By Mike Toten Freelance Writer
Employee records are normally excluded from the Commonwealth information privacy legislation, but a recent case uncovered a situation where the exemption for employers did not apply. The employer had to pay compensation to the employee.
Facts of case
An employee suffered a medical episode, due to a pre-existing condition, in the employer’s car park. Other employees witnessed it and assisted her. She was taken to hospital.
After her husband told the employer that she was recovering, the employer sent an email to 110 of its employees that included the following:
- Her full name
- Her husband’s full name
- Information about her medical episode
- Name of the hospital she went to
- A report on her condition
The employee claimed that doing so was a breach of her privacy, and applied for compensation from the employer. She resigned from her job, believing that her position was untenable because of the disclosure (she had not previously disclosed her pre-existing condition to the employer). She claimed to have suffered stress and anxiety following the disclosure, which impeded her chances of obtaining other employment.
The employer claimed that the employee records exemption in the Privacy Act 1988 applied to it, and that it sent out the information to meet its obligation under workplace health and safety legislation to ensure the welfare of the employee and all other employees. It claimed that other employees were distressed about witnessing the incident or hearing about it.
However, the Australian Information Commissioner found that the records exemption did not apply in this case. The email was not “directly related” to the employer/employee relationship. The latter required there to be “an absolute, exact or precise connection.”
Therefore, the employer had to comply with the Act. Australian Privacy Principle 6.1 states that an employer can only disclose privacy information for a “primary purpose” (ie the reason why it was collected in the first place) or a “secondary purpose”, the latter only if the employee gave prior consent or could reasonably have expected the information to be disclosed.
The employer’s “health and safety of the employee” defence was not the real reason why it disclosed the information. It did so for a secondary purpose, which was its belief that it would protect the health and safety of other employees.
The employee had neither consented to release of the information, nor could she have reasonably expected it to happen, so the employer had breached the Act. She was awarded $3,000 for non-economic loss and $125.10 for medical expenses incurred.
Workplace health and safety legislation obligations were not a defence either. The employer could have complied with those obligations without disclosing the employee’s identity to others.
The Commissioner did say that the employer had acted in good faith and out of concern for employees, and the amount of compensation took that into account. However, it could have done so without breaching the employee’s privacy.
What this means for employers
The “exemption for employee records” from coverage by the Privacy Act 1988 is not a blanket one, as this decision demonstrates. Employers therefore need to be familiar with the provisions of the Act, particularly Australian Privacy Principle 6.1.
.png?ext=.png)
.png?lang=en-AU&ext=.png)
.png?lang=en-AU&ext=.png)