Artboard 1Icon/UI/CalendarIcons/Ionic/Social/social-pinterestIcon/UI/Video-outline

When a staff update turns into a privacy breach

02 July 2024

5 min read

#Data & Privacy, #Governance

Published by:

When a staff update turns into a privacy breach

Picture this scenario. Your co-worker *Jenny* has a medical episode in the carpark at work due to a pre-existing medical condition. The episode is apparently witnessed by approximately seven other co-workers and some of the co-workers provide CPR until two ambulances and the police arrive. Jenny is transported to a nearby hospital in the company of another staff member.

The employer looks for an update on Jenny’s wellbeing, and her husband sends a text message to the manager’s work phone stating:

“[Jenny] is being checked out by the doctors and is out of the woods for now. Very sore and tired but otherwise appears ok.”

The message is conveyed to the Managing Director, who sends an email to approximately 110 staff working at head office with the subject heading ‘[Jenny [surname]] – recovering well’ and the following text:

“As you are likely aware, [Jenny] experienced a medical episode this morning in the staff car park. It is believed that [Jenny] collapsed as she was removing items from the boot of her car. After receiving support from [the employer’s] Staff, [Jenny] was taken by ambulance to Westmead hospital and her husband, [Jenny’s husband], was contacted. [Jenny’s husband] contacted [Jenny’s manager] about 30 minutes ago and informed [Jenny’s manager] that [Jenny] is conscious and appears okay. She is just sore and tired. [Jenny] will return home after final medical checks by the Doctor. This has been a traumatic experience and we are all relieved that [Jenny] is recovering well”.

The employer believed there was a duty to provide an update as many staff members were distressed by the medical event.

Jenny made a privacy complaint and eventually brought a claim to the Privacy Commissioner, claiming her privacy had been interfered with. She wanted her former employer to:

  • acknowledge that the update interfered with her privacy
  • compensate her in the amount of $50,096 for economic loss, equivalent to approximately six months of Jenny’s former salary
  • make a $5,000 donation to an organisation that provides educational resources about the medical condition from which she suffers
  • compensate her in the amount of $10,000 for non-economic loss associated with the mental health conditions she developed following the interference with her privacy and the adverse impact it has had on her personal relationships
  • provide a non-prejudicial reference regarding her employment and performance.

Outcome

In summary, Jenny was aggrieved that the details of her medical event and subsequent status, together with her name and that of her husband, were improperly disseminated in the email. She contended that many staff did not previously know her or were not aware of the episode until receiving the email.

The employer claimed that the employee records exemption applied and that the information was collected partly to update staff more broadly. Therefore, using the information for that purpose was a ‘primary purpose’ under the Privacy Act or if it was not, its obligations under the Work Health and Safety Act (WHS Act) required it to use that information to update other staff.

The Commissioner, in the matter of ALI and ALJ (Privacy) [2024] AICmr 131 (20 June 2024), found that there had been a privacy breach.

The employee records exemption did not apply because the content of the email did not directly relate to the employer’s relationship with Jenny. This is not surprising given this exemption has been interpreted narrowly in the past.

The Commissioner also considered the primary purpose of collecting the information was to enquire as to Jenny’s welfare and comply with safety obligations and not for the broader purpose of updating staff. In the Commissioner’s view, the WHS Act did not require or expressly authorise the employer to use Jenny’s personal information in the way that it did. Instead, the employer could have discharged its obligations to other staff under the WHS Act or any relevant common law duty without identifying Jenny by name.

However, the Commissioner determined that Jenny was entitled to much less compensation than she claimed, because:

  • the employer appeared to have sent the email in good faith with a view to allay any concerns held by staff in a timely manner
  • the email did not disclose details of Jenny’s medical condition or associated treatment
  • given the circumstances it would have been unreasonable for the employer not to update relevant staff. Without an update, gossip or incorrect information about the incident could spread among staff, which would have been harmful to Jenny.

The employer accepted that, in retrospect, it could have shared the relevant information with a more limited number of staff with Jenny’s consent or in a deidentified manner and expressed its intention to take these steps if a similar incident arose in the future.

Jenny was awarded $3,000 for non-economic loss arising from the privacy breach which was considered consistent with the declarations made in respect of similar privacy complaints. She was also reimbursed $125.10 for the out-of-pocket expense incurred attending psychologist appointments that were linked to the disclosure in the email. The Commissioner did not consider the claim of $50,000 for economic loss was sufficiently linked and did not consider the other remedies sought appropriate.

Takeaway

Determinations from the Commissioner are relatively rare, as most matters are resolved prior to this stage, so this published decision gives some insight into how similar matters may be considered. It appears there was a fine line in balancing the competing need to keep staff informed in a timely manner with the complainant’s privacy concerns. The takeaways appear to be obtaining the consent of employees in these situations (if possible), limiting the audience and personal information communicated and running the communications by a privacy expert.

If you have any questions regarding this article, please get in touch with our team below.

Disclaimer
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.

Published by:

Share this