Andrew Sutherland and Gordon Hughes of Davies Collison Cave provide a round-up of some cases in Australia.
On 28 April 2020, the Victorian Civil and Administrative Tribunal ruled that a university had not infringed the Privacy and Data Protection Act 2014 (Vic) when it collected images with sexual content from an employee’s computer, resulting in a disciplinary process leading to the employee’s dismissal: Kerig v Victoria University  VCAT 469. The images were discovered by the university during an investigation into technical issues with the computer. The complainant alleged breaches by the university of Information Privacy Principles 1 (Collection), 2 (Use and Disclosure), 3 (Data Quality), 4 (Data Security), 5 (Openness) and 10 (Sensitive Information). The Tribunal considered that the collection of the images by the university was necessary in order to ensure that the operator was complying with university policies. The complainant was aware of the university’s policies in relation to personal use of computers. The investigation fell within the scope of the university’s IT Audit Policy which permitted an investigation of alleged breaches by a staff member, provided the investigation was fair and reasonable, and compliant with all relevant law, including the Privacy and Data Protection Act.
In other news, they write:
NSW private member’s bill seeks to expand NSW privacy legislation
On 18 June 2020, the New South Wales Shadow Attorney-General, P.G Lynch MP, tabled a private member’s bill in the New South Wales Legislative Assembly. The object of the Privacy and Personal Information Protection Amendment (Service Providers) Bill 2020 is to amend the Privacy and Personal Information Protection Act 1998 (NSW) to extend its application to a person or body which provides services for or on behalf of a public sector agency, or which receives funding from a public sector agency in connection with providing services, if that person is prescribed by the regulations under the Act. At present, the Act extends to private sector entities only if they provide “data services” (that is, services “relating to the collection, processing, disclosure or use of personal information”). The Bill will lapse in accordance with standing Orders on 17 December 2020.
Read their other case summaries on Lexology.