Employee Privacy Violations

By Tyler W

August 01, 2024

Employee Privacy Violations

There was a recent case that illustrates the power and discipline that the OAIC can exert over those that run afoul of the Privacy Act. To provide a spoiler, the Commissioner found in favour of the complainant in this instance.

The facts of the case essentially boil down to:

1. The employer runs a business with 3,000 employees, of which the complainant was an employee.
2. The employee / complainant had a medical episode, in front of several employees in the carpark, and had to be taken to hospital.
3. The husband of the impacted employee sent a text message to the employee / complainant's manager advising that stated "[employee] is being checked out the by the doctors and is out of the woods for now. Very sore and tired but otherwise appears ok.'
4. This status update was shared with approximately 110 staff members, advising that the employee had suffered a medical incident at work, which hospital they had been taken and the husband, by name, had been contacted. The email also advised that the husband had contacted the employees manager and provided a medical status update.

Full details of the case can be located at: https://classic.austlii.edu.au/au/cases/cth/AICmr/2024/131.html

Flash forward to when the employee was scheduled to return to work, they were unable to do so, citing 'feelings of anxiety and panic related to the medical event'. 2 days later the employee became the complainant by lodging a complaint to the employers privacy officer in regard to the email - citing that private information was disclosed to other people who did not need to know it (as they were not aware of them, or their pre-existing medical condition). After response from the companies privacy officer, suggesting the managing director acted within their duty of care as employer, disclosing the information and medical update, they resigned.

Let's recap:

1. The employee suffered a pre-existing, non-disclosed medical episode at work.
2. Several employees witnessed the incident, and assisted the impacted employee.
3. The husband was contacted, as next of kin, and provided a medical update to the manager.
4. The managing director subsequently shared an update, containing several privacy elements to approximately 110 staff members.
5. The employee was unable to return to work due to mental health issues and lodged a complaint.
6. The employer argued they were acting with the best intentions in mind, only shared information available within the public domain, dis not disclose any private information, the company did not distribute any private information, outside of those directly related to the employee's return to work efforts.
7. The employee resigns, and lodged a complaint with the OAIC citing personal information was disclosed and as a result of the breach has suffered economic and non-economic losses.
8. The relationship deteriorates between the two parties.

From here official proceedings commenced, ultimately finding in favour of the complainant and awarding 6 months salary plus non-economic losses of $3k.

The employer, or respondant attempted to argue they were operating within the realms and requirements of an employer, and attempted to rely on the employee records exemption. (you might want to look that up). Ultimately the commissioner found that the exemption did not apply, and the sharing of the email, was in breach of the Privacy Act and found in favour of the employee or complainant. The impact to the employer was non-economic losses of $3k, as well as 6 months salary, being the lost income from resigning until finding new employment.

What this illustrates is that the Privacy Act, and it's financial impact to organisations cannot be discounted. Regardless of where you sit in regard to this case, it is something we absolutely need to consider as employers, or industries that are custodians of sensitive information. In this instance the respondent had grounds they believed for their actions, and these were definitely considered by the Commissioner. We need to ensure we all have safeguards in place to protect this data, and monitor it's access and sharing. This comes from a cybersecurity and general governance perspective. If this information had been unlawfully access due to poor cybersecurity or governance defence mechanisms, would the commissioner have been so lenient? We don't know, but we could assume not. Now is the time to review your policies, procedures, and access controls of the data you hold that is sensitive and contains personal identifiable information.

Hope you have strong safeguards in place, but if you want to discuss your defences further, please do just reach out.