Dated January 2003
This document is at http://www.privacy.org.au/Papers/SubmnVLRC0212.html
The Australian Privacy Foundation fully supports the introduction of legislation to protect the privacy of workers. We have voiced strong opposition to the exclusion of private sector employee records from the personal information that the Privacy Act 1988 (Cth) covers. We welcome the attention that the Commission is giving not only to information privacy but also to surveillance, testing, and searching in the workplace. The lack of protection from these types of invasive activities is a community-wide problem that is becoming more acute as boundaries shift between the workplace and home, and between work time and leisure time.
The discussion of how to define privacy provides a useful examination of the concepts and language associated with debates about privacy. We have long argued that privacy is a right and a social value, and we agree with the Commission that this should be underpinned by law. The debate is too often presented as a need to trade off individual interests against community interests, even when the legislation specifies otherwise.[1]
However, while the definition produced provides a baseline description of privacy, we are not sure that it will be sustainable as the Commission develops its recommendations for law reform.
We suggest that the definition recognise more directly the importance of the person's expectations and wishes. Rather than - or in addition to - the negative right of not being treated as an object, perhaps the definition could also incorporate the individual's right to determine the boundaries between the public and private realms of his or her life. When someone else is involved in drawing those boundaries, the person should know who is drawing them and where they are.
As the paper points out, determining what is an invasion of privacy depends on the context. It is unlikely that any definition will suffice and the real task becomes to determine which aspects of the context are significant.
The tests that the paper proposes for assessing whether a particular workplace practice is an invasion of privacy are a reasonable start but not complete. They include the need to consider the context in which the practice occurs, but do not discuss which aspects of the context are important.
The privacy principles on which information privacy legislation has been based for many years both in Australia and overseas can be applied when trying to ascertain whether any practice is privacy-invasive. While the wording and strength of the privacy principles vary from one jurisdiction to the next, the underlying elements are consistent. Many are encompassed by the broad principles set out in Chapter 5 of the paper, but the most important appears to be overshadowed: the primacy of purpose. The purpose of the activity is the reference point for determining what is reasonable, proportional, fair, and an acceptable balance of interests. When considering 'context', this should come first.
For example, the fundamental questions should include: Why is this activity necessary? Can the purpose be served in another, less privacy invasive, way? Will this activity continue to take place only for this purpose or will it serve another purpose as well? Is the purpose lawful? Do the other purposes meet the same tests of necessity, lawfulness and proportionality? What safeguards are there to prevent the activity serving unauthorised purposes? Does the individual know not only about the activity but the purpose as well? Is the purpose ongoing or is there an end-date?
The Australian Privacy Foundation believes that privacy protections should not depend on the employment status of the individual.
We also consider that distinctions do need to be made between overt and covert surveillance. While all instances of surveillance must be justified in the circumstances and subject to minimal controls, covert surveillance in particular should be regulated by law. It is an extreme form of privacy invasive activity and the law should recognise it as such.
The case studies set out in the paper are all privacy-invasive. Each can theoretically be justified and also condemned. They all illustrate the need for privacy law to provide the framework to put theory into practice in a variety of circumstances and regardless of the technology being used. As noted above, we consider the starting point for the framework to be the privacy principles that already exist in legislation.
We consider the Privacy Act 1988 (Cth) is a flawed piece of legislation for a number of reasons, not least of which is the exemption of employee records. However, it is in place and has provided a model for subsequent State and Territory privacy legislation as well. For this reason, we believe any new laws for workplace privacy should complement existing laws for information privacy.
While the National Privacy Principles do require information to be collected lawfully, fairly and not in an unreasonably intrusive way, this is not adequately defined or regulated in current legislation. New laws on surveillance, testing, and searching could complement and strengthen the principles in this regard. They could also clarify and regulate how information collected as a result of these activities may be used. For example, they could address the problem of coerced consent, whereby employees (and consumers) effectively are given no choice but to agree to certain action being taken.
We support regulation to protect privacy. Privacy is a right that must be respected across the community. It should not depend on where the person lives, what type of employment they undertake, their employment relationship or even whether they are employed. Privacy protection for 'workers' should apply equally to permanent, casual, full time and part-time, temporary and volunteer workers. Minimum standards should apply in all cases to ensure that the objectives of introducing new laws are not subsequently lost by negotiation, intimidation or disinterest. We agree that there are some minimum privacy rights which should not be allowed to be 'bargained away'. All individuals should have access to an objective and accessible complaint-resolution service, such as could be provided by the privacy commissioners were they sufficiently resourced.
We agree with the broad principles of balance; minimum standards; transparency; proportionality; flexibility and certainty. Of these, proportionality is particularly important as the need for balance will often justify some privacy intrusion or surveillance. A strong proportionality principle is necessary to ensure that only the minimum level of intrusion or surveillance is applied to the minimum number of workers on as few occasions as possible.
The form of the new laws could vary, from amendments to existing laws to the creation of new ones, but we maintain that regulation is necessary. We note that, even in excluding private sector employee records from coverage of the Privacy Act 1998 (Cth), the federal government was not suggesting that there was no need for workplace privacy to be protected by law. The government merely asserted that it was better dealt with under employment and workplace relations law, but as the paper demonstrates there is no sign of this being the case or in prospect. In the absence of action by the federal government we believe that individual States and Territories should legislate for workplace privacy protection.
Created: 7 February 2003
Last Amended: 7 February 2003