Commentary
Threshold for sensitive information
- This decision asserts that in order for information to indicate a person’s sexual preferences or practices or philosophical beliefs, the information must contain a clear theme, unique characteristic, or at least suggest to the average reasonable person looking at the information a specific sexual preference or practice or philosophical belief.
- In this complaint, Mr Kerig alleged that an amateur video depicting a woman in the shallows on a secluded beach with some sexualised movements indicated his sexual preferences or practices (that it is “natural and pleasing to be naked on the beach”) and his philosophical beliefs (“freedom to enjoy nature and one’s sexuality”). VCAT held that the video did not indicate either of these because there was nothing remarkable about the contents of the video to indicate either his or the person in the video’s specific sexual preferences or philosophical beliefs to the average reasonable person.
Individuals as respondents
- In this complaint, Mr Kerig attempted to add the Victoria University’s employee as a second respondent. VCAT ultimately decided to strike out this motion on the basis that Mr Kerig did not make any particular claims against the employee. Unfortunately, VCAT did not go into substantive reasoning on whether and in what circumstances (if at all) an employee could be a respondent to a complaint.
- In our view, it is unlikely that employees could be liable for a contravention of the IPPs. This is because s 13 of the Privacy and Data Protection Act 2014 (Vic.) (PDP Act) places the requirement to comply with the IPPs on either specific office holders (e.g., Ministers) or on Victorian government entities. This is further supported by s 118 of the PDP Act which attributes acts and practices of employees and agents to their respective Victorian public sector organisation (except in circumstances where the organisation takes reasonable precautions and exercises due diligence to avoid the act or practice being done by their agent or employee).
Facts and decision
- Mr Kerig was employed by Victoria University as a Loans Officer and issued a computer to carry out his work.
- Whilst Mr Kerig was on leave, another university employee attempted to use the work computer but was unable to and notified a supervisor.
- Victoria University staff investigated and discovered that Mr Kerig had breached various internal policies and terminated his employment on the basis that:
- Mr Kerig had reconfigured the computer in a way that was not permitted by Victoria University’s IT policies;
- the computer held a substantial volume of personal files, in excess of what Victoria University considered reasonable private use; and
- some of these files contained sexual content.
IPP 1.1 – Collection must be necessary for organisation’s functions or activities
Submissions
- Mr Kerig alleged that the function or activity of Victoria University was providing education services. The collection by Victoria University of his personal information from the computer was not necessary to achieve this function and therefore contravened IPP 1.1.
- Victoria University contended that, as an employer, the function or activity they were carrying out was administering employment, which included ensuring employees complied with the Victoria University’s internal policies. The collection of Mr Kerig’s personal information was necessary to achieve this purpose (and therefore authorised under IPP 1.1) because they had been notified of a possible breach of internal policies, investigated, and discovered evidence to support that there had been such a breach.
Decision
- VCAT held that the collection was authorised under IPP 1.1:
- The ‘function or activity’ Victoria University was carrying out was investigating employee compliance with internal policies. VCAT explained that this characterisation was in line with other decisions which had recognised that “one of the functions of an employer must be to conduct investigations into allegations of misconduct.” (See case notes on Jurecek v Director Transport Safety Victoria [2016] VSC 285 and Jurecek v Director, Transport Safety Victoria [2015] VCAT 253; and Kaliszewski v Department of Justice and Community Safety [2020] VCAT 27).
- The collection of Mr Kerig’s personal information from the computer was ‘reasonably necessary’ to achieve this function because Victoria University could not assess Mr Kerig’s compliance with the University’s internal policies without access to the computer’s files.
IPP 1.2 – Method of collection must be lawful, fair, and not unreasonably intrusive
Submissions
- Mr Kerig alleged that the collection was unlawful because Victoria University did not comply with its own internal policies when it collected his personal information from the computer. Victoria University’s IT Audit Procedure stated that only Victoria University’s IT department could carry out an audit of Victoria University’s equipment such as the computer, but the personal information had been collected by the HR department.
- Victoria University contended that the collection was not unlawful because the IT Audit Procedure evidenced that they had the right to inspect and audit the contents of the computer.
Decision
- VCAT held that the collection was not unlawful, agreeing with Victoria University’s position.
IPP 1.2 – Method of collection must be lawful, fair, and not unreasonably intrusive
Submissions
- Mr Kerig alleged that the collection was unfair because of the “unreasonably hasty and severe fashion” that Victoria University acted in, given that there was another computer in his department that was misconfigured that had not been investigated and that there had been no other instances of computers being removed for inspection in the way that his had been.
Decision
- VCAT interpreted the term ‘unfair’ to mean “unjust, inequitable, or discriminatory.” VCAT then went on to hold that the collection was not unfair, largely because Mr Kerig had not provided any evidence to demonstrate that the Victoria University’s conduct amounted to any of these criteria.
- A component of Mr Kerig’s assertions (and a recurring theme throughout the decision) was a fractious working relationship between him and Victoria University, particularly his immediate supervisor. In deciding that Victoria University’s conduct was not unfair, VCAT instead had close regard to the content of Victoria University’s IT and HR policy documents, and the expectations around monitoring and enforcement they reasonably created.
IPP 2.1 – Use and disclosure
Submissions and decision
- Mr Kerig alleged that Victoria University used or disclosed his personal information for purposes other than the primary purpose of collection, being to administer his employment, when several people gathered around his computer to look at his personal information.
- Victoria University contended, and VCAT agreed, that there had been no interference with IPP 2.1 because the group of people who had looked at Mr Kerig’s personal information included relevant members of Victoria University’s IT and HR departments, each of which had a role to play in assessing the misconfiguration and files on the computer against the Victoria University’s internal policies.
IPP 3.1 (Data quality) and IPP 4.1 (Data security)
Submissions
- Mr Kerig alleged that Victoria University did not take any steps to protect his personal information when they collected it from his computer and therefore Victoria University could not claim that it was accurate when using it as part of its disciplinary process.
- Victoria University contended that it had complied with IPP 3.1 and 4.1 and referred to a number of internal policies it had in place relating to the privacy and security.
Decision
- VCAT held that there had not been an interference with IPP 3.1 or 4.1 because Victoria University had relevant internal policies in place relating to the privacy and security of personal information.
- VCAT noted that whilst Victoria University was not able to prove that it had applied these internal policies to Mr Kerig’s personal information, this, without evidence by the Mr Kerig showing that Victoria University had not applied those internal policies, was not enough for a finding that an interference had occurred. VCAT noted that it is for the complainant to prove, on the balance of probabilities, that the IPP has been breached.
IPP 5.1 – Privacy Policy
Submissions
- Mr Kerig alleged that Victoria University had no document or policy clearly outlining what expectations employees would have in relation to their privacy when using work computers for personal matters.
Decision
- VCAT held that there was no interference with IPP 5.1 because Victoria University had a Privacy Policy and that Mr Kerig was aware of the existence of it as he acknowledged under cross-examination.
IPP 10 – Collection of sensitive information
Submissions
- Mr Kerig alleged that Victoria University collected his sensitive information in contravention of IPP 10.1, being:
- a video – which was a short, three minute amateur film of a woman in the shallows on a secluded beach with some sexualised movements. Mr Kerig contended that this depicted his sexual preferences or practices (“that it natural and pleasing to be naked on the beach”) and his philosophical beliefs (“freedom to enjoy nature and one’s sexuality”).
- photographs – which comprised of professional photos of various males and females in mostly unclothed poses as well as photographs of Mr Kerig and a female partner engaged in a sexual act, which Mr Kerig alleged depicted his sexual preferences or practices as a heterosexual male.
Decision
- VCAT held that Victoria University had not interfered with IPP 10.1 because neither of these contained Mr Kerig’s sensitive information:
- the video – VCAT found that the contents of the video did not indicate Mr Kerig’s sexual preferences or practices because the video was rather “unremarkable to the extent that it might be appreciated by more than a heterosexual male… For example, were the video found on the computer of the woman featured in the video, it is unlikely that it would be construed as disclosing her sexual preferences.” Similarly, VCAT found that the video did not disclose Mr Kerig’s philosophical beliefs because there was no clear theme in the video that would suggest to the average reasonable person that Mr Kerig was a person who held any particular philosophical belief.
- the photographs – VCAT found that the photographs of various males and females did not indicate Mr Kerig’s sexual preferences or practice because their “attraction could not be considered by any reasonable person to be limited to only a heterosexual male.” VCAT found that the photographs that Mr Kerig alleged depicted himself and a female partner engaged in a sexual act were not clear enough to identify Mr Kerig’s identity (and therefore, it appears, not personal information – although this aspect is not clearly articulated in the decision).