Tech Suite | Employee privacy considerations: Policies and practices
Description
In this episode, Corporate and Commercial Senior Associate Suzy McMillan is joined by Employment Partner, June Hardacre to discuss employee and workplace privacy considerations.
Suzy and June discuss key policies and practices organisations should consider implementing to ensure compliance with their privacy obligations in relation to the collection, treatment, and protection of employee information, and outline how this may differ from customer focused privacy compliance.
[01:21 ] Suzy begins by noting that all New Zealand employers are subject to and must comply with the Privacy Act 2020 (Privacy Act) in relation to any personal information which they collect about or from their employees. She asks June what privacy practices and policies employers should have in place to protect this type of information and how these may differ from other privacy policies the organisation may have in place.
[02:37 ] June observes that the enduring nature of the employment relationship results in a large amount of employee data being collected by employers, and it is fundamental that employers are transparent with their collection and use of this data to comply with their obligations under the Privacy Act. The employer’s proposed uses of employee personal information will also influence whether a separate employee privacy policy is necessary in the circumstances.
[05:20 ] Suzy and June consider how an employer should deal with the information of prospective employees received during the recruitment process. June states that it may not be necessary to have a separate privacy policy to deal with this particular situation so long as it is covered under existing company privacy policies
[07:44 ] June asks Suzy what IT systems employee data is typically held on and how organisations can ensure that these systems satisfy the IPP 5 requirements of the Privacy Act. Suzy notes that to comply with IPP 5 requirements, it is important for employers to ensure that the security levels of any procured IT system are reasonable in the circumstances, given the sensitive and valuable nature of employee data that might be stored on it.
[10:10 ] June outlines, from a non-technical perspective, what employers should do to prevent employee information being mishandled, noting how this might differ from other general safeguards that are put in place when protecting personal information.
[12:22 ] They then consider the balancing act required by employers in relation to the retention of employee information, against an employer’s obligations under IPP 9 of the Privacy Act to ensure that information is not kept for longer than is lawfully required.
[16:37 ] June and Suzy discuss the increasing workplace trend of employers collecting more sensitive employee data for the purposes of analysing and reporting on workplace diversity and inclusion and how this trend fits within principles of data minimisation. June suggests three guiding principles in this situation: understanding the need for the information, considering anonymous collection, and making employee response optional. She also recommends that a specific employee privacy policy may need to be put in place for the collection and use of this type of information.
[20:08 ] Suzy and June conclude the episode, considering the employee privacy implications of surveillance and artificial intelligence use in the workplace.
Information in this episode is accurate as at the date of recording, 15 July 2024.
For show notes and additional resources visit minterellison.co.nz/podcasts