leeway is permitted as to what is “necessary” to collect in such circumstances in terms of principle 1. Thus, the predecessor body to the Human Rights Review Tribunal did not find any fault in a case where it was claimed that the employer was collecting information that was not necessary for the investigation of a sexual harassment allegation against an employee.34 The information concerned included information about the drinking habits of the employee’s father and the employee’s sexual preferences and dating habits. The Tribunal found no breach of principle 1 because the employer’s inquiry was informal and preliminary in nature. It was intended merely to determine whether the sexual harassment allegation was vexatious or not. The Tribunal commented that “Informal inquires such as these will often elicit information which is irrelevant to the purpose of the inquiry because information will be volunteered which would otherwise not be sought.”35
The Tribunal found that the collection of personal information about the employee was necessary for the employer’s purpose of investigating the allegation of sexual harassment, which the law required the employer to address. The Tribunal stated that once it was satisfied that a collection of information was necessary for fulfilling this purpose, it could inquire no further into the matter, determining which bits of information should have been received, and which not.
Disclosure of personal information
Employment law is probably just as effective as the Privacy Act, if not more so, in protecting employees’ privacy interests against inappropriate disclosures by employers to third parties. In one employment law case,36 the employee, a homosexual, had been inadvertently “outed” by his employer. The employee successfully proved a sexual harassment grievance against his employer on the basis that he was subsequently harassed by others because of the disclosure. Moreover, the employee also succeeded in establishing his claim for unjustified dismissal on the basis that he had been constructively dismissed: he resigned because he had been placed in a highly vulnerable position by his employer, who then failed to mitigate the effect of the disclosure. In the result, the employee’s compensatory award was exceptionally high by New Zealand standards. In another case,37 the employee was successful in her grievance for unjustifiable disadvantage because her home telephone number was given out in error to creditors of her employer without her consent.
The one reported complaint under the Privacy Act concerning an employer disclosure of employee information was not resolved in the employee’s favor.38 The complainant alleged that management started a rumor in the workplace that she was about to leave her employment in a Government department. The employer acknowledged that a conversation between a manager and a supervisor was overheard, but it was not certain whether or not this was the origin of the rumor. The Privacy Commissioner, found, however, that “the nature of the information that was disclosed during this incident was information other staff members were entitled to know.” He went on to comment that “Managers need to inform staff members when an employee is leaving as it may have implications for the workload of other staff.”
Access to personal information
Under the Privacy Act, employers have an obligation to grant individuals access, upon request, to their own personal information (principle 6), unless one of the “good reasons for withholding” in the Act applies. This has proved to one of the most valuable aspects of the Privacy Act for workers, particularly those who wish to collect information about themselves from a former employer when contemplating legal action for unjustifiable dismissal. This right is quite useful for assessing whether there is sufficient evidence to proceed against one’s employer before actually committing oneself to commencing proceedings. Thus, employees can seek access to the employer’s diary notes, internal memoranda, performance appraisals, details of personnel decisions, and the like.
The right of access to personal information is subject to a number of “good reasons” for refusing disclosure.39 However, only two of these “good reasons” are likely to arise in the ordinary employment context.
1. Protection of another person’s privacy
One very important exception to an individual’s right of access to personal information arises where disclosure of the information “would involve the unwarranted disclosure of the affairs of another individual”.40 In employment complaints concerning disparity of treatment, information concerning the treatment of others in similar situations would be “warranted” so the individual can see whether or not there has been fair treatment.
The disclosure of information about another person may also be warranted where another individual has informed upon or has otherwise provided information (such as a performance assessment) about the individual concerned. Information about successful job applicants may also be made available.41
The disclosure of another person's wages, salary, or redundancy payment is normally "unwarranted", but in some circumstances (particularly in the interests of public sector accountability) may be disclosed in a non-specific way, such as in $10,000 bands.42
2. Employment references
In New Zealand, confidential references can normally be withheld from the individual concerned on the basis that they constitute “evaluative material” supplied under an express or implied promise of confidentiality.43
The balance between managerial prerogative and workers’ privacy interests in New Zealand is largely determined against a backdrop of the usual dynamic of employer superiority. The employer’s requirements tend to function as the “default” position, so that it can normally rely on its right within the employment relationship to make its business run effectively and profitably. This right may allow it to do such things as open employee's mail, monitor e-mail communications, and carry out searches of desks, lockers, and bags. The employer will also have the right, based on the employee's duty of fidelity and obedience, to demand accountability for the employee's actions and activities, both on and off the job, where that affects a legitimate interest of the employer. Privacy legislation in New Zealand generally tends to reinforce this position. With a few notable exceptions, such privacy rights as do exist are more likely to stem from employment law itself than from the Privacy Act.
Where its activities are likely to breach the information privacy principles, the employer may be able to procure the authorization or acquiescence of the individuals concerned. In practice, therefore, the information privacy principles do not form a very effective bar to privacy intrusions. Experience with the Privacy Act has shown that job applicants who have failed to obtain employment and employees who have been dismissed tend to be the main beneficiaries of the rights conferred under the legislation. It is for this reason that privacy rights in the workplace need to have express protection and be non-derogable if they are to have much potency in the workplace.44 There is no indication, however, that such a rebalancing of employment relationships in favour of such privacy rights is a realistic prospect at present in New Zealand.
This is not to say that the Privacy Act has had little practical impact on employee's workplace privacy interests since its enactment. It appears to have functioned largely ad terrorem, with employers generally being reticent to take bold initiatives that might fall foul of the Privacy Act. The possibility of incurring expense or loss of goodwill through the breach of untested legislation has acted as a powerful deterrent. In truth, however, the legislation’s bark is worse than its bite.
In the final analysis, it is employment law that is probably best suited to deal with employment issues, though of course it can be informed by privacy law and standards as to what is a reasonable or unreasonable practice.