A recent decision of the Victorian Supreme Court has shed some light on how information privacy principles apply to employee’s social media. The Court found that an employer had not breached an employee’s privacy by accessing her Facebook account while conducting a misconduct investigation.

Ms Lara Jurecek, an employee of Transport Safety Victoria, was the subject of a disciplinary investigation as a consequence of chats and posts on Facebook with respect to her workplace and colleagues, including an abusive message to a colleague posted on the colleague’s Facebook wall. The colleague reported these events to Transport Safety Victoria, and an external investigator was engaged. Ultimately the misconduct was substantiated and Ms Jurecek was given a final warning.

Ms Jurecek made an application to the Victorian Civil and Administrative Tribunal (the “Tribunal”) claiming that her personal information (including her Facebook messages) had been obtained by her employer without first attempting to obtain it directly from her or notifying her. She alleged that such conduct breached the Information Privacy Principles (“IPPs”) in the Information Privacy Act 2000 (Vic). The Tribunal rejected her arguments on the basis that the collection of the information was part of Transport Safety Victoria’s investigation into the alleged misconduct, and did not involve any inappropriate conduct on the part of Transport Safety Victoria, such as “hacking” into her Facebook page.

Ms Jurecek appealed the decision to the Supreme Court of Victoria which confirmed the original decision. The Court noted that the collection of the information was necessary for conducting the misconduct investigation, which was a legitimate purpose. With respect to the obligation to notification the employee that her information had been collected, the Court found that it was not practicable for the employer to do so in these circumstances as this could have jeopardised the integrity of the disciplinary investigation.

What does this mean for employers?

The employer in this case was a State public sector agency, subject to the Victorian Information Privacy Act 2000 (Vic) and it’s IPPs. These principles are expressed in similar terms with to the Australian Privacy Principles (“APPs”) in the Privacy Act 1988 (Cth). The Privacy Act 1988 (Cth) governs the federal regulation of privacy, and its APPs apply to most private sector organisations in terms of how such organisations handle, use and manage personal information.

From this case we can see that information collected for an appropriate purpose and obtained in a lawful and reasonable manner is unlikely to breach privacy law. The investigation of misconduct allegations involving an employee’s social media interactions can establish a legitimate purpose. While pursuing that purpose, employers still need to take care to ensure that any information collected is not obtained unlawfully or in an improper manner, such as hacking a Facebook account or covertly enticing an employee to provide the information.