What is private and confidential when it comes to employee information on work devices?
With the increased reliance of businesses on technology to support their operations, an interesting question is raised of: what rights does an employer have to view private information stored on company systems by employees?
Increasingly employers are seeking advice regarding their rights to review an employee’s content information that has been stored on the company systems, with the majority of business IT or Computer Use Policies providing no clear guidance. With more employees than ever now either having dedicated devices (including laptops, cell phones, tablets or desktops) the line between what is business use and private use is becoming more and more blurred.
Where an employee is provided with a company cell phone, unless the policy specifically states that it is for business use only, it would be custom and practice that the employee could also use this as their personal device and that this would then hold data on personal contacts, private photos and important documents or events/activities. Given the connectivity between devices, this data could soon (without prompting by the employee) find its way onto the company’s internal IT systems.
So, does an employer have a right to view this information – and if so, in finding inappropriate materials, what rights does the employer have to take disciplinary action?
This question was recently put to the Employment Relations Authority in the case of Rayman and R&E Electrical Limited [2023] NZERA 10.
Rayman was employed by R&E as a DVS Installer and, to enable him to complete his duties and responsibilities aligned to his position, he was provided with a company iPad which had its own sim card. While assisting R&E to set up the device, Rayman suggested to the company owner that he use his own Apple ID as he already had a personal iPhone. However, neither Rayman nor R&E realised at the time that linking his personal Apple ID with the iPad, would sync the devices thereby sharing the data from the iPhone to the iPad.
A dispute arose between Rayman and R&E, on a totally unrelated matter, resulting in Rayman leaving his work van at the company premises while he took some time off. In leaving the vehicle Rayman also left the company iPad on the front seat. While absent, R&E had genuine reason to access the iPad, including clicking on the photo app to check for photos of work jobs, house plans, measurements, and job locations. In doing so they inadvertently discovered videos and photos of what appeared to be marijuana, drug related paraphernalia – including drug scales and a bong, a firearm and significant sums of money.
After getting over the initial shock of what they had viewed, and seeking advice, they locked the device so that content could not be viewed by others. R&E believed that they had grounds to request Rayman to attend a formal disciplinary matter with respect to the images that had been stored on the company systems and therefore requested him to attend a meeting to reply to the allegations. Rayman however resigned from his employment, raising a personal grievance for constructive dismissal, alleging the company had breached his privacy by accessing his personal information.
The ERA, in investigating the matter determined that R&E had not required Rayman to link his personal iPhone with the company iPad and therefore they were not liable for the fact that, in Rayman offering to do this himself, his personal data was then synced with the company systems.
The ERA also noted that Rayman’s employment agreement contained a provision that stated that “there were no expectations of privacy which included anything new that may have been subsequently added to the device”. In reviewing R&E’s actions upon discovering the personal data, the ERA noted that they immediately sought to lock the device to prevent the images from being available to other workers.
In considering the constructive dismissal claim, the ERA noted that Rayman elected not to attend this meeting (given his resignation) and believed that his refusal to attend prevented him from pleading his case that it was an innocent action in sharing the data across the devices as he did not know that this would occur through the common Apple ID. The ERA deemed that, had he provided this response, the employer may well have accepted this as a genuine error with disciplinary actions being unlikely. The ERA also accepted R&E’s position that they were not ‘trawling’ through Rayman’s personal content and that anyone with access to the device’s four-digit pin number could reasonably have stumbled across this information.
Rayman’s claims were therefore dismissed with his personal grievance being unsuccessful.
The Case highlights that, as well as having the appropriate wording in the IEA and Computer Use Policy, the employer’s obligations to act responsibly when accessing a device used by an employee cannot be underestimated. The Case also reinforces that, if personal information of an inappropriate nature is located on a company device, the employer does have rights to address this, ensuring that this is undertaken in a procedurally fair manner.
If this Case raises questions for you with respect to the completeness of your IEA Computer Use clauses or policies, or you have concerns regarding the storage of employees’ personal content on your business systems, please feel free to contact us for advice.