Most employers are aware that in any employment process they need substantive justification, a fair process, and to deal with employees in good faith. What is often overlooked, however, is the privacy dimension of those same decisions.
Sarah Lim
In the rush to progress matters, employers tend to focus on having a sound reason for their decision and gathering information for employee feedback. Too often, they forget to pause and consider when and how that information is being collected, and from where. That oversight can create avoidable legal risk.
This can be a costly mistake. If an employee’s privacy is breached, they could allege an unjustified disadvantage and a breach of good faith. Where an employment agreement requires compliance with the Privacy Act 2020, privacy failures may also amount to a breach of contract. An employee may also complain to the Office of the Privacy Commissioner, which takes such matters seriously, and often publicly.
Before taking action, employers should consider the potential privacy risks that may arise. These commonly occur in everyday employment situations, including:
(a) Pre-employment checks: These should be completed with the individual’s consent before they commence work. If checks are carried out later, for example, after concerns arise about past conduct, this may amount to a breach of privacy.
(b) Collecting information from public sources: Employers must ensure any collection is necessary for a legitimate business purpose. While information from sources such as Google searches or social media may be publicly available, it is usually collected indirectly and should not be used in a way that is unfair or unreasonable. Reasonable steps should also be taken to confirm the information’s accuracy.
(c) Monitoring employees’ work equipment and activities: Monitoring must be directly connected to a business purpose. If, for example, employees are required to enable location tracking, there must be a clear justification. Best practice is to record this clearly in employment agreements or workplace policies.
(d) Obtaining an employee’s ACC information: In a medical incapacity process, employers may need information held by ACC, which will typically require the employee’s written consent before releasing it. Regardless, best practice is to consult with the employee and limit access to those with a genuine need to know.
If a proposed decision or process may carry privacy risks, employers should seek advice before collecting or relying on employee information. EMA members can access the AdviceLine service, which provides practical, up-to-date guidance on privacy obligations in employment processes and the wider workplace, helping address issues early before they escalate.
EMA Legal also regularly advises on privacy matters and can provide more detailed support where required. In employment matters, how information is gathered can be just as important as the decision that follows.
EMA members listen to Alan McDonald at the summer briefing in Tauranga. Photo: Mary Anne Gill
