Posted on: Aug 26, 2013

A woman told the Privacy Commission that she had applied for a job as a part-time retail assistant with a large retail chain employer.  The job application had been completed online on the store’s website. As part of the process she was required to consent to the store carrying out a credit check on her. The woman’s application was unsuccessful, and she complained to the Privacy Commission that she considered the store’s collection of her credit report was unnecessary for the purpose of determining whether she was a suitable applicant.

The Commissioner contacted the store, who advised that no credit check had been carried out on the woman. It said that credit checks were only carried out after interviews had been conducted and a preferred candidate for a job identified – the credit check was a final step in the recruitment process. It said consent was obtained from every applicant via the online application process for reasons of efficiency.

This information was relayed back to the woman, who subsequently decided not to pursue the complaint. However, the Commissioner considered that the store’s practices raised issues under principles 1 and 3 of the Privacy Act, and asked it to provide some further information.

Principle 1

Principle 1 of the Privacy Act requires an agency to only collect personal information if it has a lawful purpose connected with a function or activity of the agency, and the collection of the information is necessary for that purpose. 

The Commissioner did not think that it was necessary for a credit check to be carried out for the position of a part-time retail assistant.

Under the Credit Reporting Privacy Code 2004 employers can only access credit information where a job involves significant financial risk to the employer.

The Commissioner did not consider that a part-time retail assistant job posed such a risk. 

The store accepted this view, and undertook not to carry out credit checks for sales assistant positions in the future.

Principle 3

Principle 3 of the Privacy Act generally requires that, when an agency collects personal information from an individual, they tell that individual why they are doing so, and what the information will be used for. 

The Commissioner considered that the store’s online application process did not make it sufficiently clear to applicants what personal information was being collected about them and for what purpose, including that credit checks would only be carried out at the end of the recruitment process. 

The store agreed to amend its online application process to ensure that future applicants understood what information was being collected about them, and for what purpose.

As the store had accepted the Commissioner’s views and amended its processes accordingly, the file was closed.

Case note 222306 [2012] NZ PrivCmr 4

Disclaimer

This article, and any information contained on our website, is necessarily brief and general in nature, and should not be substituted for professional advice. You should always seek professional advice before taking any action in relation to the matters addressed.

Posted on: Aug 26, 2013

A man applied for a job in a government department. As part of the application process the department used a company which specialised in pre-employment screening of potential employees. The man was unsuccessful in his application, and made a request under principle 6 of the Privacy Act for the personal information held by the government agency in relation to his application. Some information was provided, but some was withheld under section 29(1)(b) of the Privacy Act.

The man complained to the Privacy Commission about the information that had been withheld. He also complained about some of the information that had been collected and retained about him by the pre-screening company.

The Commissioner investigated the complaint as one raising issues under principles 1, 6 and 9 of the Privacy Act.

Government department responsible for actions of pre-screening company

The department was responsible for the actions of the pre-screening company which had collected the information about the man. The pre-screening company was acting on the department’s behalf.

Principle 1

Principle 1 provides that an agency must not collect personal information unless it is collected for a lawful purpose connected with an activity of the agency and the collection is necessary for that purpose.

In this case, information had been collected about the man’s personal and commercial credit history. The position he had applied for was not one in which there was significant financial risk to the department. The Commissioner did not consider that the department needed to collect this information about the man in order to determine whether he was suitable for the job, and considered that in doing so it had breached principle 1.

The department accepted this, and apologised to the man for collecting this information.

Principle 6

Principle 6 provides that an individual has a right of access to the personal information that an agency holds about them, unless one of the stated exceptions applies.

The man had requested copies of the reference checks carried out on him. The department had refused on the basis that the exception at section 29(1)(b) applied.

Section 29(1)(b) allows an agency to withhold personal information that is evaluative material where releasing it would breach an express or implied promise made to the person who supplied it that the information or their identity would be held in confidence.

“Evaluative material” is defined in section 29(3) as including evaluative or opinion material compiled solely for the purpose of determining an individual’s suitability for employment.

The Commissioner was satisfied that the department had a proper basis to withhold the information as the references had been provided in confidence and releasing them would breach that confidence.

Principle 9

Principle 9 provides that an agency that holds personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.

The form that the pre-screening company used to collect information about potential employees stated that all the information collected would be retained indefinitely by the pre-screening company, and would form part of its own database for the purpose of determining that person’s suitability for any position they apply for in the future.

The Commissioner did not consider that this practice accorded with principle 9. In their view, principle 9 is incompatible with indefinite retention.  The Commissioner advised the department of this, and it accepted this point. It instructed the pre-screening company to destroy the information it held about the man. This is all the man wanted to achieve and he wanted us to close the file.

Conclusion

The man accepted that he could not get access to the information withheld under section 29(1)(b). He advised that he was satisfied with the outcome in relation to the principle 1 and 9 issues, and the file was closed.

Case Note 218236 [2011] NZ Priv Cmr 4


Posted on: Aug 26, 2013

This case acts as a reminder for employers to be aware of the Privacy Act when conducting employment investigations.

As part of an employment investigation, an employer collected personal information from a man’s work computer. The information collected included emails sent to and from the work computer, as well as key stroke logs for the computer. The employer used information collected from key stroke logging to access the man’s personal web-based email account and copy several emails.

The man complained to the Privacy Commission about the information his employer had collected.

The Commissioner considered that separate issues were raised for the two different types of information collected: information collected directly from the work computer and information collected from the man’s personal email account.

Information collected directly from the work computer

The Commissioner was satisfied that this action complied with the Privacy Act. This was because in both the employment agreement and employee manual the employer had clearly set out that work computers would be subject to monitoring.  However, they considered the collection of key stroke information raised issues under principle 3 of the Privacy Act.

Principle 3(1) sets out that where an agency collects information from an individual, the agency must take such steps which are, in the circumstances, reasonable to ensure that the individual is aware of a number of things, including the fact that information is being collected.

The policies set out in the agreement and manual were not explicit enough to make staff aware that such detailed information was being collected.  On this basis the Commissioner considered that the employer had breached principle 3 in collecting key stroke information.

Information collected from the personal email account

Using the password it obtained from key stroke information the employer accessed the man’s personal email account. The Commissioner considered this raised issues under principles 1, 3 and 4 of the Privacy Act, which are outlined below.

Principle 1

Principle 1 sets out that agencies must not collect personal information unless it’s for a lawful purpose connected with the functions or activities of the agency, and collection is necessary for that purpose.

When the employer accessed the man’s personal email account, it was able to obtain information in relation to a significant number of emails sent over a period of several years.

This went well beyond any information that may have been relevant to the employment investigation. The Commissioner formed the view that the employer had breached principle 1, because the collection was unnecessary and disproportionate to the employer’s needs.

Principle 3

The Commissioner was also satisfied that the employer’s policies were not explicit enough to make an employee aware that if they entered a password into the computer, the employer would be able to use this information, and therefore formed the view that this also breached principle 3.

Principle 4

Principle 4 requires that personal information shall not be collected by unlawful means, or means which, given the circumstances, are unfair or unreasonably intrusive.

Principle 4 is concerned with the method of collection. The Commissioner considered that an individual’s personal email account attracts a high expectation of privacy and it would require exceptional circumstances to justify an employer directly accessing it.

This case was not considered to include exceptional circumstances, and so this method of collection was unreasonably intrusive and in breach of principle 4.

Outcome

The Commissioner advised the employer of their views. The man and his employer attended mediation, were able to reach a settlement, and the complaint was closed.

Case note 229558 [2012] NZ PrivCmr 1
