University of Otago Law Theses and Dissertations

Barclay, Georgia --- "All Eyes on You: a critical evaluation of worker surveillance in Aotearoa New Zealand" [2022] UOtaLawTD 5

Last Updated: 25 September 2023

All Eyes on You: a critical evaluation of worker surveillance in Aotearoa New Zealand

Georgia Barclay

A dissertation submitted in partial fulfilment of the degree of Bachelor of Laws with Honours at the University of Otago, Dunedin, New Zealand

October 2021

Acknowledgements

Special thank you to my supervisor, Dr Dawn Duncan, for taking me on, your invaluable guidance and expertise, and your time spent helping me work on this project.

Thank you to Jaiden, and to my parents, for your support and for reading through this dissertation and providing helpful feedback.

Thank you to my family and friends who have made my time at Otago so special by supporting me and sharing my experiences.

I Introduction

Employers have always sought to monitor their workers; however, over the past two decades, worker monitoring software has become increasingly available, affordable, and intrusive.1 Worker surveillance has insidiously become the new normal: workers’ emails, instant messages, web-browsing histories, keystrokes, mobile phones, amount of time spent ‘idle’, and locations are now commonly tracked using software and cameras. Some employers have even suggested using “wearables” to track workers’ health data and microchips implanted within workers to track locations.2

As working from home has become more common, so has demand for monitoring technology to supervise workers working further from management purview.3 The Covid-19 pandemic accelerated these pre-existing trends. With employees forced to work from home under government-mandated lockdowns, there was an immense increase in worker surveillance. For example, one company selling monitoring software targeted at employers reported a threefold increase in New Zealand sales during the start of the Covid-19 lockdown in 2020. Some employers “looked to having security cameras on computers used at home”.4

The extent of collection of workers’ information and the manner of its management can have serious ramifications for the individuals concerned, particularly so in employment where information is the crucial component enabling advancement and firing.5 Thus, the inappropriate collection or management of personal information can have devastating consequences for an employee – “livelihoods, careers and personal health are often at stake.”6 More generally, the right to privacy, and to be free from constant surveillance, is vital when the lines between work life and private life are blurring and employers are increasingly using monitoring to have eyes on their workers at all times.

1 Andy Hodder “New Technology, Work and Employment in the era of COVID‐19: reflecting on legacies of research” (2020) 35(3) New Technology, Work and Employment 262 at 265; and Paul Roth (ed) Privacy Law and Practice (online looseleaf ed, LexisNexis) at [EPM.1.4].

2 Paul Roth "Privacy Law Reform in New Zealand: Will it Touch the Workplace?" (2016) 41(2) NZJER 36 at 55-56; Saima Akhtar “Employers’ new tools to surveil and monitor workers are historically rooted” The Washington Post <https://www.washingtonpost.com/outlook/2021/05/06/employers-new-tools-surveil-monitor-workers-are-historically-rooted/>; and Maggie Astor “Microchip implants for employees? One company says yes.” (25 July 2017) The New York Times <https://www.nytimes.com/2017/07/25/technology/microchips-wisconsin-company-employees.html>.

3 Gordon Anderson "Labour law under stress some thoughts on Covid-19 and the future of the labour law" (2020) 45(2) NZJER 33 at 39.

4 Kathryn Dalziel, John Edwards, Annabel Forham "Privacy and Access to Information" (paper presented to New Zealand Law Society Employment Law: "Justice at Work?" Conference, Wellington, 2020) 269 at 276.

This dissertation aims to answer whether current legal frameworks governing employer surveillance of workers whilst working in New Zealand are sufficient to protect workers’ rights to privacy and, if not, what legal reform would best remedy this insufficiency. Part One discusses how the right to privacy in the context of work ought to be conceptualised, aiming to show that workers normatively ought to have legal protection of their right to privacy whilst working, despite historic justifications for undercutting it. Part Two explains what the current legal framework in New Zealand governing worker surveillance is, seeking to show that it is insufficient to protect workers’ rights to privacy. Part Three explores options for legal reform, comparatively analysing New Zealand’s legal framework with that of the European Union and Australia. Specifically, Part Three aims to show that the best reform option is a specific Act catered to workplace surveillance. Overall, this dissertation will show that the current legal framework is a bleak one for workers seeking protection, and one that requires reform through targeted legislation to remedy.

5 Gehan Gunasekara "Making a difference?: The 'Privacy Act' and employment relationship problems in New Zealand" (2018) 28 NZULR 25 at 25.

6 Gunasekara, above n 5, at 25.

II Part One: A Right to Privacy

A Introduction

“The fact that workers might have any privacy rights is generally regarded as a subsidiary matter, if it is regarded at all”.7 While there is a unique power imbalance inherent in the employment relationship that renders employees vulnerable and unable to assert their privacy rights, the common law has traditionally been apathetic to the idea of accounting for this lack of power.8 For example, rights to confidentiality in the course of employment have historically been bestowed on employers, not employees.9

This Part explores first the concept of privacy and second how the concept of privacy applies within the employment sphere. It shows that while workers ought to have a right to privacy whilst working that New Zealand is obliged to uphold, that right has historically been watered down by four considerations particular to the employment sphere. In particular, these four considerations are unsatisfactory justifications for the watering down of workers’ rights to privacy.

B What is Privacy?

Privacy is a “notoriously elastic concept” that eludes easy definition.10 The traditional starting point is the seminal article about privacy by Warren and Brandeis that defined privacy as the “right to be let alone”.11 Similarly, in Hosking v Runting, Tipping J defined privacy within the context of public disclosure of private facts as “the right to have people leave you alone”.12 Yet, this style of definition does not give the full picture.

7 Roth, above n 2, at 36.

8 Roth, above n 1, at [EPM.1].

9 Roth, above n 1, at [EPM.1]; and Dalgleish v Lothian & Borders Police Board [1991] IRLR 42.

10 Anita Allen Uneasy Access: Privacy for Women in a Free Society (Random and Littlefield, Totowa, 1988) at 16.

11 Samuel D Warren and Louis D Brandeis “The Right to Privacy” (1890) 4 Harv L Rev 193 at 195 and 207.

Privacy can be thought of as being made up of two overlapping dimensions: informational privacy and local privacy.13 Informational privacy relates to when personal information is used, collected, or disclosed to others.14 Informational privacy is important because dissemination of private information can lead to harm if third parties take issue with it. Local privacy relates to the interest to behave in a manner free from surveillance.15 Local privacy is important because it affords mental wellbeing by providing a respite from public life, which often requires constructing a persona “in order to integrate successfully with others”.16 Both dimensions of privacy enable freedom of thought and expression by affording the space for people to develop their own opinions and personality without fear of judgement from others.17

The right to privacy then, comprised of both informational and local dimensions, is both a fundamental right on its own terms and is an important enabler of other rights, notably freedom of thought and expression. The right to privacy is “of the essence of the dignity and personal autonomy and wellbeing of all human beings”;18 it assists in “achieving elements of personhood”.19

12 [2004] NZCA 34; [2005] 1 NZLR 1 (CA) at [57]-[58].

13 Law Commission A Conceptual Approach to Privacy (NZLC MP19, 2007) at [1.4.6].

14 Law Commission, above n 13, at [1.4.6].

15 Law Commission, above n 13, at [1.4.6].

16 Graeme Laurie Genetic Privacy: A challenge to medico-legal norms (Cambridge University Press, Cambridge, 2002) at 7.

17 Law Commission, above n 13, at [3.63.2]; Normann Witzleb “Employee Monitoring and Surveillance under Australian Law: The Need for Workplace Privacy Legislation” in Dieter Dörr and Russell L. Weaver (eds) Perspectives on Privacy: Increasing Regulation in the USA, Canada, Australia and European Countries (De Gruyter, 2014) 126 at 128; and Laurie, above n 17, at 7.

18 Hosking v Runting, above n 12, at [58].

19 Law Commission Privacy Concepts and Issues – Review of the Law of Privacy Stage 1 (NZLC SP19, 2008) at 56.

New Zealand is obliged to uphold the right to privacy under Article 12 of the United Nations Declaration of Human Rights and Article 17 of the International Covenant of Civil and Political Rights, ratified by New Zealand in 1978.20 Moreover, if privacy is an essential enabler of freedom of thought and freedom of expression, New Zealand is also obliged to uphold the right to privacy under sections 13 and 14 of the New Zealand Bill of Rights Act, and the corresponding Articles 18 and 19 of the ICCPR. Further, New Zealand would also be obliged to uphold the right to privacy under Te Tiriti o Waitangi because Article 2 guarantees Te Tino Rangatiratanga which, “in human rights terms embodies the rights to expression, culture, property and self-determination”, which privacy rights help enable.21

Article 2 of the Treaty also guarantees active protection of taonga, which includes tikanga Māori.22 However, Carwyn Jones has stated that tikanga Māori is net neutral on the right to privacy.23 Strong privacy rights may help to uphold mana and tapu. Moreover, some highly valued personal information may be considered a taonga and accordingly in need of protection by privacy rights. However, there may be a tension between privacy and tikanga Māori because privacy rights tend to be individually focused, whereas tikanga is collectively focused.

C Do Workers Have a Right to Privacy Whilst Working?

As we have seen, it is clear privacy is a fundamental right that New Zealand is obliged to uphold for all. This manifestly includes workers and employees. There is no reason why this right should cease to exist whilst employees are working. Privacy whilst working is especially important because (a) for most people, it is through their work that they have a significant opportunity to develop relationships and (b) it is not always achievable to clearly distinguish which activities form part of someone’s professional life and which do not.24 Thus, for the law to achieve the underlying aims privacy strives to protect, namely autonomy and freedom of expression, it ought to protect privacy whilst working, at least to some degree. Moreover, the concept of privacy in public spaces is recognised in other areas of New Zealand law. For example, in the Crimes Act 1961, private communication is defined as a communication made under circumstances such that (a) they may “reasonably be taken to indicate that any party to the communication desires it to be confined to the parties” at hand, and (b) they may reasonably expect the communication will not be intercepted.25 Under this definition, a private communication could take place in a public area, which can include the workplace. Additionally, this concept is recognised by other international bodies. The International Labour Organisation has stated that “workers have a right to privacy” both in their “private life” and within the “workplace and human interaction in a work context”.26 The European Court of Human Rights has accepted that private life can include a person’s professional activities or activities taking place in a public place.27

20 Universal Declaration of Human Rights GA Res 217A (1948); and International Covenant on Civil and Political Rights GA Res 2200A (XXI) (1966).

21 Treaty of Waitangi Act 1975, Schedule 1, Article 2; and Nura Taefi, Michael Timmins "Taking Proceedings in the Human Rights Review Tribunal" (paper presented to New Zealand Law Society Employment Law: "Justice at Work?" Conference, Wellington, 2020) 311 at 312.

22 Natalie Coates “The Recognition of Tikanga in the Common Law of New Zealand” [2014] NZSC 108; (2015) 1 NZLR 1 at 16; and Waitangi Tribunal Report on the Crowns Foreshore and Seabed Policy (Wai 1071, 2004) at 3.

23 Dr Carwyn Jones, Joanna Hayward, Matatapu PJ Devonshire “Tikanga Māori and Privacy: reflections from the High Court review of decisions about Māori Covid-19 vaccination data” (20 May 2022) The Office of the Privacy Commissioner <https://www.youtube.com/watch?v=Fzbe9pw-2hU>.

However, workers’ rights to privacy whilst working have historically been weakened by considerations specific to the employment context. This section focuses on four commonly used, and somewhat overlapping, considerations and aims to show that they are unsatisfactory justifications for the total overriding of workers’ rights to privacy: first, that workers’ right to privacy must give way to employers’ legitimate interests in undermining it; second, that workers have voluntarily waived their privacy rights through contract; third, that rights to privacy are extinguished where employers have the right of control over the use of facilities they own and workers use, perhaps including workers’ time; and fourth, that workers generally have a lesser expectation of privacy in the context of employment, so do not need their right to privacy protected.

24 Antović and Mirković v. Montenegro (2017) ECHR 70838/13, 28 November 2017 (ECHR) at [42].

25 Section 216A(1).

26 Frank Hendrickx Protection of workers’ personal data: General principles. ILO Working Paper 62 (International Labour Organisation, 2022) at 8 and 7, respectively.

27 Niemietz v Germany [1992] ECHR 80; (1992) 16 EHRR 97 (ECHR) at [29].

  1. Employers have legitimate interests that ought to override workers’ rights to privacy

Like all human rights, the right to privacy is not absolute.28 It must yield to other interests or rights where there are irreconcilable tensions. Employers frequently have incentives that directly conflict with workers’ incentives to maintain privacy. Many of these incentives are legitimate. Employers may want to use surveillance to increase logistical efficiencies, discourage poor quality work, or prevent theft of property.29 Surveillance can likewise aid in preventing employer liability: employers are liable for health and safety breaches which surveillance and monitoring may help minimise; and employers can be liable for the content of employee statements (for example, negligent misstatements) so have an interest in monitoring communications to detect issues.30 Thus, the argument goes, employers’ legitimate interests must come above workers’ rights to privacy.

However, these legitimate aims should not be seen as a blanket justification for intrusive surveillance because it is unclear whether surveillance will always achieve these legitimate aims, and whether it does so will often be context dependent. For example, it is unclear that any surveillance will always increase productivity, or that any surveillance will always prevent safety breaches. Moreover, employers may have illegitimate aims. For example, they may wish to use surveillance as a means of control over worker resistance, as some employers have in using data collected through worker surveillance to prevent union formation.31

28 Law Commission, above n 13, at [1.33].

29 Dan Michaluk “The Other Side of the Balance: Employer Interests, Work Systems and R. v. Cole” (2015) 18(2) Canadian Labour and Employment Journal 459 at 460.

30 Health and Safety at Work Act 2015, s 36; Hedley Byrne & Co Ltd v Heller & Partners Ltd [1963] UKHL 4; [1964] AC 465 (HL).

It has also been argued that employees may benefit from surveillance as it may allow unfounded allegations to be resolved in the employees’ favour.32 However, this argument is weak because employers are required to act fairly. A fair employer would likely not take severe disciplinary action based on allegations with no evidence.33

Thus, while employers’ legitimate interests may justify narrowing workers’ rights to privacy in some circumstances, they are by no means a blanket justification that ought to override workers’ rights to privacy.

  2. Workers consent to waiving their privacy rights

Workers have historically been perceived to have willingly surrendered their rights to privacy upon signing their employment agreement.34 In the employment sphere, “consent” must be genuine to be meaningful – an employee cannot be taken to have impliedly consented to yielding their privacy rights simply by the act of taking the job.35 Even with these additional protections, consent generally is insufficient to be a blanket justification for any and all undermining of worker rights to privacy for three reasons discussed below.

31 Annie Palmer “How Amazon keeps a close eye on employee activism to head off unions” (4 October 2020) CNBC <https://www.cnbc.com/2020/10/24/how-amazon-prevents-unions-by-surveilling-employee-activism.html>; see also Hayley Peterson “Whole foods tracks unionization risk with heat map.” (20 April 2020) Business Insider <https://www.businessinsider.com/whole-foods-tracks-unionization-risk-with-heat-map-2020-1>.

32 New Zealand Productivity Commission New Zealand, technology and productivity – Technological change and the future of work, Draft report 1 (New Zealand Productivity Commission, 2019) at 22.

33 Employment Relations Act 2000, s 103 provides that an employer that has been unjustifiably dismissed or suffered an unjustifiable disadvantage may bring a personal grievance; s 103A provides that an action will be unjustifiable if the employer did not act as a fair and reasonable employer would have.

34 Rebecca Britton “An employer’s right to pry” [2006] CanterLawRw 3; (2006) 12 Canta LR 65 at 70.

35 New Zealand Public Service Assoc Inc v Southland Regional Council [2005] NZEmpC 124; [2005] ERNZ 1008 (EmpC) at [39]; and Gunasekara, above n 5, at 35 and 36.

Moreover, workers are taken to have consented to privacy policies that can be altered after the commencement of their employment so long as they are notified.36

First, there is a significant power imbalance between employers and workers. In a competitive job market, workers accept terms they do not like to get or keep a job and the means to live by.37 Workers may also not want to appear ‘difficult’. This problem is worse for unskilled or uneducated workers who often have less bargaining power with which to approach contract negotiations.

Second, workers often do not receive legal advice about the contracts they are signing so may not realise to what extent they are giving up their legal right to privacy. Correspondingly, contracts and policies are often written in dense ‘legalese’ that can be difficult to understand.

Third, even where a contract is evidence of full, informed, and willing consent by an employee to waive their privacy rights, this could be because the employee values concrete benefits like job security and money more than privacy. However, if this were the case, this does not automatically mean privacy is not valuable to the employee, or that it is not a right the law ought to protect – just that those concrete benefits of job security or money were more valuable to the employee. This could be for several reasons: privacy is intangible, so can be hard to appreciate; there is a misconception that people’s privacy information is effectively anonymised because of the sheer amount of personal information collected;38 there is a misconception that a right to privacy only matters if one has things to hide; there can be an underestimation of how much personal information can be gathered through monitoring, especially for uneducated or older people;39 and there can be misplaced trust that employers do not invade privacy.

36 For example, in Bisson v Air New Zealand Ltd ERA Christchurch 98/06, 3 July 2006 at [103] the Authority held that sufficient notification of the employers’ internet policies would have been sufficient to establish a requirement the employees abide by it, regardless of whether they actually agreed.

37 Roth, above n 1, at [EMP.1].

38 Milton Heumann, Lance Cassak, Esther Kang, Thomas Twitchell “Privacy and Surveillance: Public Attitudes on Cameras on the Street, in the Home, and in the Workplace” (2016) 14(1) Rutgers Journal of Law and Public Policy 37 at 56.

Accordingly, the law ought to redress the imbalance of power within the employment relationship, and common misconceptions about privacy, by limiting the ability for consent to be a justification for undermining privacy. Other areas of employment law do this by intentionally undermining freedom of contract to preserve minimum standards of conduct by which employers must abide.40

  3. Employers’ right to ownership over their equipment and facilities, perhaps including workers’ time, ought to override workers’ rights to privacy

This section discusses this justification both in reference to employer ownership over equipment and facilities and to employer ownership over workers’ time.

(a) Employer ownership of equipment and facilities

Employers usually pay for an office space and the facilities within. The employees merely use these facilities. Therefore, where an employer owns a facility, they should arguably be able to exercise their rights of ownership by setting the conditions of use as they see fit.41

However, ownership should not operate as a blanket justification for undermining employee rights. As discussed above, workers effectively do not have a choice of whether or not to use employer facilities. This is different from the usual scenario of ownership whereby someone can choose whether to enter another person’s property. Thus, while employer ownership may be a factor that can justify intrusion into workers’ privacy, it should not justify any and all intrusions. Moreover, this provides “no real reason why privacy rights cannot be protected, merely why they have not been protected in the past.”42

39 Anderson, above n 3, at 39.

40 See Minimum Wage Act 1983; Holidays Act 2003; and Health and Safety at Work Act 2015.

41 Dan Michaluk, above n 29, at 465.

Moreover, the justification of employer ownership is considerably weakened when you consider the rise of remote working and Covid-19. When an employee is using their own internet, devices, and equipment, the employer does not hold the ownership that justifies their setting the conditions of use. Accordingly, remote working likely heavily undermines the justification of employer ownership, although the extent of this likely depends on the extent to which an employee is using their own equipment.

(b) Employer ownership of employee time

Counsel have argued that employers have a right of control over employees’ activities because they are paying for the employees’ time.43 The law appears neutral on this point: there are no cases where this argument has been explicitly endorsed; however, there are similarly no cases where this argument has been explicitly rejected. However, it is clearly not true that an employer truly ‘owns’ an employee’s time to the extent they can force the employee to do anything they like. For example, they cannot make them commit a crime or otherwise act outside the requirements of the employment agreement. On the other hand, it may be true that an employer ‘owns’ the employee’s time to the extent that they can reasonably expect to hold an employee to their obligations within the limits of the employment agreement.

Accordingly, employer ‘ownership’ of employee time may be a justification enabling the undercutting of employee’s privacy rights, although this proposition has not been explicitly endorsed. However, if it is accepted that employers have a right to ensure a worker is spending their paid time appropriately, again this should not be a blanket justification that allows any level of intrusive surveillance and should be balanced with workers’ rights to privacy.

42 Rebecca Britton, above n 34, at 70.

43 Allerton v Methanex (New Zealand) Ltd [2000] NZEmpC 59; [2000] EMC Wellington WC23/00, 5 NZELC 98,610, 1 ERNZ 242 at 8.

  4. Workers have a lower reasonable expectation of privacy whilst working

Both employer ownership of facilities and worker consent reduce employees’ reasonable expectations to privacy. If an employee knows they are in a public office space owned by their employer, they should not expect absolute privacy and should shape their behaviour accordingly. Workers should not expect to be able to protect a right they do not expect to have in fact.

However, as discussed in this section’s introduction, workers ought to maintain their right to privacy whilst in public or within their professional activities, meaning in some circumstances they would maintain a reasonable expectation of privacy. For example, someone could have an expectation to privacy regarding a private conversation undertaken in a quiet area of the office. Moreover, the justification of reasonable expectations is undermined where an employee is working from their own home because there they have a far greater reasonable expectation of privacy. The home represents for many people the “heart of privacy” – it is a particularly private space where most people expect absolute privacy.44 A response may be that this consideration is lessened if someone knows they are being watched, for example through their laptop camera. This is a weak response. First, the home contains personal objects which would likely be viewable. These personal objects inherently contribute to the privacy of these spaces.45 While some of these could be moved, this is a burden and may not be practicable with larger objects or décor. Second, information about who else is in an employee’s home and what their relationship with them is could be collected. An employee would ordinarily expect this information to be private if they so wished.

44 Beate Rössler, ‘New ways of thinking about privacy’ (translated by R D V Glasgow) in John S Dryzek, Bonnie Honig and Anne Phillips (eds), The Oxford Handbook of Political Theory (Oxford University Press: Oxford, 2006), at 707.

45 Beate Rössler, The Value of Privacy (Polity, Cambridge, 2005) at 142.

  1. Conclusion

The right to privacy is both a fundamental right on its own terms and is an important enabler of other fundamental rights that New Zealand is obliged to protect. Workers maintain this right to privacy even whilst working. Private information can be revealed whilst working or physically at work. The right to privacy includes a right to local privacy, or space to be free from surveillance, which is a necessary contributor to autonomy and personhood. Given the increasingly blurring boundaries between work and private life and the fact that many employees work for large portions of their weeks, local privacy whilst working is then an essential part of upholding a broader right to privacy. Thus, while the right to privacy must at times yield to other rights and interests, considerations justifying the weakening of workers’ rights to privacy ought to be carefully considered and should not operate to extinguish privacy rights in all contexts. Many of the considerations that have broadly justified intrusions into workers’ privacy are of limited persuasiveness, particularly in the context of working from home. This framing shapes the answer as to whether current legal protections are sufficient to protect workers’ privacy, as discussed in the next Part, which analyses New Zealand’s legal framework surrounding worker surveillance.

III Part Two: The Current Framework

A Introduction

The previous Part established that workers have a right to privacy whilst working. This Part investigates whether that right is effectively upheld under current New Zealand law, concluding that it is not. Privacy rights regarding worker surveillance are currently upheld by a confusing patchwork of law comprised of the Privacy Act, the Employment Relations Act, the Human Rights Act, the Crimes Act, contract, and tortious remedies.46 Workers that do not meet the strict definition of employee cannot access all of these remedies; they are barred from accessing remedies under the Employment Relations Act.47 Those that do meet the definition of employee cannot pursue remedies under both the Human Rights Act and the Employment Relations Act where an action could be brought under either.48 They can, however, pursue remedies under both the Privacy Act and the Employment Relations Act where an action could relate to either; however, because the Privacy Act is aimed at conciliation between the parties, parties that have reached settlement through the employment jurisdiction will likely be unable to go through the conciliation process under the Privacy Act.49

B The Privacy Act

On first reading, the Privacy Act appears to strongly protect individuals’ right to privacy. The Act marked a “paradigm shift in the informational relationship between employers and employees”, strengthening workers’ privacy rights.50 However, this was only in comparison to the absolute lack of protection of employee privacy before the Act’s inception, where “the ability of employees to control the manner in which personal data about them was acquired, who it was acquired from and shared with and to access the data were almost entirely matters subject to the employer’s whim, subject only to the terms of any employment agreement.”51 The protections of the Act, whilst an improvement from before it was enacted, remain insufficient to protect worker privacy as regards surveillance. Moreover, as we shall see, the Act has been interpreted and implemented in such a way that is “highly flexible”, and in the employment context, tends to be tilted in the employer’s rather than the employee’s favour.52

46 Privacy Act 2020; Employment Relations Act 2000; Human Rights Act 1993; and Crimes Act 1961.

47 Employment Relations Act 2000, s 102 allows only employees to bring personal grievances; s 6 defines employee broadly but excludes those working in film production and independent contractors.

48 The jurisdictional bar in HRA s 79 only applies to the ERA and the jurisdictional bar in ERA s 112(3) only applies to the HRA. The Privacy Act has no such jurisdictional bar.

49 Privacy Act 2020, s 74.

50 Gunasekara, above n 5, at 29.

In this section, I explain how the Act has been interpreted in relation to worker surveillance thus far, how it will likely be interpreted in the context of employees working from home, and the key flaws the Act has that undermine its ability to protect workers from invasive monitoring.

  1. Fundamentals of the Privacy Act

For the Act to apply, “personal information” must have been collected or held by an “agency”.53 “Personal information” is defined extremely broadly under the Act as “information about an identifiable individual”.54 “Agency” is also defined broadly as any individual, company or group that is not in the list of exceptions.55 Accordingly, employers will generally meet the definition of “agency” and surveillance of employees will generally amount to collecting “personal information” under the Act.56 Some academics have

51 Gunasekara, above n 5, at 29.

52 Roth, above n 7, at 37.

53 Privacy Act 2020, s 4(1).

54 Section 7.

55 Sections 8 and 9.

56 Note, while “news entities” are generally exempt from the definition, this is only when they are carrying out “news activities”. Likely a news entity in carrying out employee operations would fall under the definition.

suggested that in some instances employers will not be “collecting” information under the Act because either they already ‘hold’ it in their system or because it was unsolicited.57 However, the relevant case notes of the Privacy Commissioner treat information collected by employee monitoring, including email monitoring, as having been collected for the purposes of the Act.58 This has been a positive step that has enabled the Commissioner to examine cases of employee surveillance.59

An individual’s privacy will have been interfered with if one or more of twelve information privacy principles (IPPs) have been breached and some form of harm can be demonstrated.60 There must be a causal connection between the breach and the harm.61 Of the twelve IPPs, IPPs 1, 3, and 4 are particularly relevant to employee surveillance.

(a) The IPPs

IPP 1 states that the collection of personal information must be necessary for a lawful purpose connected with an agency’s function or activity.62 In Lehmann v Canwest Radioworks Ltd, the HRRT held that under IPP 1, “necessary” should be interpreted as “reasonably necessary”, rather than “essential”. Otherwise, the Tribunal stated, IPP 1 would impose too high a standard.63 In Tan v New Zealand Police, the HRRT held that “necessary” across all of the IPPs means what is “needed or required in the circumstances, rather than merely desirable or expedient”.64 However, in the latter case, the Tribunal did not refer to the earlier and previously leading judgement of Lehmann.

IPP 3 states that agencies must take reasonable steps to ensure people are aware of the collection of their personal information and the underlying purpose; however, an agency

57 Paul Roth “Surveillance Cameras in the Workplace” (2002) 4 ELB 54 at 55; Roth, above n 1, at [EPM.3.3]; Britton, above n 34, at 88.

58 Gehan Gunasekara and Niveet Singh “Upping the Ante: New Actors and the Evolving Nature of Privacy Act Jurisprudence in New Zealand” (2017) 48 VUWLR 441 at 455.

59 Gunasekara and Singh, above n 58, at 455.

60 Privacy Act 2020, s 69(2); see also Privacy Act 1993, s 66.

61 Hammond v Credit Union Baywide [2015] NZHRRT 6, (2015) 10 HRNZ 66 at [134].

62 Section 22 IPP 1.

63 Lehmann v Canwest Radioworks Ltd [2006] NZHRRT 35 at [47] and [51].

64 Tan v New Zealand Police [2016] NZHRRT 32 (18 October 2016) at [77].

need not comply if they can prove they believed on reasonable grounds that one of several exceptions applied.65 Of relevance are the following exceptions: non-compliance is “necessary” to (i) avoid prejudice to the maintenance of law or (ii) enforce a law with a pecuniary penalty;66 compliance would “prejudice the purposes of the collection”;67 or that compliance is “not reasonably practicable”.68

IPP 4 states that agencies cannot collect personal information (a) unlawfully or (b) in a way that is unfair or intrudes to an unreasonable extent upon the personal affairs of the individual concerned.69 The Privacy Commissioner has stated that when assessing IPP 4, what is deemed to be fair in the circumstances is heavily influenced by whether somebody has a “reasonable expectation of privacy”.70 Thus, the “critical” thing an employer must do to avoid breaching IPP 4 is to have a privacy policy that is clearly communicated to employees.71

IPPs 5-11 govern how personal information must be stored, used, and released. Personal information: must be securely stored;72 must be able to be accessed and, where necessary, corrected by the individual to whom it relates;73 must not be retained indefinitely;74 cannot be used unless the employer verifies it is accurate, complete, and relevant;75 and cannot be

65 Sections 22 IPP 3, particularly (1) and (4), and 101.

66 Section 22 IPP 3 (4)(b)(i) and (4)(b)(ii).

67 Section 22 IPP 3 (4)(c).

68 Section 22 IPP 3 (4)(d).

69 Section 22 IPP 4.

70 John Edwards, Privacy Commissioner “Kensington Swan Privacy in Employment: Surveillance” (13 September 2018) The Office of the Privacy Commissioner <https://www.youtube.com/watch?v=Hi9xoD-rHVI> at 3 minutes.

71 John Edwards, above n 70, at 3 minutes.

72 Section 22 IPP 5.

73 Section 22 IPP 7; this requirement has had a “great impact” in enabling employees to access information from their employers even where the employment relationship has broken down – see Gunasekara, above n 5, at 53.

74 Section 22 IPP 9.

75 Section 22 IPPs 9 and 8.

used or disclosed unless it is for, or directly related to, a purpose for which the information was retained.76

If an employee believes their privacy has been interfered with, they must first make a complaint to the Privacy Commissioner.77 The Commissioner may investigate and make a verdict on whether their privacy was infringed under the Act.78

(b) The 2020 update to the Act

The Act was updated in 2020. The changes made are relatively minor, and have been acknowledged as a “quick job”.79 There is now mandatory reporting for privacy breaches that have caused or are likely to cause serious harm; failure to do so without reasonable excuse is a criminal offence with a fine of up to $10,000.80 There are also new criminal offences for not complying with Commissioner instructions.81 Finally, the Commissioner also has new powers to issue compliance notices that require an agency to do or stop doing something and has greater information-gathering powers when investigating.

  2. Case Notes

These case notes demonstrate that the Privacy Commissioner tends to interpret the Act in a way lenient to employers. However, there is some weak evidence of a shift over time toward greater protection of employees’ rights to privacy. There are only four case notes directly on point, so I analyse them in detail.

76 Section 22 IPPs 10 and 11.

77 Privacy Act s 72.

78 Privacy Act s 74, s 81.

79 Roth, above n 1, at [INT6.2].

80 Sections 114 and 197.

81 At s 212.

In Case Note 0632, a company placed a camera in a locker room over the course of one month to detect theft from the company’s warehouse.82 The Commissioner found no IPPs were breached. IPP 1 was not breached; the filming was necessary to detect theft. IPP 3 was not breached because several exceptions applied: the company reasonably believed the filming was to capture covert and unlawful behaviour;83 they reasonably believed transparency prejudiced the purpose of collection;84 and it was not reasonably practicable to be transparent.85 IPP 4 was not breached; the level of intrusion was justified by the serious need to catch a thief.

In Case Note 32277, another company placed a camera in a changing room to (a) detect thefts from employees’ lockers and (b) prevent thefts at the plant generally.86 Again, the Commissioner found no IPPs were breached. IPP 1 was not breached because the video footage was necessary to detect theft. IPP 3 was not breached because the company reasonably believed that transparency would prejudice the purpose of catching a thief. IPP 4 was not breached because the filming was on employer premises; while the filming captured employees changing, the camera was not placed in the showers or toilets; the cameras were only activated by movement near the target locker; and the cameras only operated until the thief was caught.

In Case Note 229558, an employer used monitoring software to collect an employee’s personal information from his work computer as part of an employment investigation.87 The information included emails sent to and from the employee’s work email, key stroke logs, and a significant number of emails from the employee’s personal email account, which the employer accessed after getting the password from the key stroke logs.

82 Case Note 0632 [1994] NZPrivCmr (August 1994)

83 Privacy Act 2020, s 22 IPP 3 (4)(b)(ii); see also Privacy Act 1993, IPP 3(4)(c)(iv).

84 Privacy Act 2020, s 22 IPP 3 (4)(c); see also Privacy Act 1993, IPP 3(4)(d).

85 Privacy Act 2020, s 22 IPP 3(4)(d); see also Privacy Act 1993, IPP 3(4)(e).

86 Case Note 32277 [2003] NZPrivCmr 25 (September 2003).

The Commissioner found the collection of work emails complied with the Privacy Act because the employee knew work computers would be monitored. However, the collection of key stroke information breached IPP 3 because the employment agreement and employee manual were not sufficiently explicit to make workers realise keystrokes were being collected. The collection of information from the personal email account breached IPPs 1, 3, and 4. IPP 1 was breached because the number of emails collected went “well beyond” information relevant to the employment investigation. IPP 3 was breached because, again, the employees were not aware that keystroke information was being tracked or would enable their passwords to be known. IPP 4 was breached because collecting the employee’s personal emails was unreasonably intrusive. The Commissioner stated, “it would require exceptional circumstances to justify an employer directly accessing it” – here, there were no such circumstances.

In Case Note 289943, a NZ Post worker complained when he found out that cameras in NZ Post vehicles were recording audio, thus capturing his conversations.88 NZ Post claimed they needed both video and audio recording for health and safety reasons. The Privacy Commissioner found NZ Post breached IPPs 1, 3 and 4. IPP 1 was breached because it was “not clear the audio recordings would prevent accidents from happening or provide information that would lead to changes in safety policies.” IPP 3 was breached because the worker was not made aware the camera had audio recording capacity. IPP 4 was breached because the constant audio recording was unreasonably intrusive. The worker’s right to maintain a “reasonable degree of privacy and dignity”, and that of the people the workers interacted with, outweighed NZ Post’s need to investigate possible incidents.

  3. Applying the Privacy Act to employees working from home

(a) Video surveillance

The Office of the Privacy Commissioner has issued guidance, available on its website, specifically on whether employers can require employees working from home to keep their laptop cameras on.89 The guidance states that employers doing so would likely be breaching IPP 4 as employees generally have a “heightened expectation of privacy in their home”. The guidance does not make a determination on IPP 1. In the abstract, this guidance is a strong position and should hopefully shape employers’ behaviour positively.

However, it is an open question as to whether the Commissioner would in fact find for an employee in this situation. While employees may generally have a reasonable expectation of privacy in the home, that reasonable expectation may be undermined if an employer had clearly informed the employee they would be monitoring them via video camera whilst working from home. In particular, this may undermine a reasonable expectation of privacy over a small area within the home that the employee is working from. Further to this point, the only two case notes where the Commissioner found the employer had breached the collection IPPs were cases where the employer had not informed the employees of their monitoring.90 This potentially leaves open a question of whether these cases would have been decided differently had the employers had a clear privacy policy, meaning the employees could not have had a reasonable expectation of privacy.

89 Office of the Privacy Commissioner “While I’m working at home, can my employer require me to keep my laptop camera on?” Office of the Privacy Commissioner ‘AskUs’ <https://privacy.org.nz/tools/knowledge-base/view/561?t=233661_321552#:~:text=Insisting%20that%20an%20employee%20who,purpose%20(see%20principle%201)>.

90 Case Note 229558, above n 87; and Case Note 289943, above n 88.

Moreover, it appears an employer enforcing video in an employee’s home would not breach IPP 1. Video recording in other circumstances is considered reasonable.91 Whilst in Case Note 289943, the Commissioner found IPP 1 was breached, that case would likely be distinguishable because (a) the employer was recording audio and (b) the employees had a reasonable expectation of privacy due to not knowing about the audio recording.

An employer wishing to video an employee from home may, however, risk collecting personal information of people other than the employee. This would potentially breach IPP 2, which states that agencies must collect information from the individual concerned.92 However, the chance of this risk materialising is low: (a) the non-employee involved generally must consent to the Commissioner’s investigation, which they may not, and (b) the employee must be working in an area of their home where other people are, which an employer may avoid by requesting the employees work away from others in their home.93

Then, an employer in this circumstance that had clearly informed an employee of the video surveillance would likely not breach IPP 1, not breach IPP 3, and may or may not breach IPP 4. In the circumstance where the employer did not adequately inform the employee of the video surveillance the employer would likely breach IPP 3, unless one of the exceptions under the Act applied, and would likely breach IPP 4.

(b) Other monitoring

A final consideration is employers monitoring employees’ computers or work calls whilst they work from home. This appears to be permissible under the Act so long as IPP 3 is not breached, as it is similar to the general monitoring and collecting of keystrokes in Case

91 Extract from a letter by the Privacy Commissioner concerning video surveillance, Office of the Privacy Commissioner, Privacy: New Zealand. A Compilation of materials on the Privacy Act 1993 and the Office of the Privacy Commissioner, vol 2 (February 1994 – December 1994) at 252 – 253.

92 Privacy Act 2020, s 22 IPP 2.

93 Section 74(g).

Note 229558. Arguably, if the employee owns their own computer and internet, this may make monitoring more of an unreasonable intrusion under IPP 4. However, in the above case notes, the Commissioner only explicitly gave heed to employer ownership of property as a factor in the reasonableness assessment in Case Note 32277, and even there it was treated as only one factor of many. On the other hand, while the Commissioner in Case Note 229558 did not explicitly reference employer ownership, this justification was implicit in the acceptance that personal emails attract a high expectation of privacy. This reasoning would likely transfer to employers accessing other personal information, although, as stated above, it may be undermined where the employer has adequately informed the employee of surveillance and thus undercut their expectation of privacy.

Thus, whether employer monitoring of employees’ personal equipment used for work is permissible under the Act is unclear. The answer likely depends on the facts of the case and could be influenced by intuitive factors such as the extent to which the employer is monitoring the employees’ personal equipment outside of work hours, or how much truly personal information the employer is collecting, such as personal emails or personal internet history.

  4. Criticisms

While the Privacy Act at first glance appears promising at upholding employee rights to privacy, in fact it is ineffective.94 The Act may positively shape employers’ actions by making employers “think twice before intruding unreasonably into their employees’ privacy”.95 Even so, in fact only the most egregious cases appear to be resolved in the employee’s favour. I suggest three main criticisms of the regime under the Privacy Act: the “necessity” test under IPP 1 as it has been interpreted is too relaxed; the Privacy Commissioner has had the effect of legitimising invasive practices through prioritising

94 Roth, above n 7, at 37; Britton, above n 34, at 89.

95 Law Commission Invasion of Privacy: Penalties and Remedies – Review of the Law of Privacy Stage 3 (NZLC IP14, 2009) at [12.34].

employer interests and not acknowledging the imbalance of power inherent in the employment relationship; and the harm requirement means employees must wait until harm has accrued before addressing invasive privacy policies.

(a) IPP 1 and the “necessity” test

IPP 1 requires that collection of personal information is necessary for a lawful purpose connected with a function of the agency concerned. As we have seen, the standard of “necessity” in relation to the workplace is quite relaxed.96 This weak approach is mainly because the term “necessary” has been read down to mean “reasonably necessary”. The reason given for this is that using the plain wording of “necessary” would impose too high a standard on agencies.97 While the HRRT in Tan v New Zealand Police used a stricter interpretation of “necessary” for all of the IPPs, that interpretation (a) may not be accepted in relation to IPP 1 because the ruling did not engage with the reasoning in Lehmann, and (b) appears to have been ignored by the Privacy Commissioner who has since explicitly acknowledged the necessity standard is low, stating it is “not a high bar.”98

This relaxed standard is further highlighted by the following case notes not directly on the point of workplace surveillance. In Case Note 2418, the Commissioner found a personality test involving very personal questions that a job applicant was asked to complete was necessary for the purpose because he “could not say in this case that such a test was not necessary”.99 In Case Note 33623, an employer introduced finger-scanning for payroll.100 The complainant argued timesheets and clock cards were sufficient. The Commissioner found IPP 1 was not breached because the company “was of the view that the collection was reasonably necessary to address attendance issues”. In Case Note 16479, an employer

96 Roth, above n 1, at [EPM.3.6].

97 Lehmann v Canwest Radioworks Ltd, above n 63, at [47] and [51].

98 John Edwards, above n 70, at 1.04 minutes.

99 Case Note 2418 [1999] NZPrivCmr (August 1999).

100 Case Note 33623 [2003] NZPrivCmr 5 (1 Feb 2003).

surreptitiously recorded an interview between himself and an employee.101 The Commissioner found the recording was necessary because recording served “a purpose of providing evidence”.

That said, there may be grounds for optimism that the standard of necessity has been strengthened in recent years. Both Case Note 229558, decided in 2012, and Case Note 289943, decided in 2018, found the employer breached IPP 1. However, this ‘trend’ should be treated cautiously. First, in Case Note 229558, the collection of key stroke information, which revealed the employee’s personal passwords, was not a breach of IPP 1. Moreover, the collection of personal emails was not seen as a de facto breach of IPP 1; it was a breach because the number of emails collected went “well beyond” information relevant to the employment investigation. In Case Note 289943 the Commissioner appeared to put the burden on the employer to demonstrate that audio recordings were useful for health and safety; however, again the standard appeared to be that of “reasonable”, rather than a strict interpretation of necessity. Second, in both case notes the level of intrusion was extreme. Arguably the necessity test ought to protect against more than the most extreme cases of invasion of privacy. Third, the trend comprises only two case notes.

Finally, I note that the 2020 Act has altered IPP 1 to include that if the purpose underlying collection “does not require the collection of an individual’s identifying information”, an agency may not require the information. However, this likely will not have the effect of strengthening the requirements under IPP 1 in relation to employee surveillance because the term “identifying information” appears to be targeted at information like people’s names, phone numbers, and addresses, rather than the broader category of personal information that would be collected by monitoring employees.102

This relaxed standard of necessity is cause for concern. First, in all the above Case Notes, the Privacy Commissioner does not systematically analyse whether alternatives were

101 Case Note 16479 [2001] NZPrivCmr 6 (1 June 2001).

102 Office of the Privacy Commissioner “Principle 1 – Purpose for collection of personal information” Office of the Privacy Commissioner < https://www.privacy.org.nz/privacy-act-2020/privacy-principles/1/>; Hon A Little (18 June 2019) 739 NZPD 12056.

reasonably available to the employer. This has led to findings that IPP 1 was not breached in situations where there were practicable alternatives that arguably employers ought to have tried first, before turning to more invasive solutions. For example, in Case Note 0632 it is unclear why cameras in the warehouse itself did not suffice to catch the person stealing from the warehouse. In Case Note 32277 the employer could have first tried to operate cameras at the entrance/exit to the changing rooms. More generally, it is unclear that the extensive monitoring of employees widely practiced today is necessary when there are other ways of tracking production targets, for example by tracking the quantity and quality of the work the employee does. Second, interpreting “necessary” as “reasonable” tends to blur the line between IPP 1 and IPP 4, as they both require an analysis of what is reasonable. In substance this merges two separate information privacy principles, which likely was not Parliament’s intention in separating the IPPs from each other.

(b) The Privacy Commissioner’s broad prioritisation of employer interests and corresponding lack of acknowledgement of the special nature inherent to the employment relationship

  1. Broad prioritisation of employer interests

The Privacy Commissioner is explicitly required to consider, along with other interests, “businesses being able to achieve their objectives efficiently”.103 The creation of the Act itself kept employer interests in mind from the beginning. At the time of enactment, Parliament had a key goal to “not cause a completely negative reaction within the business community” or “completely overturn the way in which legitimate commercial activity proceeded.”104 Paul Roth argues this could be due to the greater political influence of business compared to human rights proponents.105

103 Privacy Act 2020, s 21(a)(ii).

104 Hon P Dunne (1993) 76 NZPD 15211.

105 Roth, above n 6, at 37.

While this duty to balance privacy against the right of businesses to operate efficiently only applies to the Privacy Commissioner, not to the HRRT or appellate courts, most cases do not appeal past the Commissioner.106 While it may be that this policy allows the pragmatic resolution of disputes, it also means the Commissioner tends to allow business efficiency to be a higher trump card than workers’ privacy interests in several instances.107

  2. Lack of acknowledgement of special employment relationships

The implementation of the Privacy Act does not give special consideration to the special nature of the employment relationship where there is often inherent inequality in bargaining power. For example, employers can largely avoid breaching IPP 4 by having a clear privacy policy because it reduces employees’ reasonable expectations of privacy and largely employees will have consented to it. Whilst it is good that employers must clearly communicate their privacy policies, the reliance on the justifications of reasonable expectation and consent is flawed, as explained in the prior chapter. A second example is the lack of clarity on where one is to draw the line between an employee’s personal affairs, which cannot be unreasonably intruded upon, and matters about which an employer is entitled to be concerned.

This approach is problematic because the employee, given the imbalance of power between them and their employer, likely has no say on what that privacy policy contains. Privacy policies can be introduced after an employee has signed an employment agreement, when the employee does not want to risk harming the employment relationship by complaining or risk losing their income by quitting. Moreover, even if the privacy policy was available while signing the employment agreement, due to the reasons canvassed above in the first

106 Note, the Court of Appeal majority in Harder v Proceedings Commissioner CA240/99, 11 May, 17 July 2000 at [23] once commented that s 14(a), although directed to the Privacy Commissioner, implicitly applies to the Tribunal and appellate courts. However, this “wider reading of s 14(a) has never been subsequently adopted” – see Roth, above n 6, at 38.

107 Roth, above n 6, at 38.

Part, it is unclear the employee meaningfully consented. Finally, again as canvassed in the first Part, employees should not have to give up all reasonable expectations of privacy whilst at work.

The Act’s lack of acknowledgement of the employment relationship could be because the Act was primarily aimed at modifying the behaviour of agencies that hold information about individuals.108 A key goal of enactment was to ensure New Zealand was not locked out of trade with the EU as a result of inadequate data protection.109 This implies that issues of employee privacy were not in politicians’ sphere of awareness whilst drafting the Act.

Arguably, the avenues to enforce privacy rights through the employment jurisdiction are sufficient to account for the lack of specific recognition in the privacy jurisdiction of the special nature of the employment relationship. However, first, the Employment Relations Act only applies to employees. Thus, this approach would leave those deemed as independent contractors without an acceptable forum to raise privacy complaints. This is particularly problematic given that the worst cases of egregious employer behaviour can go hand in hand with cases where employees are exploited and fraudulently labelled as contractors. Second, as we shall see, the employment jurisdiction may also be an inadequate forum to protect privacy rights due to a lack of focus on substantively protecting against invasive collection of employee information through surveillance.

(c) Harm requirement

For there to be a privacy interference, substantive harm is required. The following amount to harm under the Act: loss, detriment, damage, or injury;110 adverse effects on rights/benefits/privileges/obligations/interests of individual;111 or “significant humiliation,

108 Roth, above n 1, at [INT3.1].

109 Roth, above n 1, at [INT2].

110 Privacy Act 2020, s 69(2)(b)(i).

111 Section 69(2)(b)(ii).

significant loss of dignity, or significant injury to the feelings of the individual”.112 This is a high standard for harm that arguably does not respect the importance of privacy. On the other hand, this prevents minor complaints clogging up the system and preventing more serious issues being addressed.

A key issue with the requirement for harm to have accrued in the context of employee surveillance is that employees cannot seek help from the Privacy Commissioner in instances where, for example, their employer’s privacy policy appears to allow unjustified intrusions into an employee’s privacy. Instead, they must wait for the harm to accrue, even though an investigation into whether an employer’s privacy policy itself is unacceptable is likely not onerous. This issue is somewhat mitigated by the new requirement for mandatory reporting.113 However, mandatory reporting is restricted to (a) where there are clear privacy breaches, rather than uncertain or possible privacy breaches, and (b) breaches likely to cause serious harm, rather than any harm.

A second, related, issue is that employees need to know that harm has in fact accrued. By illustration, in Case Note 229558, the employee discovered that their keystrokes had been used to access their personal email only because the employer copied and printed several emails to use in the related employment investigation. However, consider a hypothetical example whereby an employee is subject to a privacy policy that allows their employer to access their keystrokes. Now, imagine their employer used the keystroke information to access and read the employee’s personal email. If the employer did not leave a clear trace they had accessed it, the employee would not know the invasive activity had occurred and would not bring a complaint to the Commissioner. This is problematic for two reasons. First, the Privacy Act cannot operate to prevent harm as effectively as it could. Second, the Privacy Act in effect grants employers the option of accessing personal emails because an employee uses a personal password on their work computer. It would be better if the Privacy Act prevented this possibility from occurring.

112 Section 69(2)(b)(iii).

113 See n 83.

A third, related, issue is that because there is a requirement that harm has accrued to someone, employees cannot bring an anonymous complaint to the Commissioner. This is also partly due to the Act’s focus on conciliating disputes. The lack of an anonymous complaint avenue likely prevents employees coming forward with their employer’s potential or actual privacy breaches – they may be afraid of jeopardising their relationship and therefore missing out on benefits like promotions. This could be the case even after someone has left employment – they may want to retain a good reference from their past employer, and fear that antagonising them by bringing a legal complaint would threaten that. This phenomenon appears to in fact occur; one study of litigation under the Privacy Act found that only a minority of cases had no background of pre-existing disputes between the parties.114

C The Employment Relations Act

Since the introduction of the Privacy Act, the employment jurisdiction has increasingly paid heed to the idea that employees can have rights to privacy and protected employees against disclosures of private information.115 Despite this, current protections for employees against worker surveillance under the Employment Relations Act remain insufficient to protect their privacy rights.

In this section, I explain how the Act has been interpreted in relation to worker surveillance thus far, how it will likely be interpreted in the context of employees working from home, and the key flaws the Act has that undermine its ability to protect employees from invasive monitoring.

114 Gehan Gunasekara and Alida Van Klink “Out of the Blue? Is Litigation Under the Privacy Act 1993 Addressed Only at Privacy Grievances?” [2011] CanterLawRw 15; (2011) 17 Canta LR 229

115 Gunasekara, above n 5, at [52].

  1. Fundamentals of the Act

A fundamental implied contractual term in the employment setting is that of mutual trust and confidence.116 An aspect of this is that employers are expected to behave fairly and reasonably.117 The Privacy Act influences what amounts to fair and reasonable behaviour by employers but does not directly apply within the employment jurisdiction.118 However, the Privacy Act’s requirements do “substantially overlap the criteria used by the Court to assess the reasonableness of the policy in question as a matter of employment law”.119

Employee surveillance, then, must not undermine the relationship of trust and confidence and any results of surveillance must be used fairly. Accordingly, an employee can bring a personal grievance if surveillance was a factor in a claimed unjustifiable dismissal or disadvantage,120 because an employer’s actions will be justified if they acted as a fair and reasonable employer would have in the circumstances.121 However, as we shall see, while in theory excessive surveillance may undermine the relationship of trust and confidence, no cases have found worker surveillance alone to cause this. Instead, the focus is on whether information gathered through surveillance is used fairly.

Note that employees can also bring a personal grievance under the Employment Relations Act or HRA for a claim of discrimination resulting from surveillance. Moreover, where a use or disclosure of information gathered through surveillance relates to sexual matters or results in sexual harassment, that may also be the basis of a personal grievance under s 36 ERA. Finally, only those that meet the definition of employees are able to claim recourse under the ERA; independent contractors are excluded.

116 Employment Relations Act, s 60(c)(ii).

117 Auckland Shop Employees IUW v Woolworths (NZ) Ltd [1985] 2 NZLR 372 (CA); Marlborough Harbour Board v Goulden [1985] 2 NZLR 378 (CA)

118 NZ Amalgamated Engineering Printing and Manufacturing Union Inc v Air New Zealand Ltd [2004] NZEmpC 32; (2004) 7 HRNZ 539 (EmpC) at [218], [221]; New Zealand Public Service Assoc Inc v Southland Regional Council [2005] NZEmpC 124; [2005] ERNZ 1008 (EmpC); see also Gordon Anderson and others (eds) Mazengarb’s Employment Law (NZ) (online looseleaf ed, LexisNexis) at [3800.8].

119 Gunasekara, above n 5, at 34.

120 Employment Relations Act, s 103 (a)-(c).

121 Employment Relations Act, s 103A(2).

  2. Collection, use, and disclosure of personal information
In this section I discuss personal grievance claims relating to collection, use, and disclosure of personal information by employee surveillance, dividing these claims into internet and email surveillance and direct surveillance. As we shall see, the successful personal grievance claims are primarily not successful on the basis that an employer should not have collected information through monitoring, but rather on the basis that the employer used or disclosed that information unfairly.

Note that some of these cases are substantive personal grievance claims whilst others are claims asking for an interim reinstatement injunction that would allow the claimant to return to work until the outcome of the substantive case is decided. Interim reinstatement injunctions are a discretionary remedy only granted where there is both an arguable case and the overall justice of the case requires it; they are not substantive judgements.122

(a) Internet and email surveillance

In assessing claims related to internet and email surveillance, the critical element is the employer’s internet and email policy.123 If the employee has breached that policy, that may be justified grounds for dismissal. However, the policy must be communicated to employees prior to their use of the internet.124 Moreover, it must be communicated clearly to the employee, such that there is “no room for any doubt in any employee’s mind”.125

122 X v Y ltd and NZ Stock Exchange [1991] NZEmpC 48; [1992] 1 ERNZ 863 pp872-3.

123 Cliff v Air New Zealand Limited [2006] NZEmpC AC 47/06 at [115].

124 Cliff v Air New Zealand, above n 123, at [136].

125 Bisson v Air New Zealand Ltd, above n 36, at [103].

Finally, the policy itself must be clear. If the policy allows reasonable personal use, the limits of this ought to be clear; “reasonable use” alone is a “vague term”.126

In terms of employee surveillance, the cases implicitly accept an employer’s right to monitor internet and work email use, even where the ‘use’ is for personal reasons and the relevant internet/email policy allows this. The key question is whether the dismissal was a fair response to the internet use. This balancing test includes considerations of whether the employee actually breached the internet policy as they knew it, and the extent of offensiveness of the content accessed.

For example, in Cliff v Air New Zealand Limited, two employees were dismissed for internet use breaching the company policy.127 The Employment Court held this was unjustified because the investigation was flawed and it was accordingly unclear whether the employees did in fact breach the policy. In Clarke v Attorney General, several employees were dismissed for sending offensive messages to each other, unrelated to official business, using their work email.128 The employer claimed the employees breached their email policy that stated work email was to be a tool to be used for business purposes only and that offensive language was not to be used whilst using it, and that the employees learnt of the policy over two days of specific training.129 The Court decided to use their discretion to deny interim reinstatement because the emails were highly offensive; there were hundreds of offensive messages, some of which involved pornography and insults to female employees.130

Finally, in Howe v the Internet Group Ltd, several employees were dismissed for sending emails the employer considered to be offensive and an interference with union negotiations.131 The emails were sent to a private mailing list set up to vent union members’ frustration, and where there was an understanding that ‘anything goes’. Travis J granted both plaintiffs an interim reinstatement, giving mention to the fact the emails were sent to a private mailing list, hosted on a personal computer owned by another employee. However, this was by no means the sole reason given for granting the interim reinstatement. Travis J also mentioned several other reasons without giving particular emphasis to any: there was no email policy or training for the employees on email use; the emails did not undermine the relationship of trust and confidence because they were not offensive viewed in context; and the employer may have been discriminating against union members.

126 Cliff v Air New Zealand, above n 123, at [141].

127 Cliff v Air New Zealand Limited, above n 123, at [2].

128 Clarke v Attorney General WEC 29/97, 4 June 1997.

129 At 606.

130 At 612.

131 Howe v The Internet Group Ltd (IHUG) [1999] NZEmpC 147; [1999] 1 ERNZ 879.

(b) Direct surveillance

In the following cases, it appears to be generally assumed that direct surveillance of employees, no matter how intrusive, is acceptable, whether or not it was done covertly. Where an employer’s conduct is found to breach their duty of good faith by acting unfairly, it is because of how the employer has used the information gathered through surveillance.

In B W Bellis Ltd v Canterbury Hotel, an employer secretly observed an employee, a night cleaner, as she cleaned one night.132 The employer dismissed the cleaner on the basis the schedule of work done she had provided was inaccurate compared with what he had seen. The Court of Appeal held that the dismissal was unjustified. It was procedurally unfair because the employee had been hoodwinked into giving inaccurate written answers to the employer’s inquiry. The employer should have confronted the employee from the outset with what he had observed. However, the Court did not find issue with the fact the employer had observed the cleaner without her knowledge or consent.

In Northern Industrial District v Nathan Distribution Centre, an employer hired an undercover agent to pose as an employee to find out who was stealing employer property.133 The agent implicated one particular employee who was dismissed as a result. The Court held that this was an unjustified dismissal because none of the detailed evidence the undercover agent had gathered was put to the employee for comment. However, the Court did not find issue with the employer’s use of an undercover agent.

132 B W Bellis Ltd v Canterbury Hotel, etc, Employees’ IUW [1985] ACJ 956 (CA).

In Pillay v Rentokil Ltd, an employee resigned because he objected to his employer hiring a private investigator to spy on him, claiming this amounted to constructive dismissal.134 There were two specific incidents of note. First, the employer got the investigator to follow Pillay as he travelled purportedly on the employer’s business. The investigator found a different employee’s car was in Pillay’s driveway during this time. Because of this, the employer suspected Pillay of starting a competing business. Subsequently, the employer hired the investigator to follow Pillay a second time. Pillay noticed he was being followed and found his car had been entered and searched, including his briefcase, located inside the car. Whilst driving, Pillay noticed his employer with the private investigator in a car that was following him. The employer attempted to hide in the car and a “high speed car chase” followed. Pillay then resigned following a meeting.

The Employment Tribunal held the employer’s conduct amounted to constructive unfair dismissal. The first incident was fair and reasonable. The company was entitled to independently check Pillay’s activities during his work hours. Moreover, Mr Pillay did not know about this first incident when he resigned so the actions were “not unreasonable”.135 The second incident, however, “seriously damaged” the relationship of trust and confidence because “what was intended to be clandestine surveillance was easily discovered.”136 The employer wanting to continue to check Mr Pillay’s movements was “not unreasonable”.137 However, the meeting that led to Pillay’s resignation was procedurally unfair. Once Pillay had discovered the surveillance, Pillay was entitled to know the depth of the employer’s suspicions and mistrust such that he could comment. Had the employer disclosed his suspicions and thus explained the reasoning for the clandestine surveillance, the loss of trust and confidence may have been somewhat repaired. This case appears to hold that clandestine, intrusive surveillance is acceptable.

133 Northern Industrial District, etc, Storepersons’, etc IUOW v Nathan Distribution Centre Ltd (1987) 1 NZELC 95,478.

134 Pillay v Rentokill Ltd EMT Auckland AT18/92, 4 March 1992.

135 At 7.

136 At 10.

137 At 10.

In Product Placement 2011 Ltd v Cockburn,138 Ms Cockburn claimed she was unfairly dismissed. Her employer opened a work laptop used by Ms Cockburn and discovered instant messages between a former employee and Ms Cockburn that discussed accessing the employer’s confidential information and setting up a competing business. The messages were from Ms Cockburn’s Facebook account, which had been left open but minimised on the computer. There was further evidence Ms Cockburn had taken confidential files from the employer. Ms Cockburn alleged that her employer breached her privacy by opening and using the contents of her instant messages on her private Facebook account.

The Authority determined that the private messages were admissible evidence and that the contents of the messages amounted to a breach of good faith and fidelity.139 The Authority did not comment negatively on the employer’s accessing of Ms Cockburn’s private messages. The Authority determined that the messages could be admitted into evidence because: the messages were open on the device and were accessible without a password; the messages occurred whilst Ms Cockburn worked for her employer and were likely exchanged using the employer’s work laptop; the use of the exchanges was within the scope of the “conduct of proceedings” exception provided in the Privacy Act as grounds for non-compliance with the Privacy Act’s principles;140 and the Authority has the discretion to “take into account such evidence and information as in equity and good conscience it thinks fit, whether strictly legal evidence or not”.141 Further, excluding the evidence would be inequitable, “given what she said in them”.142

138 Product Placement 2011 Ltd v Cockburn [2014] NZERA Auckland 269.

139 At [14]-[15] and [24].

140 Privacy Act 2020, ss 22 IPP2 (2)(e)(iv) and 22 IPP3 (4)(b)(iv).

Sciascia v Wholesale Cars Direct is the most recent case on direct surveillance.143 Mr Sciascia claimed Wholesale Cars Direct (WCD) breached its good faith obligations by (1) accessing his private digital iCloud account, and (2) installing a number of monitoring applications on his work mobile device, including keystroke loggers, monitoring applications, and a password recorder. The iCloud account was only accessible by password. The Judge found the evidence on both matters was inconclusive.144 With regard to the first claim that WCD accessed Mr Sciascia’s private cloud account, the Judge commented that given the inconclusive evidence, he was “unable to find a breach of good faith by WCD in relation to that matter.”145 The Judge did not comment on whether the second claim of monitoring the mobile phone would have constituted a breach of good faith.

It is unlikely that Sciascia represents a significant departure from previous cases toward enforcing employees’ privacy rights. The Judge did not firmly conclude that had WCD accessed Mr Sciascia’s cloud account, he would have found a breach of good faith solely on this basis. Further, the Judge did not address the seeming irreconcilability between his statement and the position taken in Product Placement v Cockburn. Arguably, this is because the cases are distinguishable on the basis that in this case, the personal account was password protected, whilst in Product Placement v Cockburn, Ms Cockburn had left her personal account unlocked. However, this is a weak argument given both accounts were intended to be password protected; it would be bizarre if the law refused to protect employee privacy solely on the basis of a small forgetful moment in forgetting to close an internet tab. Finally, the Judge does not indicate that monitoring the mobile phone to a high extent, including using applications specifically for reading passwords, would have been a breach.

141 Employment Relations Act, s 160(2).

142 Product Placement 2011 Ltd v Cockburn, above n 138, at [15].

143 Sciascia v Wholesale Cars Direct (2017) Ltd [2020] NZERA 262.

144 At [49], [50].

145 At [50].

Ultimately, these cases demonstrate there is little protection available to employees’ privacy. I note that it is possible that the cases decided before 1993 may be decided differently today, due to a shift toward upholding employee privacy thanks to the Privacy Act.146 However, the latter cases demonstrate that even with this shift, employees’ privacy rights can still be undermined by employer use of intrusive surveillance.

(c) Unauthorised disclosure of personal information

If employers gain personal information relating to their employees, whether by virtue of surveillance or otherwise, they may be acting unjustifiably by disclosing it without authorisation. For example, in L v M, an employer inadvertently outed their homosexual employee, after having promised them confidentiality.147 The employee suffered subsequent harassment at work, felt he had to resign, and moved countries to escape the harassment. The Tribunal held that the harassment at work amounted to sexual harassment and the employee’s resignation amounted to constructive unjustified dismissal.

  3. Surveillance of employees at home
It is uncertain whether the above cases would translate directly to employees working from home, or whether they could be distinguished.

Arguably, the above cases on internet, email, and device surveillance are premised on an implicit acceptance of employer property rights; employers own the internet, email, or mobile phone in question so have the right to monitor how their property is used. In all the cases, a key question is what the employer’s policy was. This amounts to implicit acceptance that employers have the right to set a policy governing internet usage. Further to this point, there is no assessment of the fairness of the employers’ internet policies; presumably this is because employers have ownership rights so can set their policies as they deem fit. Adding further to this is the commendation issued to Air New Zealand by the Employment Authority for establishing internet and email policies, because such policies are “essential to maintain the system’s integrity and the good name of the airline”.148

146 Gunasekara, above n 5, at 52.

147 L v M Ltd EOC 92-617, 14 February 1994.

Thus, many of the above cases may be distinguishable on the basis employees are working from home – they will generally be using their own internet and may be using their own devices. Thus, the justification of employer ownership would not apply. However, where employees use their work emails or their work devices, the above law will likely continue to apply to their use of those items.

On the other hand, arguably because employers pay employees for their time, they have a quasi-ownership over it that similarly justifies monitoring of their activities even where an actual property right disappears.149 For example, in Pillay v Rentokill, the Court did not tie the employer’s ability to monitor the employee to the employer’s property rights – the private investigator followed Mr Pillay in public. However, this reasoning may be distinguishable on the basis that (a) the home is a particularly private space, unlike the public areas Mr Pillay was being monitored in, and (b) Pillay v Rentokill was decided before Parliament flagged the importance of privacy through introducing the Privacy Act.

A second argument may be that where employees choose to look at offensive material at home during work hours, whether or not on a work computer, the harm to other employees of having to see offensive material lowers. This may be another distinguishing factor, although may not always be the case, for example should an employee accidentally share their screen they could still cause harm to others.

148 Bisson v Air New Zealand Ltd, above n 36, at [102].

149 Allerton v Methanex (New Zealand) Ltd, above n 43, at 8.

Thus, whether employer monitoring of employees working from home is permissible under the Act is unclear. If the above cases cannot be distinguished, likely employers can monitor employees working from home to a large extent, including by using video monitoring. Whether the above cases can be distinguished is unclear and, similarly to the analysis under the Privacy Act, likely depends on the facts of the case and, for example, the extent to which an employee is using their own facilities and equipment.

  4. Criticisms
It is clear from the above cases that the Employment Relations Act provides very little incentive for employers to avoid excessively monitoring employees. The key problem with the current approach is that there is little to no evaluation of whether it was acceptable for employers to collect the information they did through surveillance. There is a presumption that employers can collect what information about their employees they like, so long as they use that information in a fair way.

In terms of monitoring internet and email use, courts appear to accept employers’ rights to do this to any extent they like, so long as it is clearly communicated by the relevant policy. While it is good that employers cannot use dense legalese hidden in a dusty textbook somewhere to avoid informing employees of the extent of surveillance, this approach still means employers can be as invasive as they like when an employee may be aware of a policy, but may not agree with it.

In terms of more direct monitoring, it would seem that any information accessed in a manner that invades privacy, like in Cockburn v Product Placement Ltd, can still be admitted as evidence to have its contents assessed, whether or not the employee knew this was possible. Moreover, while in theory excessive surveillance may undermine the relationship of trust and confidence between the employer and employee, no cases have found this to be so. Instead, the focus is on whether information gathered through surveillance is used or disclosed unfairly. While it is important that information gathered through surveillance is used fairly, there should be some upper limit to how much information an employer can collect through surveillance.

Gordon Anderson argues that a more robust approach to good faith could be taken. For example, courts could hold that for an employer to be taken as having acted reasonably, the employer must show that all reasonable alternatives for solving the problem are unsuitable.

D Other Avenues Available to Protect Privacy Rights

There are some other avenues by which employees’ privacy rights are protected: tort, contract law, and the Crimes Act. These are largely ineffective at upholding workers’ rights to privacy from surveillance because they are only viable avenues for workers to take in a small number of cases.

  1. Tort
First, there is the recent tort of public disclosure of private facts.150 However, this would only apply where information collected through surveillance was disclosed. Moreover, it is a high standard to meet as it has only been successfully argued once. Second, there is the tort of unauthorised intrusion upon seclusion.151 This could apply if an employer did not have a policy explaining their intended employee monitoring and they monitored an employee at home, for example videoing. However, this tort does not apply where consent has been obtained, as it usually will be in the case of employee surveillance. Third, tortious claims are likely unaffordable to most employees that are the most likely to be monitored extensively – i.e. low income, low trust workers. Finally, common law and equity obligate employees to owe a duty of trust and confidence over information gained in the course of employment. However, this duty is rarely taken to be owed by employers to employees.152

150 Hosking v Runting, above n 12.

151 C v Holland [2012] NZHC 2155, [2012] 3 NZLR 672.

152 Roth, above n 1, at [EPM.1]; and Dalgleish v Lothian & Borders Police Board, above n 9.

Tortious claims should not be the only avenue workers have to remedy intrusions to their privacy. The process of making a tortious claim is likely unaffordable to most employees, particularly low income workers who are also the most likely to be monitored extensively as those with the largest inequality in bargaining power to prevent excessive monitoring.

  2. Contract

Employees can negotiate greater privacy rights into their contracts. However, due to the unequal bargaining power inherent in the employment relationship, this is rare and practically is only possible for more senior employees with more leverage. Even where workers are part of unions, there are very few collective bargaining agreements that have provision for privacy rights around surveillance; and the few that do tend to be in areas of work that would have less invasive monitoring (i.e. forestry, not office workers).

  3. Crimes Act 1961
Crimes Act 1961 ss 216B and 216C may apply if there is recording of voices. There are also restrictions on surveillance by private investigators hired by employers under the Private Investigators and Security Guards Act, although this is easy for employers to get around.

E Criticisms of the Overall Framework

Overall, the law currently does not adequately protect workers’ rights to privacy from intrusive surveillance by employers. While the current system does well to disincentivise widespread disclosure of information gained through surveillance and unfair punishment as a result of said information, the system does not do well to disincentivise extensive collection of private information. Further critiques to those advanced above are that the law as a whole lacks a systemic focus that prevents issues from arising, and that problems with access to justice are endemic. The implications of these critiques are that the New Zealand system is in clear need of reform to address these endemic issues.
  1. Lack of systemic focus

Both the Privacy Act and the Employment Relations Act are based on a complaints process, which is “necessarily ad hoc and piecemeal”.153 The focus on individual loss necessarily ignores the gradual systemic degradation of employees’ normative rights which can amass.154 For example, as widespread monitoring by employers has become more invasive and common, increasingly it has become the new norm by which ‘unreasonably intrusive’ is judged in the privacy jurisdiction. For example, in Case Note 2418, about whether a personality test was justifiable for a job applicant, the Commissioner made explicit note of the fact that “other agencies used tests with comparable questions”.

It would be better if there was widespread guidance that firmly dictated what types of monitoring are acceptable.

  2. Limited access to justice

There are several problems that limit the ability of workers to get remedies even where their rights have been clearly infringed under the current system. This is significant as New Zealand owes a general right of effective remedy under Article 2(3) of the ICCPR.155

First, under the current system, a solution is not always provided “as quickly or efficiently as it should” be.156 Practically, there is a “significant backlog of cases” in the Privacy Commissioner’s Office and the HRRT, leading to a delay of up to three years from filing to decision date in the HRRT.157 Saying this, the 2020 update to the Act has extended the Privacy Commissioner’s “watchdog mandate”, meaning “privacy complaints can now be much more urgently dealt with and expediently settled”.158 Moreover, employer-related complaints do still make up a significant proportion of privacy-based HRRT claims.159

153 Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 (NZLC R123, 2011) at [6.19].

154 Gunasekara and Singh, above n 58, at 469.

155 International Covenant on Civil and Political Rights, above n 20.

156 Law Commission, above n 153, at [6.19].

157 Taefi and Timmins, above n 21, at 322.

Second, there is a lack of clarity on what the law requires from employers regarding employee surveillance. To find guidance, a layperson must identify the multiple pathways they can take that protect their privacy rights, then identify what the law requires of their employer under these pathways. While they could go to a non-profit like Community Law, the law should be more accessible to laypeople.

Third, as noted above, there is no avenue for anonymous complaint.

F Conclusion

New Zealand’s current law does not sufficiently meet its obligations to protect workers’ rights to privacy from intrusive surveillance because it still broadly prioritises employer interests, despite improvements over the past decades as the right to privacy has become more normatively important. Thus, reform of the law is needed that will better protect workers’ rights to privacy, while balancing that right with employers’ rights to run their businesses efficiently. The next Part investigates what reform would best achieve that balance and remedy the criticisms advanced in this Part.

158 (10 April 2018) 728 NZPD 3114.

159 Gunasekara and Singh, above n 58, at 458.

IV Part Three: Options For Reform

This Part answers how best New Zealand could meet its obligations to protect workers’ rights to privacy in the context of surveillance. I compare New Zealand’s current framework to that in the European Union and Australia. I have chosen these jurisdictions because they are economically and legally relevant to New Zealand and because they have some of the most stringent privacy protections for workers. Both jurisdictions have broad privacy laws that apply to all member states, while some member states have specific legislation addressing worker surveillance. I conclude that the best option for reform would be to follow those states that have enacted specific workplace surveillance legislation that influences how privacy issues related to surveillance are interpreted and addressed across both the privacy and employment jurisdictions.

A European Union

Privacy rights against worker surveillance in the European Union are made up of rights granted by the General Data Protection Regulation (GDPR), the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), and, in some member states, specific legislation addressing workplace privacy.160 This section first analyses both the GDPR and ECHR and finds they have application to worker surveillance that affords workers greater protection than in New Zealand. Second, this section analyses Finland’s Act on the Protection of Privacy in Working Life.161 While there are several EU member states that have specific legislation addressing worker surveillance that enhance the general protections granted by the GDPR and ECHR further, I specifically analyse Finland because it advances worker protections the most.

160 Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1; and European Convention for the Protection of Human Rights and Fundamental Freedoms (4 November 1950) 213 UNTS 221 [ECHR].

161 Laki yksityisyyden suojasta työelämässä 13.8.2004/759 2004 (Finland).

  1. GDPR

The GDPR specifies that personal data must be collected for specified, explicit and legitimate purposes and processed only in a manner that complies with those specified purposes.162 Moreover, the data must be processed fairly and transparently, and even then only if one of several conditions is met.163 These conditions are that the subject gave free consent or that data processing is necessary for: performance of a contract; compliance with legal obligations; performance of a task in the public interest; or the purposes of legitimate interests.164 Employees are not considered to be able to give free consent due to the financial dependence on their employer.165 While the ‘legitimate interests’ purpose appears broad, in practice it has been interpreted strictly as requiring three tests to be met.166 First, the legitimacy test demands the interest is legitimate, specific, and identified; it cannot be vague. Second, the necessity test demands the data processing must be a targeted and proportionate way of achieving the purpose. Monitoring is considered disproportionate if in sensitive areas.167 Third, the balancing test demands that the legitimate interest outweighs the privacy right of the individual at hand.

In practice, this usually means that employers must only collect employees’ personal data through surveillance in limited conditions. Where those conditions are met, the employee must be informed not only of the fact of surveillance but also the purpose of surveillance.

162 Art. 5(1)(b).

163 Art. 5(1)(a).

164 Art. 6(1)(a) and Art. 7(4).

165 Kirstie Ball Electronic Monitoring and Surveillance in the Workplace (Joint Research Centre for European Commission, 2021) at 71.

166 Case C-13/16 Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v. Rīgas pašvaldības SIA ‘Rīgas satiksme’ ECLI:EU:C:2017:43.

167 Kirstie Ball, above n 165, at 71.

  2. ECHR

Article 8 of the ECHR protects the right to respect for private and family life. Workers can appeal domestic court decisions to the European Union Court of Human Rights (EUCHR) if they believe workplace surveillance has unacceptably undermined their right under Art. 8. The essential inquiry is whether the competing considerations of the applicant’s right to respect for his private life and the employer’s right to engage in monitoring to ensure the smooth running of the company have been adequately balanced.168 In deciding whether Art. 8 applies, the Court has held that private communications at work or using work facilities amounts to ‘private life’ that can be interfered with.169 Accordingly, private emails sent from a work email account or instant messages sent on an account created expressly for work are protected by the ECHR. The following elements must be considered when that balancing exercise is undertaken: the scope of monitoring and the degree of intrusion; whether there were less intrusive alternatives available that could have achieved the same goal; to what extent the employee had specific prior notice of the monitoring; and whether there was a legitimate reason that justified the monitoring.170 Notice of monitoring is important because it contributes to what the employees’ reasonable expectation of privacy was – although this factor is not conclusive.171

This more detailed level of interrogation of the employer’s actions has led to greater protection of employee privacy rights. For example, in Barbulescu v Romania, an employee was dismissed for the content of private messages sent over a work Yahoo account set up to communicate with clients. The employee knew that personal use of company resources was prohibited and that monitoring of internet occurred, but not necessarily that the extent of the monitoring was such that his messages could be inspected. The majority of the Grand Chamber of the EUCHR held that the employer breached Article 8. The level of intrusion was high because the conversations were private and because the employer was recording all conversations in real time, including printing out their contents. There was no legitimate reason to justify the monitoring; reasons like the “need to avoid the company’s IT system being damaged, liability being incurred by the company in the event of illegal activities in cyberspace, and the company’s trade secrets being disclosed” were non-specific and could only be seen as theoretical examples because there was no suggestion the applicant had actually exposed the company to any of those risks.172 Moreover, there was no analysis in domestic courts of whether there were less intrusive alternatives, and insufficient analysis of whether the applicant had sufficient notice of the monitoring.

168 Barbulescu v Romania (61496/08) Grand Chamber, ECHR 5 September 2017 at [124].

169 Halford v. The United Kingdom (1997) ECHR 20605/92, 25 June 1997 (ECHR); Copland v. The United Kingdom (2007) ECHR 62617/00, 3 April 2007 (ECHR) at [41]; Barbulescu v Romania, above n 168, at [81].

170 Barbulescu v Romania, above n 168, at [134]-[140].

171 Barbulescu v Romania, above n 168, at [73].

A second example is Antovic and Mirkovic v Montenegro, where the EUCHR held that constant video surveillance of two university professors was a breach of Article 8.173 This was because video surveillance of an employee at their workplace must be seen as a “considerable intrusion into the employee’s private life”, regardless of whether or not it is covert.174 Here, the amphitheatres were where the teachers taught and interacted with students, thus developing relationships and constructing their social identity.

  1. Act on the Protection of Privacy in Working Life

This Act explicitly requires that employers are only allowed to process employees’ personal data if it is “directly necessary” for the employment relationship.175 Consent is no exception. Moreover, where personal data is processed, employers must provide notification in advance. The Act explicitly addresses both email and video surveillance. Employers are only to look at employees’ emails if the message in question clearly belongs to the employer, and if the content is information essential for one of a few tasks, and if the message sender and recipient cannot be contacted.176 Employers are not to use video surveillance in sensitive areas, including spaces designated for employees’ personal use.177 Employers cannot target video surveillance at specific employees unless doing so is essential for preventing violence or for preventing or investigating property crimes, and then only if an essential part of the employees’ work is to handle property of high value.178 Generally, video surveillance must not interfere with privacy of employees more than is strictly necessary for achieving the aim of the measures.179 Finally, video surveillance must be transparent and recordings must be destroyed after one year.180

172 Barbulescu v Romania, above n 168, at [135].

173 Antović and Mirković v. Montenegro, above n 24.

174 At [44].

175 Section 3.

B Australia

Employees have adequate protection from employer surveillance only in Australian states that provide specific legislation. In the rest of the country, privacy protections stem from the Privacy Act 1998 and common law and are generally seen to be inadequate to protect workers from invasive surveillance.181 This section first analyses the Privacy Act 1998 and the common law, then moves to discuss the workplace surveillance Acts found in some states.

  1. Privacy Act
The Act does not generally restrict employee surveillance.182 Employers are exempt from compliance with the Act if the relevant practice is directly related to an employment relationship and relates to an “employee record”.183 Employee records are defined broadly as records of personal information relating to the employment of the employee.184 Moreover, “small business operators” are absolutely exempt from the Act’s requirements.185

176 Chapter 6, ss 18-20.

177 Section 16(1).

178 Section 16(2).

179 Section 17(1)(2).

180 Section 17.

181 Privacy Act 1998 (Australia); and Amanda Pyman, Anne O’Rourke, and Julian Teicher “Information Privacy and Employee Records in Australia: Which Way Forward?” (2008) 34(1) Australian Bulletin of Labour 28 at 46.

182 Normann Witzleb, above n 17, at 133.

  2. Common Law
The Australian common law also does not generally restrict employee surveillance.186 Employees owe their employers a duty to obey all lawful and reasonable commands.187 In practice, that means that surveillance that is somewhat rationally related to protecting an employer from liability under health and safety legislation will generally be reasonable, as will most widespread forms of surveillance.188 While there is a duty of mutual trust and confidence, as in New Zealand, invasions of employee privacy have not been held to undermine that duty as yet.189

  3. Australian Capital Territory and New South Wales surveillance legislation
The NSW Workplace Surveillance Act 2005 and the ACT Workplace Privacy Act 2011 are very comparable, with the most significant difference being that the ACT Act additionally prohibits surveillance in culturally sensitive areas, like prayer rooms.190 The NSW Act applies to employees, which is defined broadly and includes those performing voluntary work.191 The Act applies to those “at work”, which is defined broadly as either being in a workplace or performing work for the employer.192 Where employers do monitor employees they must communicate the details of the surveillance prior to it beginning; where cameras are used they must be clearly visible.193

183 Section 7B(3).

184 Section 4.

185 Sections 6D(1) and (3).

186 Normann Witzleb, above n 17, at 142.

187 R v Darling Island Stevedoring & Lighterage Co Ltd, ex parte Halliday and Sullivan [1938] HCA 44; (1938) 60 CLR 601, Dixon J at 621; Bayley v Osborne (1984) 4 FCR 141.

188 Normann Witzleb, above n 17, at 142.

189 Normann Witzleb, above n 17, at 142.

190 Workplace Surveillance Act 2005 (NSW); and Workplace Privacy Act 2011 (ACT).

191 Section 3.

192 Section 5, note this has been criticised as insufficiently broad as it does not protect employees from surveillance outside of work hours: Normann Witzleb, above n 17, at 142.

Some surveillance is expressly prohibited: if it is in change rooms or bathrooms;194 if it is of work devices outside of work hours, unless the equipment is provided by the employer;195 if it is covert, unless authorised prior to commencement by the covert surveillance authority.196

C Reform in New Zealand

The current patchwork of law available to protect employees is inadequate to protect worker rights against surveillance. The best way to address this would be to follow those countries / states that have enacted specific legislation relating to worker surveillance. A specific Act would create clear standards relating to privacy from worker surveillance that are stricter than those standards generally applying from the Privacy Act. A specific Act would have several benefits. First, it would allow the general standards flowing from the Privacy Act to continue to not “completely overturn the way in which legitimate commercial activity proceeded”, while allowing greater protections for vulnerable actors, namely workers.197 Second, a specific Act would also be much clearer than the current framework because it would set out specific standards relating to worker surveillance. While a new Act may create some uncertainty in the law due to its novelty, uncertainty due to novelty is temporary and well worth it in exchange for laws that better protect workers’ rights to privacy. Third, a specific worker surveillance Act would also be an “expression of the fact that workplace privacy is a public interest” and would therefore act as a signalling mechanism to deter employers putting in place overly intrusive surveillance practices.198 Finally, because an Act would be able to prohibit specific forms of invasive surveillance, it would better prevent system creep of invasive surveillance by employers whereby an invasive practice would otherwise become widespread.

193 Sections 10 and 11.

194 Section 15.

195 Section 16.

196 Sections 19-21.

197 Hon P Dunne, above n 104.

1 Recommended features of a New Zealand Act

This dissertation does not aim to provide a detailed draft for an Act, but rather identifies several features that ought to be present to best achieve the aim of protecting workers’ rights to privacy from invasive surveillance. These features stem from the legislation discussed above and are remedies to criticisms of New Zealand’s current law advanced in Part Two.

First, the Act should apply to all workers, including employees, independent contractors, and volunteers, and apply to employer monitoring of workers at all times, including whilst workers are working and while they are physically at work. The Act should affirm that workers have a right to privacy even whilst working.

Second, the Act should establish general principles of worker surveillance that are stricter than the status quo but still somewhat line up with existing privacy principles under the Privacy Act. This would enable an easy transition of the Act to the privacy and employment jurisdictions, where there is already case law using similar language. The specific principles should be as follows. First, where there is worker surveillance it should be strictly necessary for a legitimate purpose. This requirement should act to enforce a minimum standard of privacy protection for workers whereby there is less ability for employers to monitor workers as they see fit, leaving open a clear risk of abuse. To achieve this, the Act should clearly state that “necessary” should be interpreted strictly and be taken to mean that no reasonable alternatives would have adequately achieved the purpose. Moreover, the purpose should be specific and relate to a material risk. These requirements would ensure that employers are able to monitor workers for legitimate purposes, but only where those purposes justify the intensity of surveillance they are utilizing. Second, where there is worker surveillance, workers should be explicitly informed of the details of surveillance, including the purpose, prior to commencement so that they can complain in advance. If surveillance is covert, it must be authorised by the Privacy Commissioner prior to commencement, unless there is a serious risk of violence or harm, and can only be done in narrow circumstances. This would ensure that covert surveillance is done only where it is truly justified, as validated by the Commissioner, or in situations of real urgency.

198 Normann Witzleb, above n 17, at 146.

Third, the Act should expressly address areas of serious risk of interference with privacy through surveillance. Employers should not be able to look at the content of workers’ communications over work devices or accounts if it is a clearly private email, unless doing so is essential for an investigation or business need. Employers should not be able to enact video surveillance in any sensitive areas, including changing rooms, bathrooms, allocated personal spaces, first-aid areas, and prayer rooms. Employers should not be able to video monitor workers who are working from home. Employers should not be able to monitor any personal devices or accounts belonging to a worker, even if a personal account was accessed using work equipment or facilities. These explicit statements of law would substantially clarify currently murky areas of law that are only understood by looking at cases within the privacy and employment jurisdictions.

Fourth, the Act should operate to influence the interpretation of law both within the privacy and employment jurisdictions, continuing the ability of workers to choose which jurisdiction to enter. In the employment jurisdiction, the Act would influence where worker surveillance would amount to a breach of the required mutual trust and confidence – where the Act is breached, likely so too would mutual trust be breached. In the privacy jurisdiction, the Act would influence the Privacy Commissioner’s interpretation of when information can be collected through surveillance of workers. This framing would address the concern raised that current protections in the employment jurisdiction do not adequately recognise privacy, whilst protections in the privacy jurisdiction do not adequately recognise the special nature of the employment relationship. Saying that, were an Act to apply within existing jurisdictions there may still be some uncertainty in the law due to the overlapping patchwork of law still at play, particularly for laypeople. However, given that there are already established forums for hearing privacy-related disputes in employment, it would realistically only complicate matters to add a third forum. Moreover, the law would, as argued above, even so be substantially clearer due to the specificity of the Act.

Finally, the Act should also increase the watchdog mandate of the Commissioner. To do this, first, the Act should allow anonymous reporting of overly invasive employer policies, without a harm requirement, with a consequence of the Commissioner issuing a compliance notice rather than a penalty. For example, if an employer decided to introduce cameras with audio recording capability, a worker would be able to make a complaint before they were introduced. The Commissioner would then issue a notice to the employer that the policy of using those cameras is a breach of the workplace surveillance Act. This would increase access to justice by allowing workers to remain stable in their relationship with their employer, rather than needing to reveal themselves, when making a complaint. Moreover, this would remove the need for harm to have already accrued, meaning the Privacy Commissioner could more effectively prevent harm from occurring. A compliance notice rather than a penalty should be used to recognise the lack of substantive harm having in fact occurred, and to balance the need for access to justice for vulnerable workers with the need for employers to be treated fairly. Second, the Commissioner should be able to make investigations without a complaint, proactively preventing privacy invasions. Third, the Commissioner should be able to make recommendations to further codify any future clear invasions of privacy. For example, if companies began to use ‘wearables’ in New Zealand to collect health data on workers, the Commissioner could recommend that that practice be codified as prohibited in the Act. This would prevent invasive surveillance practices being normalised simply through widespread use.

V Conclusion

Current legal frameworks governing worker surveillance in New Zealand are profoundly insufficient to protect workers’ rights to privacy. While privacy rights must be balanced with legitimate employer interests, the current framework is reactive and disproportionately gives weight to employer interests. Thus, law reform is required. A specific Act addressing worker surveillance that clearly restricts worker surveillance to where it is strictly necessary for employer interests would best achieve this, while still allowing for employer interests in legitimate circumstances. If government and judicial apathy to protecting workers’ rights to privacy continues, the exploitation of vulnerable actors will only worsen in the decades to come as employers take advantage of technology’s rapidly growing reach to gradually degrade workers’ normative rights to privacy. These conclusions reflect the urgent need for New Zealand to recognise that workers ought to retain their rights to dignity, autonomy, and expression – achieved through protecting their rights to privacy – whilst working. Moreover, they reflect the need for New Zealand to protect against the gradual degradation of human rights generally, particularly in the face of advancing technologies.

Bibliography

  1. Cases
  1. New Zealand

Allerton v Methanex (New Zealand) Ltd [2000] EMC Wellington WC23/00 [2000] NZEmpC 59; 5 NZELC 98,610, 1 ERNZ 242.

Auckland Shop Employees IUW v Woolworths (NZ) Ltd [1985] 2 NZLR 372 (CA).

Bisson v Air New Zealand Ltd ERA Christchurch 98/06, 3 July 2006.

B. W. Bellis Limited v Canterbury Hotel, Hospital, Restaurant, Club and Related Trades Employees Industrial Union of Workers [1985] NZCA 124/84, NZELC (digest) 98,462.

C v Holland [2012] NZHC 2155, [2012] 3 NZLR 672.

Case Note 0632 [1994] NZPrivCmr (August 1994).

Case Note 16479 [2001] NZPrivCmr 6 (1 June 2001).

Case Note 229558 [2012] NZPrivCmr 1 (1 Feb 2012).

Case Note 2418 [1999] NZPrivCmr (August 1999).

Case Note 289943 [2018] NZPrivCmr 5 (1 October 2018).

Case Note 32277 [2003] NZPrivCmr 25 (September 2003).

Case Note 33623 [2003] NZPrivCmr 5 (1 Feb 2003).

Clarke v A-G [1997] NZEmpC 119; [1997] ERNZ 600 (EmpC).

Cliff v Air New Zealand Limited [2006] NZEmpC AC 47/06.

Hammond v Credit Union Baywide [2015] NZHRRT 6, (2015) 10 HRNZ 66.

Harder v Proceedings Commissioner CA240/99, 11 May, 17 July 2000.

Hosking v Runting [2004] NZCA 34; [2005] 1 NZLR 1 (CA).

Howe v The Internet Group Ltd (IHUG) [1999] NZEmpC 147; [1999] 1 ERNZ 879.

L v M Ltd EOC 92-617, 14 February 1994.

Lehmann v Canwest Radioworks Ltd [2006] NZHRRT 35.

Marlborough Harbour Board v Goulden [1985] 2 NZLR 378 (CA).

New Zealand Public Service Assoc Inc v Southland Regional Council [2005] NZEmpC 124; [2005] ERNZ 1008 (EmpC).

Northern Industrial District, etc, Storepersons’, etc IUOW v Nathan Distribution Centre Ltd (1987) 1 NZELC 95,478.

NZ Amalgamated Engineering Printing and Manufacturing Union Inc v Air New Zealand Ltd [2004] NZEmpC 32; (2004) 7 HRNZ 539 (EmpC).

Pillay v Rentokill Ltd EMT Auckland AT18/92, 4 March 1992.

Product Placement 2011 Ltd v Cockburn [2014] NZERA Auckland 169.

Sciascia v Wholesale Cars Direct (2017) Ltd [2020] NZERA 262.

Tan v New Zealand Police [2016] NZHRRT 32 (18 October 2016).

Walen v SkyCity Management (Auckland) Ltd ERA Auckland AA5/06, 13 January 2006.

X v Y Ltd and NZ Stock Exchange [1991] NZEmpC 48; [1992] 1 ERNZ 863.

  1. Australia

R v Darling Island Stevedoring & Lighterage Co Ltd, ex parte Halliday and Sullivan [1938] HCA 44; (1938) 60 CLR 601, Dixon J at 621.

Bayley v Osborne (1984) 4 FCR 141.

  1. European Union

Antović and Mirković v. Montenegro (2017) ECHR 70838/13, 28 November 2017 (ECHR).

Bărbulescu v. Romania (2017) ECHR 61496/08, 05 September 2017 (Grand Chamber).

Case C-13/16 Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v. Rīgas pašvaldības SIA ‘Rīgas satiksme’ ECLI:EU:C:2017:43.

Copland v. The United Kingdom (2007) ECHR 62617/00, 3 April 2007 (ECHR).

Halford v. The United Kingdom (1997) ECHR 20605/92, 25 June 1997 (ECHR).

Niemietz v Germany [1992] ECHR 80; (1992) 16 EHRR 97 (ECHR).

  1. United Kingdom

Dalgleish v Lothian & Borders Police Board [1991] IRLR 42.

Hedley Byrne & Co Ltd v Heller & Partners Ltd [1963] UKHL 4; [1964] AC 465 (HL).

  1. Legislation
  1. New Zealand
Crimes Act 1961.

Employment Relations Act 2000.

Health and Safety at Work Act 2015.

Holidays Act 2003.

Human Rights Act 1993.

Minimum Wage Act 1983.

Privacy Act 1993.

Privacy Act 2020.

Treaty of Waitangi Act 1975.

  1. Australia
Privacy Act 1998.

Workplace Privacy Act 2011 (ACT).

Workplace Surveillance Act 2005 (NSW).

  1. European Union
European Convention for the Protection of Human Rights and Fundamental Freedoms (4 November 1950) 213 UNTS 221 [ECHR].

Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1.

  1. Finland
Laki yksityisyyden suojasta työelämässä 13.8.2004/759 2004 (Finland).

  1. Treaties

International Covenant on Civil and Political Rights GA Res 2200A (XXI) (1966).

Universal Declaration of Human Rights GA Res 217A (1948).

  1. Books and Chapters in Books

Anita Allen Uneasy Access: Privacy for Women in a Free Society (Random and Littlefield, Totowa, 1988) at 16.

Beate Roessler New Ways of Thinking About Privacy (translated by R D V Glasgow) in John S Dryzek, Bonnie Honig and Anne Phillips (eds), The Oxford Handbook of Political Theory (Oxford University Press: Oxford, 2006).

Beate Rössler The Value of Privacy (Polity, Cambridge, 2005).

Clara Fritsch “Data Processing in Employment Relations; Impacts of the European General Data Protection Regulation Focusing on the Data Protection Officer at the Worksite” in Serge Gutwirth, Ronald Leenes, Paul de Hert (eds) Reforming European Data Protection Law (Springer, 2015) 147.

Colin Gavaghan, Alistair Knott, James Maclaurin The Impact of Artificial Intelligence on Jobs and Work in New Zealand: Final Report on Phase 2 of the Artificial intelligence and Law in New Zealand Project (1st ed, University of Otago, Dunedin, 2021).

Graeme Laurie Genetic Privacy: A challenge to medico-legal norms (Cambridge University Press, Cambridge, 2002).

Normann Witzleb “Employee Monitoring and Surveillance under Australian Law: The Need for Workplace Privacy Legislation” in Dieter Dörr and Russell L. Weaver (eds) Perspectives on Privacy: Increasing Regulation in the USA, Canada, Australia and European Countries (De Gruyter, 2014) 126.

  1. Journal Articles
Andy Hodder “New Technology, Work and Employment in the era of COVID‐19: reflecting on legacies of research” (2020) 35(3) New Technology, Work and Employment 262.

Ani Bennett and Shelley Kopu “Applying the duty of good faith in practice, in a way consistent with Te Ao Māori, Treaty and employment law obligations” [2020] ELB 114.

Antonio Aloisi and Valerio De Stefano “Essential jobs, remote work and digital surveillance: Addressing the COVID-19 pandemic panopticon” (2022) 161(2) International Labour Review 291.

Amanda Pyman, Anne O’Rourke, and Julian Teicher “Information Privacy and Employee Records in Australia: Which Way Forward?” (2008) 34(1) Australian Bulletin of Labour 28.

Chris Hunt and Corinn Bell “Employer Monitoring of Employee Online Activities outside the Workplace: Not Taking Privacy Seriously” (2015) 18(2) Canadian Labour and Employment Law Journal 411.

Daniel J Solove “‘I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy” (2007) 44 San Diego L Rev 745.

Dan Michaluk “The Other Side of the Balance: Employer Interests, Work Systems and R. v. Cole” (2015) 18(2) Canadian Labour and Employment Journal 459.

Dawn Duncan “COVID-19 and Labour Law: New Zealand” (2020) 13(1) Italian Labour Law e-Journal 1.

Emma Phillips “The Changing Dimensions of Privacy in the Workplace: Legal Rights and Labour Realities” (2015) 18(2) Canadian Labour and Employment Law Journal 467.

Gehan Gunasekara "Making a difference?: The 'Privacy Act' and employment relationship problems in New Zealand" (2018) 28 NZULR 25.

Gehan Gunasekara and Alan Toy “Principles or Rules: The Place of Information Privacy Law” (2011) 24 NZULR 525.

Gehan Gunasekara and Alida Van Klink “Out of the Blue? Is Litigation Under the Privacy Act 1993 Addressed Only at Privacy Grievances?” [2011] CanterLawRw 15; (2011) 17 Canta LR 229.

Gehan Gunasekara and Niveet Singh “Upping the Ante: New Actors and the Evolving Nature of Privacy Act Jurisprudence in New Zealand” (2017) 48 VUWLR 441.

Gordon Anderson "Labour law under stress some thoughts on Covid-19 and the future of the labour law" (2020) 45(2) NZJER 33.

Gordon Anderson “Realising Parliament’s vision for good faith” (2020) ELB 117.

Isabel Ebert, Isabelle Wildhaber, Jeremias Adams-Prassl "Big Data in the workplace: Privacy Due Diligence as a human rights-based approach to employee privacy protection" (2021) 8 Big Data & Society 1.

Jairo R. Villalobos "Laboring Towards New Privacy Protections In The Workplace" (2022) 67 Washington University Journal of Law & Policy 46.

Kathryn Dalziel “Workplace surveillance and privacy – what’s happening in New Zealand and Europe?” (2017) ELB 102.

Karen Eltis "The Emerging American Approach to E-Mail Privacy in the Workplace: Its Influence on Developing Case law in Canada and Israel: Should Others Follow Suit? " (2003) 56 Mcgill LJ 289.

Karin Mika “Privacy in the Workplace: Are Collective Bargaining Agreements a Place to Start Formulating More Uniform Standards?” (2012) 49(2) Willamette Law Review 251.

Lisa Smith-Butler “Workplace Privacy: We'll be Watching You” (2009) 35(1) Ohio Northern University Law Review 53.

Matthew W. Finkin “Privacy: Its Constitution and Vicissitudes – A Half-Century on” (2015) 18(2) Canadian Labour and Employment Law Journal 349.

Milton Heumann, Lance Cassak, Esther Kang, Thomas Twitchell "Privacy and Surveillance Public Attitudes on Cameras on the Street, in the Home, and in the Workplace" (2016) 14 Rutgers Journal of Law and Public Policy 37.

Natalie Coates “The Recognition of Tikanga in the Common Law of New Zealand” [2014] NZSC 108; (2015) 1 NZLR 1.

Paul M. Secunda "Privatizing workplace privacy." (2012) 88(1) NDLR 277.

Paul Roth "Privacy Law Reform in New Zealand: Will it Touch the Workplace?" (2016) 41(2) NZJER 36.

Paul Roth “Surveillance Cameras in the Workplace” (2002) 4 ELB 54.

Rebecca Britton “An employer’s right to pry” [2006] CanterLawRw 3; (2006) 12 Canta LR 65.

Samuel D Warren and Louis D Brandeis “The Right to Privacy” (1890) 4 Harv L Rev 193.

Stephen Blumenfeld, Gordon Anderson, and Val. Hooper "Covid-19 and Employee Surveillance" (2020) 45(2) NZJER 42.

  1. Parliamentary and Government Materials
(10 April 2018) 728 NZPD 3114.

(18 June 2019) 739 NZPD 12056.

Hon P Dunne (1993) 76 NZPD 15211.

Law Commission A Conceptual Approach to Privacy (NZLC MP19, 2007).

Law Commission Invasion of Privacy: Penalties and Remedies – Review of the Law of Privacy Stage 3 (NZLC IP14, 2009).

Law Commission Privacy Concepts and Issues – Review of the Law of Privacy Stage 1 (NZLC SP19, 2008).

Law Commission Review of the Privacy Act 1993 – Review of the Law of Privacy Stage 4 (NZLC R123, 2011).

Waitangi Tribunal Report on the Crown’s Foreshore and Seabed Policy (Wai 1071, 2004).

  1. Reports

Frank Hendrickx Protection of workers’ personal data: General principles. ILO Working Paper 62 (International Labour Organisation, 2022).

Kirstie Ball Electronic Monitoring and Surveillance in the Workplace (Joint Research Centre for European Commission, 2021).

New Zealand Productivity Commission New Zealand, technology and productivity – Technological change and the future of work, Draft report 1 (New Zealand Productivity Commission, 2019).

Troy Henderson, Tom Swann, Jim Stanford Under the Employer’s Eye: Electronic Monitoring and Surveillance in Australian Workplaces (Centre for Future Work at the Australia Institute, November 2018).

  1. Dissertations
Hayley Miller "Technology in the Workplace and Employee Privacy" (LLB (Hons) Dissertation, University of Otago, 1998).

  1. Internet Resources
Annie Palmer “How Amazon keeps a close eye on employee activism to head off unions” (4 October 2020) CNBC <https://www.cnbc.com/2020/10/24/how-amazon-prevents-unions-by-surveilling-employee-activism.html>.

Dr Carwyn Jones, Joanna Hayward, Matatapu PJ Devonshire “Tikanga Māori and Privacy: reflections from the High Court review of decisions about Māori Covid-19 vaccination data” (20 May 2022) The Office of the Privacy Commissioner <https://www.youtube.com/watch?v=Fzbe9pw-2hU>.

Emma Hatton “Employee surveillance software sales surge in lockdown” (6 June 2020) RNZ (Radio New Zealand) <https://www.rnz.co.nz/news/national/418055/employee-surveillance-software-sales-surge-in-lockdown>.

Hayley Peterson “Whole foods tracks unionization risk with heat map.” (20 April 2020) Business Insider <https://www.businessinsider.com/whole-foods-tracks-unionization-risk-with-heat-map-2020-1>.

John Edwards, Privacy Commissioner “Kensington Swan Privacy in Employment: Surveillance” (13 September 2018) The Office of the Privacy Commissioner <https://www.youtube.com/watch?v=Hi9xoD-rHVI>.

Maggie Astor “Microchip implants for employees? One company says yes.” (25 July 2017) The New York Times <https://www.nytimes.com/2017/07/25/technology/microchips-wisconsin-company-employees.html>.

Office of the Privacy Commissioner “Principle 1 – Purpose for collection of personal information” Office of the Privacy Commissioner <https://www.privacy.org.nz/privacy-act-2020/privacy-principles/1/>.

Office of the Privacy Commissioner “While I’m working at home, can my employer require me to keep my laptop camera on?” Office of the Privacy Commissioner ‘AskUs’ <https://privacy.org.nz/tools/knowledge-base/view/561?t=233661_321552#:~:text=Insisting%20that%20an%20employee%20who,purpose%20(see%20principle%201)>.

Saima Akhtar “Employers’ new tools to surveil and monitor workers are historically rooted” The Washington Post <https://www.washingtonpost.com/outlook/2021/05/06/employers-new-tools-surveil-monitor-workers-are-historically-rooted/>.

Val Hooper, Gordon Anderson, Stephen Blumenfeld “A question of trust: should bosses be able to spy on workers, even when they work from home?” (16 June 2020) The Conversation <https://theconversation.com/a-question-of-trust-should-bosses-be-able-to-spy-on-workerseven-when-they-work-from-home-140623>.

  1. Other Resources
  1. Conferences
Kathryn Dalziel, John Edwards, Annabel Forham "Privacy and Access to Information" (paper presented to New Zealand Law Society Employment Law: "Justice at Work?" Conference, Wellington, 2020) 269.

Nura Taefi, Michael Timmins "Taking Proceedings in the Human Rights Review Tribunal" (paper presented to New Zealand Law Society Employment Law: "Justice at Work?" Conference, Wellington, 2020) 311.

  1. Looseleaf / Online Commentary
Gordon Anderson and others (eds) Mazengarb’s Employment Law (NZ) (online looseleaf ed, LexisNexis).

Paul Roth (ed) Privacy Law and Practice (online looseleaf ed, LexisNexis) at [EPM.1].

  1. Submissions to Select Committees
Australian Council of Trade Unions “Fixing the On-demand Economy and Other Insecure Work. Submission to the Inquiry into the Victorian On-demand Workforce 2019” ACTU Document No. 6/2019.

New Zealand Council of Trade Unions “Submission of the New Zealand Council of Trade Unions Te Kauae Kaimahi, New Zealand Public Service Association Te Pūkenga Here Tikanga Mahi (PSA), E tū and the New Zealand Nurses Organisation to the Justice Committee on the Privacy Bill 2018”.

The Australia Institute “Workplace surveillance – submission to the Select Committee on the Impact of Technological Change on the Future of Work” (August 2020).

  1. Other
Extract from a letter by the Privacy Commissioner concerning video surveillance, Office of the Privacy Commissioner, Privacy: New Zealand. A Compilation of materials on the Privacy Act 1993 and the Office of the Privacy Commissioner, vol 2 (February 1994 – December 1994).


URL: http://www.nzlii.org/nz/journals/UOtaLawTD/2022/5.html