Employer monitoring or hacking?

Remember the recent reports of employers asking employees (and job applicants) for Facebook passwords? While such a tactic may be overbearing, a local incident reported in a recent Privacy Commissioner Case Note went even further.

In the case, Case note 229558 [2012] NZ PrivCmr 1: Employer uses monitoring software to collect personal information, the employer installed monitoring software to record the employee’s activities on his work computer. That in itself is not particularly unusual, and is often provided for in employment contracts.

However, the employer also used a keylogger to record the employee’s password for his personal webmail. The employer then accessed the webmail and copied a number of emails. The Commissioner said:

When the employer accessed the man’s personal email account, it was able to obtain information in relation to a significant number of emails sent over a period of several years.

This went well beyond any information that may have been relevant to the employment investigation. We formed the view that the employer had breached principle 1, because the collection was unnecessary and disproportionate to the employer’s needs.

What about employment policies and the like? In this case, the employment contract did specify that computer use could be monitored. However, the Commissioner said:

We were also satisfied that the employer’s policies were not explicit enough to make an employee aware that if they entered a password into the computer, the employer would be able to use this information to collect further information not held on the work computer. We formed the view that this also breached principle 3.

There would need to be a high level of detail and notice before an employer could legitimately install a keylogger to secretly capture the password to a personal email account, and then unilaterally access that personal account and download emails.

In the end, the matter settled at mediation. Reading between the lines, the case probably involved the not uncommon situation of unauthorised copying of work information, and the employer may have felt justified in doing what he/she did.

However, employers must be very careful about attempting to “hack” employees’ personal email accounts not held on company equipment (even where access is made via a work computer). Besides the potential for breaching the Privacy Act, there is also the risk of criminal prosecution for accessing a computer system without authorisation (s 252 of the Crimes Act). This will not be an issue when it is the company’s own computer system, but it may well be an issue when accessing another computer system, such as a web-based email account.