Employer monitoring or hacking?

Remember the recent reports of employers asking employees (and job applicants) for Facebook passwords? While such a tactic may be overbearing, a local incident reported in a recent Privacy Commissioner Case Note went even further.

In the case, Case note 229558 [2012] NZ PrivCmr 1 : Employer uses monitoring software to collect personal information, the employer installed monitoring software to record the employee’s activities on his work computer. That in itself is not particularly unusual, and is often provided for in employment contracts.

However, the employer also used a keylogger to record the employee’s password for his personal webmail. The employer then accessed the webmail and copied a number of emails. The Commisioner said:

When the employer accessed the man’s personal email account, it was able to obtain information in relation to a significant number of emails sent over a period of several years.

This went well beyond any information that may have been relevant to the employment investigation. We formed the view that the employer had breached principle 1, because the collection was unnecessary and disproportionate to the employer’s needs.

What about employment policies and the like? In this case, the employment contract did specify that computer use could be monitored. However the Commissioner said:

We were also satisfied that the employer’s policies were not explicit enough to make an employee aware that if they entered a password into the computer, the employer would be able to use this information to collect further information not held on the work computer. We formed the view that this also breached principle 3.

There would need to be a high level of detail and notice before an employer could legitimately install a keylogger to secretly capture the password to a personal email account, and then unilaterally access that personal account and download emails.

In the end, the matter settled at mediation. Reading between the lines, the case probably involved the not uncommon situation of unauthorised copying of work information, and the employer may have felt justified in doing what he/she did.

However, employers must be very careful about attempting to “hack” employee’s personal email accounts not held on company equipment (even where access is made via a work computer). Besides the potential for breaching the Privacy Act, there is also the risk of criminal prosecution for accessing a computer system without authorisation (s 252 of the Crimes Act). This will not be an issue when it is the company’s own computer system, but it may well be an issue when accessing another computer system, such as a web-based email account.

Employee vs contractor – IP implications

Computerworld reports on an employment dispute involving a web developer:

The case, heard by the Employment Relations Authority late last year, hinged on whether Michael Oliver, who did development work for Palmerston North firm Autoweb Solutions, was an employee or a contractor. The Authority determined he was an employee.

The employee/contractor distinction is an important one, and has been the source of a number of court disputes. While the Autoweb case was simply a wage dispute, the employee/contractor distinction could also potentially have intellectual property implications.

The default position under section 21 of the Copyright Act is that (most) copyrightable works created by an employee “in the course” of employment – e.g. software – are owned by the employer (whether or not the employee is actually paid). This is not the case if the person creating the work is a contractor. In that case, the so-called commissioning rule applies (see Copyright ownership and software development). If a developer had been “hired” (as an employee or contractor) to write some specific code, then the employer/hirer will likely have commissioned the work and will therefore own in.

But the situation could easily become more murky, with the possible result that a non-employee developer owns copyright in code they produced for their principal (though not in a “commissioning” situation) – for an example, see “Free design” and the commissioning rule. This cuts both ways: contractors should be careful not to be deemed employees in order to avoid the risk of IP created in the course of a project being inadvertently owned by their “employer”. Note that the words “in the course” are important, as discussed in the recent ERA case of Abbott v Chief Executive, Whitireia Polytechnic [2010] NZERA 766.

As is often the case, a proper contract is the answer – though as the Autoweb case makes clear, it is the substance of the relationship not the labeling of it that is determinative. In the case of employees, it is a legal requirement that there be a written employment contract. Contracts with contractors should clearly state which party retains any resulting IP.

Tech Law news 26 March 2010

Restraints of trade in employment

Computerworld reports on an Employment Relations Authority decision upholding a restraint of trade clause for a former IT account manager. Restraint clauses are common in the IT industry, as in others, and can be particularly important given the significance of IP and know-how in the IT sector. The article notes that the decision “belies the commonly-held belief that restraint of trade clauses are difficult to enforce”. It is true that the ERA and the Courts will strike down or limit unreasonable restraint clauses, but in recent years the Courts have tended to uphold restraint clauses. The conduct of the parties post-termination is also likely to be relevant, with “bad behaviour” on either side likely to be taken into account by the relevant authority.

Website terms

My latest Computerworld article is now online: Analysis: Cases clarify requirements for website terms of use

Facebook privacy investigation

The EU is investigating whether posting photos and other information about people on Facebook without their consent is a breach of privacy law. Privacy is a rapidly developing area, and the EU (for better or worse) leads the world in this area. The policies adopted in the EU are likely to influence privacy policy in other jurisdictions, including New Zealand where the Law Commission recently recommended leaving privacy to develop at common law (i.e. develop “organically”). It is reasonable to expect that with privacy, where Europe goes, the UK will go; and where the UK goes, New Zealand will eventually go.