Journal of Law, Information and Science
|
|
Home
| Databases
| WorldLII
| Search
| Feedback
Journal of Law, Information and Science |
|
JIM TEALBY[*]
Email at work is not private. The question is whether it should be.
This paper take a particular fact situation where an employer looks at the email sent and received by an employee in order to provide a defence for a possible baction by the employee for unfair dismissal and applies the regulatory framework presently existing in Australia.
The conclusions reached are as follows:
The voluntary codes (i.e. The Australian Privacy Charter, The Internet Industury Association Code of Practice, National Principles in the Fair Handling of Personal Information) do not provide adequate protection to employees in the private sector. The Telecommunications Act 1997 appears to be limited in its application to eligible carriage service providers. S7 of the Telecommunications (Interception) Act 1997, on one interpretation may be being breached by intermediary computers in a local area network and create a civil cause of action for the employee under s107A. Trespass to intangible property is beset by a number of difficulties including initially establishing personal property in the communication. Internal electronic communication policies are inevitably going to be limited in circumstances where they try to regulate messages received from an external source.
Clear legislation dealing with privacy rights in electronic communication is needed in the private sector so that employees know where they stand.
Privacy has been described as:
The interest of the individual in deciding for himself how much of his personal life he will share with others, that is, to decide for himself whether personal information will be communicated to others, and if so to whom, when, how and to what extent.
...the notion of Privacy extends beyond the concept of preventing a person from going
through one's underwear drawer. It may encompass the ability to deliver information to a colleague without a third person being able to see it, ... [1]
Privacy on the Internet is a concern. And if it is not, it perhaps should be.
The specific privacy concerns individuals have with the Internet are numerous and include at least the following;
1. Concerns with respect to credit card information provided for on-line purchases. Services are now being made available which promote themselves as providing secure methods of conducting financial transactions but the writer is not aware of any of them guaranteeing it. There is an argument that many off-line transactions such as using a credit card over a phone are not secure, as they presuppose the person to whom the details are provided will not misuse those details. The Internet however provides the opportunity for such misuse to take place on a vast scale.
2. Concerns regarding what information are provided via cookies, and in particular what is done with the information once it is obtained.
3 Concerns that hardware manufacturers such as Microsoft/Intel have designed their hardware so that it provides information via the Internet back to the manufacturer which it can then use for marketing purposes;
4. Concerns with what is done with personal information provided over the Internet via on-line surveys or otherwise;
5. Concerns with what information is provided by organisations with which people deal off-line. As an example I conducted a search on the name of a person who I knew did not use the Internet. It turns out this person came 67th in the Noosa Triathlon in 1998 and the information provided included that person’s home suburb. For what possible purpose was the address information provided?
6. Concerns with what information is available to those suitably motivated to try to hack into an organisation with which a person deals, such as a bank or financial institution. Due to the nature of such organisations and the intention of the hackers, such breaches are unlikely to be made public (as opposed to the recent intrusion into the FBI web page).
Concerns 1 & 6 essentially involve legal issues, for which there would be remedies if ever the illegality is discovered.
Concerns 2 to 5 inclusive essentially involve the use of what amounts to marketing information. The Internet is a godsend to direct response marketers. It provides endless opportunities for the collection of demographic and interest-related information at a nominal cost. The potential for businesses that wish to engage in marketing lists are virtually unlimited. Via email it also provides a very low cost method of dealing directly with the market. The regulation of such marketers and spamming is outside the scope of this paper.
Each of the concerns expressed above (apart perhaps from 5) essentially involve what the writer will refer to as ‘patent’ concerns. That is, they are obvious to anyone with some Internet exposure turning their mind to the issue. This paper is concerned with a ‘latent’ concern - one that is not apparent to all with some Internet exposure - Email and privacy at work.
Email at work over a local area network is not private. Even if email is deleted and the ‘trash bin’ is quickly ‘emptied’, that does not mean that the system administrator will not be able to access the message. The technical method by which the administrator would access such files is beyond the scope of this paper and, indeed, varies depending upon the computer software used. Suffice it to say, and for the purposes of this paper it is assumed, that whoever has access to the network server as the system administrator (inevitably an employee of the company) has access to email messages that are sent or received.
Quite often employers will stress to their staff that, when leaving their desks, they should not leave their computers turned on as that may allow others to access their email. Does that give the impression, at least by implication, that if staff do not allow others to access their computer, then the privacy of email contained via that login is preserved?
How many organisations specifically state:
“You should not leave your computer logged on because that will allow others to access your email (and send it in your name) but your email is not private anyway because we can access it via the network server if we wish to”.
...In general, it should be understood that a computer system as the employers property is ultimately under the control of the employer. That said, there is undoubtedly an expectation - as there is an expectation by employees concerning the privacy of their lockers and desk drawers - that an employee’s email will be confidential if the system is established in a manner which represents to its users that it is secure......Most importantly, consultation with employees and unions in relation to email policies and the implementation of well-publicised and understood policies.[2]
The easiest way to look at such an issue is by way of case-study. For that purpose let us assume the following fact situation which is based closely on a situation that actually occurred.
A company decides to dismiss one its employees on the basis of ‘not really fitting in’ with the organisation. The company advises the employee that their services are no longer required, effective immediately. The company does not have a published electronic communications policy. The company then, through its network server (and potentially back-up tapes), examines the email the employee has been sending and receiving in order to find some evidence of misconduct for its own defence if the employee decided to take action against it for unfair dismissal. It is assumed for the purpose of the example that the company has not been monitoring the employee’s email prior to making the decision to terminate his employment and accordingly, the termination was not a consequence of any such email.
Ignoring industrial relations issues, was the company entitled to act in the way it did in examining the email? The employee was using company hardware and software for the purpose of sending the email (let us assume for the moment the employee was not also using company time which again is a separate issue and more to do with industrial relations). Is there any basis upon which the employee might assert that such communications were private and confidential? Were there any rights being breached and if so what were they? If the employee was able to stipulate that the message was private in some way, would that result in some form of action for its breach?
The following paper will look at the common law (briefly), the legislative framework and guidelines in Australia relating to privacy to see whether the employee has any rights[3] in such a situation.
The only reported decision of which the writer is aware resembling the above fact scenario is MICHAEL A. SMYTH -v- THE PILSBURY COMPANY,[4] a decision of the United States District Court for the Eastern District of Pennsylvania.
In that action the plaintiff was an employee of the defendant who claimed he was wrongfully discharged from his position. The defendant had assured its employees that all email communications would remain confidential and privileged and could not be intercepted and used by the defendant against its employees as grounds for termination or reprimand (the fact that those representations were made indicates in itself that an employer’s use of employee’s email for termination of employment was a live issue in the US at least as early as 1994).[5]
The plaintiff exchanged emails with his supervisor from his computer at home in October 1994. On 17 January 1995 the defendant notified him that his employment was terminated for transmitting what it deemed to be inappropriate and unprofessional comments over the defendant’s email system.
The plaintiff claimed that his termination was in violation of public policy, which he argued, precluded an employer from terminating an employee in violation of the employee’s right to privacy as embodied in Pennsylvania common law. In particular, the plaintiff relied upon the American tort of ‘intrusion upon seclusion’ which is defined in the Restatement (Second) of Torts as follows;
One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person. [6]
The plaintiff’s claim failed. The court did not find:
...a reasonable expectation of privacy in e-mail communications voluntarily made by an employee to his supervisor over the company e-mail system notwithstanding any assurances that such communications would not be intercepted by management.[7]
The court found that once the unprofessional comments were communicated over an email system utilised by the entire company any reasonable expectation of privacy was lost. They noted:
the plaintiff voluntarily communicated the alleged unprofessional comments over the company e-mail system. We find no privacy interests in such communications.[8]
The court further stated;
In the second instance, even if we found that an employee had a reasonable expectation of privacy in the contents of his e-mail communications over the company e-mail system, we do not find that a reasonable person would consider the defendant’s interception of these communications to be a substantial and highly offensive invasion of his privacy....by intercepting such communications, the company is not....requiring the employee to disclose any personal information about himself or invading the employee's person or personal effects. Moreover, the company s interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighs any privacy interest.[9]
The decision in that case should be confined to its jurisdiction, which suffers from a number of curious laws including;
1. Pennsylvania is an employment at-will jurisdiction and an employer may discharge an employee with or without cause, at pleasure, unless restrained by some contract.[10]
2. In the most limited of circumstances, exceptions have been recognized where discharge of an at-will employee threatens or violates a clear mandate of public policy,[11] though a public policy exception must be clearly defined and is apparently limited to just three which relate to jury duty, prior convictions and reporting violations of federal regulations to the Nuclear Regulatory Commission.
3. The law of Pennsylvania is clear, however, that an employer may not be estopped from firing an employee based upon a promise, even when reliance is demonstrated.[12]
The value in the decision (apart from providing cogent reasons why the writer will never seek to practice industrial relations law in Pennsylvania) is the way the court chose to view messages sent over what they refer to as ‘the company email system’, when the employee forwarded those comments from his computer at home.
The writer suspects the estoppel argument would find more force in Australia given the same fact situation.
The following pieces of Australian legislation and codes of conduct may be relevant to the issue in question:
The Privacy Act 1988 (CTH)
The Australian Privacy Charter[13]
Telecommunications Act 1997 (Cth)
Telecommunications (Interception) Act 1997 (Cth)
National Principles for the Fair Handling of Personal Information[14]
The Internet Industry Association Code of Practice[15]
It is proposed to deal briefly with each of those codes and pieces of legislation in turn.
The Privacy Act 1988 stipulates a number of Information Privacy Principles (or IPPs) under s14, the breach of which is an interference with the privacy of an individual under s13. The Privacy Act is limited however, in that it applies primarily to an agency which is defined in s5 to basically comprise a commonwealth government department or other commonwealth government body. It is understood that it is proposed to extend those information privacy principles to the private sector in legislation to be introduced in the near future.[16]
The Privacy Act also establishes the office of the Privacy Commissioner under Part IV.
The Privacy Act usefully defines personal information in s6 as:
information or an opinion … (including information or an opinion forming part of a database), whether true or not, and … whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Given that its application at present is limited essentially to the commonwealth public sector, it would appear to provide no assistance to the employee in the above fact scenario.
The Australian Privacy Charter was published by the Australian Law Reform Commission in December 1994 and relevantly provides:
7. Privacy of Communications
People who wish to communicate privately, by whatever means, are entitled to respect for privacy, even when communicating in otherwise public places.
8. Private Space
People have a right to private space in which to conduct their personal affairs. This right applies not only in a person’s home, but also, to varying degrees in the workplace, the use of recreational facilities and public places. [17]
That charter, while expressing a number of desirable principles, has no legislative force.
Section 276(1)(a)(i) is contained in Part 13 of the Telecommunications Act 1997 (Cth) and is entitled ‘Protection of Communications’. That section provides that an eligible person must not disclose or use any information or document that relates to the contents or substance of a communication that has been carried by a carrier or carriage service provider.
An eligible person under the act is defined under s271 to be:
(a) a carrier or its employees; or
(b) a carriage service provider or its employees; or
(c) a telecommunications contractor or its employees.
A carrier is defined under s7 to be the holder of a carrier licence granted by the Australian Communications Authority under s56. Under s52, persons who can apply for such a licence are limited to constitutional corporations (as referred to in s51(xx) of the constitution), eligible partnerships (where both of the partners are constitutional corporations) and public bodies.
A carriage service provider is one which provides a listed carriage service (s87) for carrying communications by means of guided and/or unguided electromagnetic energy (s7).
S274 provides that a reference in Part 13 to a Telecommunications contractor is a reference to:
...a person who performs services for or on behalf of:
(a) a carrier ; or
(b) a carriage service provider;
but does not include a reference to a person who performs such services in the capacity of an employee of the carrier or provider.
Pursuant to s246 of the Act each carrier and eligible carriage service provider must enter into a scheme providing for a Telecommunications Industry Ombudsman which scheme has provisions for enforcing the provisions in Part 13.
The gist of the above scheme appears to be that, unless the employee in the above example was employed by an eligible person as defined under s271 and the email in question was an external email - i.e. and therefore been carried by a carrier or a carriage service provider, the Telecommunications Act 1997 (Cth) would have no application in protecting the privacy of the employee in question.
The Privacy Commissioner, Moira Scollay in her article “Information Privacy in Australia - A national scheme for fair information practices in the private sector” referred to ...the substantial areas of the private sector which will already be covered by a statutorily backed scheme. Many businesses, such as retailers and financial institutions, in their capacity as service providers, will be subject to the privacy codes to be developed under the Telecommunications Act.[18] The writer assumes ‘to be developed’ does not mean the commissioner is proposing that such privacy codes already exist under that act - as outlined above, the privacy obligations under the Telecommunications Act are really very limited and, in the writer’s assessment do not extend outside of the eligible persons referred to in s271.
s6(1) of the Telecommunications (Interception) Act 1997 (Cth) provides as follows:
(1) For the purposes of this Act, but subject to this section, interception of a
communication passing over a telecommunications system consists of listening to or recording, by any means, such a communication in its passage over that telecommunications system without the knowledge of the person making the communication.
and s7(1)...
...A person shall not;
(a) intercept;
(b) authorize, suffer or permit another person to intercept; or
(c) do any act or thing that will enable him or her or another person to intercept;
a communication passing over a telecommunications system.
Exceptions provided in subsequent subsections of s7 relate primarily to employees of carriers installing equipment or police who have reasonable grounds for suspecting that another party to the communication has done an act which they should probably know about (i.e. kill or inflict serious personal injury, threaten to kill or cause serious property damage or suicide).
Telecommunications system is defined in s5(1) to mean:
(a) a telecommunications network that is within Australia; or
(b) a telecommunications network that is partly within Australia, but only to the extent that the network is within Australia;
and includes equipment, a line or other facility that is connected to such a network and is within Australia.
A telecommunications network is defined to mean a system, or series of systems, for carrying communications by means of guided or unguided electromagnetic energy or both.
A telecommunications service is defined in s5(1) to mean:
[A] service for carrying communications by means of guided or unguided electromagnetic energy or both, being a service the use of which enables communications to be carried over a telecommunications system operated by a carrier but not being a service for carrying communication solely by means of radiocommunications.
Patrick Gunning, in his article “Legal Aspects of Privacy and the Internet” has taken the view:
that ...To determine whether a communication is passing over a telecommunications system, it is necessary to identify the boundaries of that system and the form the communication takes at the time it is intercepted[19].
In particular, Mr Gunning was of the view that all equipment that is in Australia, up to and including the user’s PC, used in the connection of a user to the Internet will fall within this boundary.
The writer does not profess any particular technical expertise, though suspects Mr Gunning is correct, at least in the context of an individual user.
The important question is, does an Internet e-mail service come within the definition of a telecommunication service. Kent Davey is of the opinion that it does:
An Internet e-mail service would be a telecommunication service as it enables e-mail to be carried over the Australian Internet and other networks in Australia operated by carriers and service providers. The host computer which holds the mailboxes of users would form part of the Internet e-mail service as it is the means which enables e-mail to be carried over the Australian Internet and other networks
Kent Davey is also of the view that the effect of the definitions of telecommunications network and telecommunications system:
...would be that the Australian Internet and all computer networks within Australia including Local Area Networks and Wide Area Networks would be considered to be telecommunications systems whether or not they are connected to a telecommunications network by a carrier. Computers linked to the Australian Internet would also be part of a telecommunications system being equipment connected to a telecommunications network.[20] [21]
If that is correct, then it still needs to be determined whether the ‘intermediary computer’ has intercepted the email in question.
Mr Gunning was of the opinion:
interception of data stored by a computer involved in any communication does not contravene the legislation because the communication is not passing over a telecommunications system at that time;[22]
On the basis of the wide definitions of telecommunications system and telecommunications network contained in the act set out above and Mr Davey’s conclusions, it would appear that Mr Gunning may not be correct, if the computer referred to is an intermediary computer and the message is still ‘passing’.
Mr Gunning was also of the view that the interception legislation was:
...only potentially relevant to real time interceptions of communications -ie, in the context of the Internet, interception of exchanges that occur whilst a transmission channel between two computers is open.[23]
In respect to that issue and in the context of an intermediary computer, the writer suspects the recording referred to in s6(1) would be the more significant issue and one which would fall within the above provisions. If the intermediary computer makes a ‘cache’ copy of the message prior to the receiver receiving it, in the writer’s submission that message is ‘recorded’ within the meaning of the act whilst passing over a communications system.
The issue of intermediary computers has been considered judicially in the US.
Kent Davey refers to an American decision of Reed J in Bohach and Catalano v The City of Reno.[24] In that case:
...a US District Court considered whether the storage of copies of messages on an intermediate computer was an interception of the messages for the purposes of the ECPA [Electronic Communications Policy Act 1986 (US)]..... [25]
Reed J held that no interception occurred by reason of the storage of the messages on the server involved. He queried:
...how there could have been an interception in the ordinary sense of the word where no computer or phone lines have been tapped, no conversations picked up by hidden microphones, no duplicate pager cloned to tap into message intended for another recipient.[26]
If there had been an interception of the messages, Reed J was of the view that consent would likely be implied:
for one who sends a message using a computer must surely understand that the message will pass through the computer.[27]
After referring to his Honours comments Kent Davey goes on to state:
The storage of Internet e-mail in mailboxes of recipients and on intermediate computers is necessary for the transmission of messages over the Internet. Such storage of e-mail may not be an interception of the message for the purposes of the Interception Act as the storage would be unlikely to be without the knowledge of the person making the communication. The sender of e-mail probably impliedly consents to such storage by sending the message over the Internet. Where information relating to the contents of a communication has not been obtained by the interception of the communication the Act imposes no restrictions on the communications and uses which may be made of such information.[28]
With respect, the writer disagrees. The writer suspects that most people who use email are not aware that messages may still be retrieved from a network server even after such messages are deleted and the ‘trash’ in a typical program such as Groupwise, is emptied. The writer suspects that most people who use email in a network setting are not aware that their email can be obtained via the server. This is not to suggest that most people are ignorant. It is not unreasonable to expect that people who use a software application do not know the technical details of how the application works. By analogy, many adult people know how to drive a car, but is it reasonable to assume all those people understand how the engine works?
The writer also disagrees with Reed J’s comments with respect to there being an element of intention in the interception insofar as Kent Davey seeks to implicitly apply that reasoning to the Australian legislation. Interception is referred to in s6 which is set out above. Applying s15AB(1)(b)(i) of the Acts Interpretation Act 1901 (Cth), the writer can seen no reason why there would need to be recourse to the ordinary sense of the word in circumstances where the provision is not ambiguous or obscure. It is a technical act and s6 provides a technical definition of a very significant word within that act. The definition requires no clarification.
Section 6(2)(b) refers to an exclusion relating to:
...a communication that is being received at the service in the ordinary course of the operation of that telecommunications system.
The writer can see no reason why that part of the exclusion could not relate to the interception referred to in s6(1) if that was the intention of the legislature. Subsequent provisions could make the use to which any such communication was put as comprising the offence. In the alternative specific provision could be made for intermediary computers in local area networks. Changing legislation to take into account technological advances is not without precedent. A useful analogy would be the now recognised need in copyright law to make an exclusion for cache copies located on a computer which breaches copyright.
If the writer is correct, then employers running computer networks are in breach of s7 of the Telecommunications (Interception) Act 1997 and the act is in need of amendment. The employer in the above fact situation was in breach of s7 when the network server made a record of the messages, prior to their being viewed.
The writer is supported in his views of employers’ unwittingly infringing s7 of the Interception Act in maintaining a computer network by Graham Greenleaf in his article “Interception on the Internet – the risks for ISPs”. Mr Greenleaf also makes the very significant point that s107A of the act creates a civil right of action for breach of s7 for an ‘aggrieved person’ who is defined (under s107A(2) as “a party to the communication; or” where “…the communication was made on the person’s behalf”. Mr Greenleaf notes:
…a Court can award such relief as it considers appropriate (ss(4), (5)), including awarding damages (s7)) and even punitive damages (s(10))![29].
A person who contravenes s7(1) is also committing an indictable offence pursuant to 105(2) which carries a period of imprisonment for a period not exceeding 6 months (s105(4)).
The Australian Privacy Commissioner released a consultation paper, “A National Scheme for fair information practices in the private sector”, in August of 1997 in response to the decision of the Federal Government not to extend the Privacy Act 1988 to the private sector, but rather to help business “...in the development of voluntary codes of conduct to meet privacy standards”.[30]
In the overview provided in that publication by the commissioner she stated as follows:
The Scheme deals with the fair and responsible handling of personal information. Put simply, this means:
- informing people about why their personal information is being collected and what it is being used for
- allowing people reasonable access to information about themselves and to correct it if it is wrong;
- making sure that the information is securely held and cannot be tampered with, stolen or improperly used; and
- limiting the use of personal information, for purposes other than the original purpose, without the consent of the person affected, or in certain other circumstances.[31]
In an article entitled “Serious flaws in the National Privacy Principles”, Roger Clarke identifies workplace privacy as lacking in the above principles. He stated:
…The Introduction leaves entirely open the question as to whether employment data is within the NPP’s scope. This is a serious weakness... [32]
In short, the National Principles provide no real protection for the employee in question. The principles essentially provide a voluntary code of conduct, with which employers have no obligation to comply, nor, it would seem, incentive to do so. It is beyond the scope of this paper to fully analyse the National Principles but the writer would suggest that, given the significance of the subject and the disputes which may arise, a voluntary code is not the answer. Affirmative legislation, such as that proposed with the extension of the Privacy Act 1988 to the private sector would seem to go someway towards filling the gap.
Once again, a voluntary code of practice has been promulgated (last revised 12 February 1999) which is intended to cover those who agree to be bound by the Code and whose business is to provide the products and services that comprise the Internet or who make use of the Internet to supply or service their customers.
The provisions relevant to the above fact scenario are contained in clauses 8 and 9:
8. SECRECY AND PRIVACY OBLIGATIONS
8.1 Code Subscribers will comply with the National Principles for the Fair Handling of Personal Information. The provisions of this Code are in addition to and not in reduction of the obligation of Code Subscribers under those Principles:
8.2 Code Subscribers will:
(a) keep confidential the business records, personal details and information of or relating to each users and will respect the privacy of users personal communications;
(b) take adequate steps to ensure the confidentiality of business records, personal details and information;
(c) ...
(d) refrain from intentionally examining or tampering with a user’s business records, personal details or information without the express prior consent of the user except to the extent required by a properly qualified officer for the maintenance of system security or data integrity;
(e) treat email as private content whether in transit or in storage.
8.3 Clause 8.2 does not prevent disclosure of information with the express or implied consent of the user or as required by law... [33]
Clause 9 deals with the collection and use of user details which substantially follows those principles in the National Principles for the Fair Handling of Personal Information referred to above. In particular they deal with only collecting details relating to a use if relevant and necessary or for another legitimate purpose which is made known.
It would seem that if the employer in the fact situation provided was a code subscriber under this code of practice, then the employee may have a legitimate expectation that the privacy of their personal email communications would be respected. Given the extent of Internet based email presently being used and the small proportion of employers who would be code subscribers it seems likely to be of limited use.
Many email programs have an option whereby messages can be transmitted privately. If that option is utilised, would that create any greater protection for the employee above? At present there is no strict answer, though commentators have suggested it should:
...If the information was of a confidential nature then surely encryption must be of relevance as it is evidence that the communication was imparted in circumstances importing an obligation of confidence.
It is submitted that any form of reasonable encryption should be sufficient to impose upon the unauthorised recipient the duty not to disclose the information obtained by decoding the information. [34]
Mark D. Robins, in an article entitled “Electronic Trespass: an Old Theory in a New Context”[35] provides some arguments to support an action for trespass to intangible interests, such as electronic communications. Mr Robins identified a number of necessary criteria including;
1. the trespass must be of personal property; and
2. the contact alleged to be trespassory must have been unauthorized in order to be actionable as trespass, though consent will be ineffective to bar a trespass action where the defendant’s conduct exceeds the scope or duration of any consent and where the consent was obtained fraudulently.
The obvious difficulty in the employment situation is that the employer would appear to have good arguments that, in general, material produced in the workplace is owned by the employer. This would not, however, appear to cover those communications originating from outside the workplace.
The second difficulty is the possibility that a court will hold that, by sending such email through work, there is an implied authority provided to record the communication. The issue of users’ likely knowledge of how the system works is referred to above. Is it possible to imply an authority for the material to be recorded in circumstances where people are not aware (and some may be concerned) that the communication is being recorded?
There would not be any trespass to tangible property in the fact scenario described above as the company would own the network server.
If the company had a published electronic communication policy which formed part of the conditions of employment of the employee which included the clause:
X is the owner of and asserts copyright over all email messages created by employees as part of their employment and sent through its network. X may, at its sole discretion, examine the contents of all email. The X network is provided for business not personal purposes,
It is submitted that might go some way towards deciding some of the issues. But it does not solve all the issues. It incorrectly presumes the only privacy people require is that relating to personal issues and not business related issues. It also only refers to messages created by employees and sent through its network, though not messages sent from outside the network:
…the mere knowledge (or consent) of an employee or ISP client may be insufficient, so it may be virtually impossible for ISPs, employers etc to protect themselves by obtaining consent. Implied knowledge by the sender might be present in some cases, but not others.[36]
The voluntary codes do not provide adequate protection to employees in the private sector. The Telecommunications Act 1997 appears to be limited in its application to eligible carriage service providers. Section 7 of the Telecommunications (Interception) Act 1997, on one interpretation may be being breached by intermediary computers in a local area network and create a civil cause of action for the employee under s107A. Trespass to intangible property is beset by a number of difficulties including initially establishing personal property in the communication. Electronic communication policies are inevitably going to be limited in circumstances where they try to regulate messages received from an external source.
Clear legislation dealing with privacy rights in electronic communication is needed in the private sector so that employees know where they stand.
Acts Interpretation Act 1901 (CTH)
Australian Privacy Charter Council, “Australian Privacy Charter” Computers & Law, No 27 September 1995
Australian Privacy Commissioner’s Website, “Draft Guidelines on Workplace E-mail, Web Browsing and Privacy” http://www.privacy.gov.au/issues/p7_4html
, 25/11/99 printed 12 December 1999
Roger Clarke, “Serious flaws in the National Privacy Principles” (1998) 4 PLPR 176
Cooley Godward, LLP, “Privacy Limits on Collecting Personal Information Via The Internet” The Computer Lawyer, No 6, June 1998, 17
Kent Davey, “Privacy Protection for Internet e-mail in Australia - part 1” Computers & Law, No 33, June 1997, 7
Kent Davey, “Privacy Protection for Internet e-mail in Australia - part 2” Computers & Law, No 34, December 1997, 8
Kent Davey, “Privacy Protection for Internet e-mail in Australia - part 3” Computers & Law, No 35, April 1998, 21
Gordon Greenleaf, “Interception on the Internet – the risks for ISPs” (1996) 3 PLPR 93
Patrick Gunning, “Legal Aspects of Privacy and the Internet” Going Digital Chapter 14 1998 Prospect Media Pty Ltd Chippendale
Internet Industry Association, “Internet Industry Code of Practice” 12 February 1999 (www.iia.net.au/index2.html)
Justice Michael Kirby, “Kirby’s Ten Commandments”, The Privacy Bulletin, No. 2, September 1986, 1
Legal, Constitutional and Administrative Review Committee, “32 recommendations to protect privacy in Queensland” (1998) 5 PLPR 49
Paul McGinness, “The Internet and privacy - some issues facing the private sector” Computers & Law, No 29, June 1996
Minter Ellison, “Minter Ellison Electronic Communication Policy” September 1997, Brisbane
Jim Nolan, “Privacy in the workplace, Part 1: legal issues” (1995) 2 PLPR 1
Jim Nolan, “Privacy in the workplace, Part 2: industrial and unfair dismissals” (1995) 2 PLPR 27
Jim Nolan, “Privacy in the workplace, Part 3: some legal issues” (1995) 2 PLPR 48
Privacy Act 1988 (CTH)
Mark D. Robins, “Electronic Trespass: an Old Theory in a New Context”, The Computer Lawyer No. 7, July 1998, 1
Moira Scollay, “Information Privacy in Australia; A national scheme for fair information practices in the private sector” (1997) 4 PLPR 42
Michael A. Smyth v The Pilsbury Company (E.D. Pa 1996) (www.Loundy.com/CASES/Smyth_v_Pillsbury.html)
Telecommunications Act 1997 (CTH)
Telecommunications (Interception) Act 1997 (CTH)
Daryl Williams, “Privacy and the private sector” (1996) 3 PLPR 1
[*] Minter Ellison Lawyers, Brisbane
[1] Paul McGinness, “The Internet and privacy - some issues facing the private sector” Computers & Law, No 29, June 1996 (quote taken from the Australian Law Reform Commission, Privacy and Personal Information, Discussion Paper no. 14 1980)
[2] Jim Nolan, “Privacy in the workplace, Part 3: some legal issues” (1995) 2 PLPR 48 at 50
[3] It is beyond the scope of this paper to look at Australia’s International Privacy Obligations, such as are contained in the International Covenant on Civil and Political Rights and OECD Data Protection and Security Guidelines. For those interested, please see Kent Davey’s article “Privacy Protection for Internet E-mail in Australia” referred to below at 15.
[4] which can be located at
http://www.Loundy.com/CASES/Smyth_v_Pilsbury.html
[5] As it has been in Australia since at least 1997. See Ellen Farmon’s article, “The message is: be very careful!”, The Australian, 1 April 1997 – referred to in Kent Davey’s article, “Privacy Protection for Internet e-mail in Australia - part 1” Computers & Law, No 33, June 1997, 7 at 8
[6] Note 3 at 3
[7] Note 3 at 3
[8] Note 3 at 4
[9] Note 3 at 4
[10] Note 3 at 2 with reference to Henry v Pitsburgh & Lake Erie Railroad Co., 139 Pa. 289, 297, 21A. 157, 157 (1891).
[11] Note 3 at 2 with reference to Borse v Piece Goods shop, Inc., 963 F.2d at 614
[12] Note 3 at 4 with reference to Paul v Lankenau Hospital, 524 Pa. 90, 569 A.2d 346 (1990).
[13] Australian Privacy Charter Council, “Australian Privacy Charter” Computers & Law, No 27 September 1995 at 15
[14] Published in Moira Scollay’s article, “Information Privacy in Australia; A national scheme for fair information practices in the private sector” (1997) 4 PLPR 42
[15] Published by the Internet Industry Association, 12 February 1999 (www.iia.net.au/index2.html)
[16] The Australian Privacy Commissioner’s Website, “Draft Guidelines on Workplace E-mail, Web Browsing and Privacy” draft 25/11/99, http://www.privacy.gov.au/issues/p7_4html, printed 12 December 1999.
[17] Note 12 at 16
[18] Note 13 at 49
[19] Patrick Gunning, “Legal Aspects of Privacy and the Internet” Going Digital Chapter 14 1998 Prospect Media Pty Ltd Chippendale 169 at 173
[20] Kent Davey, “Privacy Protection for Internet e-mail in Australia - part 3” Computers & Law, No 35, April 1998, 21
[21] See also Gordon Greenleaf, “Interception on the Internet – the risks for ISPs” (1996) 3 PLPR 93
[22] Note 17 at 173
[23] Note 17 at 173
[24] 932 F Supp 1232 (1996)
[25] Kent Davey, “Privacy Protection for Internet e-mail in Australia - part 2” Computers & Law, No 34, December 1997, 8 at 20
[26] Quoted in Mr Davey’s article at Note 22 at 20
[27] Quoted in Mr Davey’s article at Note 22 at 20
[28] Note 22 at 20
[29] Note 19 at 94
[30] Note 13 at 41
[31] Note 13 at 52
[32] Roger Clarke, “Serious flaws in the National Privacy Principles” (1998) 4 PLPR 176
[33] Note 14
[34] Note 1 at 26
[35] Mark D. Robins, “Electronic Trespass: an Old Theory in a New Context”, The Computer Lawyer No. 7, July 1998, 1
[36] See Note 19 at 94
AustLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.austlii.edu.au/au/journals/JlLawInfoSci/1999/10.html