Accessing an employee’s personal email account via information obtained from key stroke logs on their work computer

The Privacy Commissioner has issued a Case Note (229588) which advises that an employer should not have used key stroke monitoring to collect personal information from an employee’s (work) computer. The Privacy Commissioner considered that two issues were raised: information collected from the work computer, and information collected from the employee’s personal email account.

Information collected from the work computer wasn’t an issue as such, as both the employment agreement and manual clearly set out that work computers would be subject to monitoring. However, the employer did not advise the employee that specific information from keystrokes would be collected, so this was a breach of Information Privacy Principle 3.

In terms of the employee’s personal email account, the employer had accessed emails in the personal account by using a password that it had collected from the employee’s keystroke information. This was held to have breached the following Information Privacy Principles:

  • Principle 1 (purpose of collection) because accessing personal emails that went back over several years was unnecessary and disproportionate to the information that may have been relevant to an employment investigation;
  • Principle 3 (collection from subject) because the policies were not explicit enough to make an employee aware that if they entered a password on the computer, the employer would be able to use that information to access information not held on the work computer;
  • Principle 4 (manner of collection) because the manner of collection was unreasonably intrusive.

The employee’s complaint was resolved at mediation once the Privacy Commissioner advised the employer of these views.
