By Dr Laura Sowden, Partner and Theresa Au, Lawyer

An employee suffered a medical episode at their employer’s car park. Shortly after, an email to staff about the medical episode and the employee’s status was sent. The Privacy Commissioner held that the employer’s use of the employee’s information breached the Privacy Act 1988 (Cth) and the employee was entitled to compensation.

What happened?

On 8 April 2021, the employee experienced a medical episode in the carpark of the employer’s head office. The employee had a pre-existing medical condition which was not disclosed to the employer and which the employer had no knowledge of.

It was the employer’s position that other employees witnessed the employee lying on the ground and appeared to be unconscious. Some of the employees went with the employee to the hospital.

Later that day, the employee’s emergency contact provided an update on the employee’s status to her manager as requested. This information was relayed internally and then an email to an internal mailing list was sent reporting on the medical episode and the employee’s current status (the Email).

In the Email, the employee’s medical episode was disclosed in addition to her full name, her emergency contact’s full name as well as their relationship to the employee.

Internal privacy complaint

On 28 April 2021, the employee made an internal complaint to the employer’s Privacy Officer about the sending of the Email.

The Privacy Officer contacted the employee the same day to explain the employer’s position and during that conversation the employee verbally resigned claiming the privacy breach was so significant it rendered her employment untenable.

OAIC Complaint

Dissatisfied with the employer’s response, the employee made a complaint under s 36 of the Privacy Act 1988 (Cth) (Privacy Act) to the Office of the Australian Information Commissioner (the OAIC).

What did the employee want?

The employee claimed the employer interfered with their privacy by disseminating personal information about the medical event and her subsequent status in the Email.

She also claimed she suffered economic and non-economic loss and should be awarded compensation.

The employee sought:

• the employer acknowledge that it interfered with her privacy;
• $50,096.00 for economic loss (about 6 months’ salary including super);
• $5,000.00 donation to an organisation that provides educational resources about the employee’s medical condition;
• $10,000.00 for non-economic loss; and
• the employer provide a non-prejudicial referencing regarding her employment and performance.

What did the employer say?

It was the employer’s position that sending out the Email:

• fell within the employee records exemption under s 7B(3) of the Privacy Act;
• was otherwise for purposes of fulfilling its work health and safety obligations to its staff.

What did the Commissioner say?

The employee records exemption did not apply as the act of sending the Email was not directly related to a current or former employment relationship between the employer and the employee.

The Commissioner considered the employee’s personal information was collected for the primary purpose of ensuring her welfare and to enable the employer to meet its WHS obligations to the employee, including the completion of an incident report.

The Commissioner considered the use was for the purposes of updating staff which was not the primary purpose for which the information was collected. As such, the use of the personal information was for a secondary purpose.

The secondary purpose of updating staff was not permitted under the Australian Privacy Principles because it was not consented to by the employee and the Work Health and Safety Act 2011 (NSW) did not authorise use of personal information in the manner the employer engaged in (i.e., the information could have been provided de-identified).

The Commissioner otherwise considered the employer’s conduct was made in good faith as it was genuinely concerned about the employee’s medical condition which it had no prior knowledge of and was required to balance its competing duties to concerned witnesses in a timely manner.

Mitigating factors for the employer

• The Email did not disclose the details of the employee’s medical condition or associated treatment but referenced the medical episode generally.
• The employer had no prior privacy breaches, and the conduct was isolated.
• The employer otherwise acknowledged it could have responded differently by disseminating the information to a more limited number of staff with the employee’s consent or anonymising the information and will do this moving forward to prevent any further privacy breaches.

What were the outcomes?

The Commissioner found the employer breached the Privacy Act and it was required to not repeat or continue such conduct.

The Commissioner was not satisfied the economic loss suffered by the employee was due to the employer’s conduct and the employee was not prevented from working or continuing employment with it. Significantly she had resigned from employment after the Email.

Remedies sought under the Privacy Act do not extend to charitable donations as they do not address the relevant privacy breach including any harm or loss suffered by a complainant.

The Privacy Act is not the correct forum to seek an employment reference as a remedy.

The Commissioner determined the employee was only entitled to:

• $3,000.00 for non-economic loss; and
• $125.10 for reasonably incurred medical expenses.

What does this mean?

Employers should proceed with caution when relaying personal and sensitive health information to groups of staff.

Consider why the information was collected and whether use or disclosure of the information is consistent with its collection.

In incidents there may be tension between health and safety duties owed to groups of witnesses at work, and the victim or person involved in the incident. These need to be weighed carefully and advice sought.

Consider whether information can be conveyed to a limited audience with the employee’s consent and for avoidance of doubt always ensure the information is anonymised.

Of course, there may be circumstances where de-identifying information is not appropriate for example in relation to disciplinary processes however those are bound by confidentiality and sufficiently protect the privacy of those involved.

ALI and ALJ (Privacy) [2024] AlCmr 131 (20 June 2024)