This week (9 – 14 May 2022) is Privacy Week. The theme is Privacy: The Foundation of Trust which, at first blush, overlaps with the fundamental employment law principle of trust and confidence.
This got us thinking about the many ways in which privacy and employment law intersect, and how a foundation of trust is created and maintained in the workplace. In this article, we look at a number of issues that may arise in the workplace which would trigger obligations under the Privacy Act 2020 (“the Privacy Act”).
When does privacy need to be considered in the workplace?
Rights and obligations under the Privacy Act can arise in respect of:
- complaints about another employee’s conduct;
- collection, use and storage of an employee’s personal information (including their IRD number, bank account number, vaccination status or other medical information);
- employers requesting information from prospective employees for the purposes of assessing a candidate’s suitability for a role;
- the impact of an employee’s personal life on work-related matters;
- whistleblowing;
- meeting health and safety obligations; and
- requests for information from employees.
Collection, use and storage of personal information
Under the Privacy Act, personal information must not be collected unless it is collected for a lawful purpose, and the collection is necessary for that purpose. The information must not be stored for longer than necessary.
There are obligations on a collector to inform the individual of, among other things:
- the fact that the information is being collected;
- the purpose for which the information is being collected;
- the intended recipients of the information; and
- who will hold that information.
We have been reminded of these obligations in recent times with the Government lifting vaccination mandates in some sectors and removing the requirement to provide proof of vaccination before entering certain venues. While it would depend on the circumstances, this means some organisations may no longer have a legitimate purpose for collecting, storing, or using vaccination information.
Information requests
An organisation may receive a request for the provision or correction of personal information from their employee.
The starting point is that this is information which they are entitled to have access to (with a few exceptions). Receivers of information requests should be mindful of the response timeframes specified in the Privacy Act, and any requests for urgency in respect of that information.
Privacy and safety concerns
Many leaders will have also experienced a team member sharing personal information with them in confidence. For example, this could relate to a condition or circumstance that is impacting their ability to work safely.
While the sharing of this information requires a level of trust, absolute confidence is unlikely to be possible where the failure to share the information with the appropriate people could undermine the leaders’ or the organisation’s health and safety responsibilities.
Complaints
The tension between one employee’s right to privacy and another employee’s right to access personal information may become evident when a person attempts to make an anonymous complaint. Again, there are limited circumstances in which the organisation can refuse to share the full details of the complaint (including who the complainant is) with the accused person.
Contact the team at Black Door Law for tailored advice regarding the intersection of privacy and employment law obligations.
Disclaimer: This information is intended as general legal information and does not constitute legal advice. If you have a specific issue and wish to discuss it, contact the Black Door Law team.