Lessons for Employers if They Interfere with an Employee’s Privacy
A recent determination by the Office of the Australian Information Commissioner (OAIC) in ‘ALI’ and ‘ALJ’ (Privacy) [2024] AICmr 131 provides a critical reminder for employers about balancing workplace health and safety obligations with privacy laws.
Background
On 8 April 2021, an employee had a medical episode in the employer’s car park, which left her lying unconscious there (Medical Event).
The Medical Event arose from a pre-existing health condition the employee had not disclosed to the employer. On the employer’s account, approximately seven other employees witnessed the employee lying on the car park floor, where she appeared to be unconscious.
The other employees who were present during the employee’s Medical Event provided CPR until two ambulances and the police arrived. According to the employee’s husband, while providing CPR, the employee’s co-workers were required to undress the employee and expose her chest so that compressions could be undertaken. The employee was taken to a nearby hospital in the company of another staff member.
A staff member of the employer contacted the employee’s husband, who was nominated as her emergency contact. The staff member requested that the employee’s husband contact the employee’s manager to update the manager on the employee’s status. The husband subsequently sent the employee’s manager a text message stating:
‘[the employee] is being checked out by the doctors and is out of the woods for now. Very sore and tired but otherwise appears ok.’
The employee’s manager conveyed the content of that message to the Managing Director. Later that day, the Managing Director emailed over 100 staff with the subject heading ‘[the employee] – recovering well’, sharing details about the employee’s Medical Event. The email described the incident, gave the employee’s full name and reported her status following medical treatment, as follows:
‘As you are likely aware, [the employee] experienced a medical episode this morning in the staff car park.
It is believed that [the employee] collapsed as she was removing items from the boot of her car. After receiving support from [the employer’s] staff, [the employee] was taken by ambulance to Westmead Hospital and her husband, [the employee’s husband], was contacted.
[The employee’s husband] contacted [the employee’s manager] about 30 minutes ago and informed [the employee’s manager] that [the employee] is conscious and appears okay. She is just sore and tired. [The employee] will return home after final medical checks by the Doctor.
This has been a traumatic experience and we are all relieved that [the employee] is recovering well.’
As a result of the disclosure, the employee resigned shortly after and lodged a privacy complaint, alleging her personal information was improperly disclosed without her consent.
The Relevant Law
The employer was captured by the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs).
Employee records exemption
1. Section 7B(3) of the Privacy Act relevantly states:
An act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to:
• a current or former employment relationship between the employer and the individual; and
• an employee record held by the organisation and relating to the individual.
2. Section 6 of the Privacy Act defines:
• an employee record to be ‘a record of personal information relating to the employment of the employee’ and includes health information about the employee.
• An entity ‘holds’ personal information if the entity has possession or control of a record that contains the personal information. A ‘record’ includes a document or an electronic or other device.
APPs
APP 6.1 states that if an APP entity holds personal information that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose), subject to certain exceptions.
Relevantly, an APP entity may use or disclose personal information for a secondary purpose where:
• the individual has consented to the use or disclosure of the information (APP 6.1(a));
• the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose, and the secondary purpose, if the information is sensitive information, is directly related to the primary purpose (APP 6.2(a)(i)).
The Decision
The Privacy Commissioner found that the employer had breached the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) by:
• Collecting the employee’s personal information primarily to ensure her welfare and comply with workplace safety obligations.
• Using the information for a secondary purpose (by updating staff) that was not directly related to the primary purpose and without the employee’s consent.
The Employer’s Missteps and the Decision
In the proceedings, the employer attempted to rely on the employee records exemption and on its legislative and common law obligations to ensure the safety of the employee and its employees, justifying the disclosure under moral obligations and the duty of care under work health and safety laws.
Employee Records Exemption
The Commissioner found that the employee records exemption did not apply. The Commissioner was not satisfied that the employer’s act of sending the email, which identified the employee by her full name and included her sensitive information, to 110 other staff was directly related to its employment relationship with the employee.
APP
The Commissioner ruled that the work health and safety laws the employer relied on did not mandate using the employee’s name in the communication. The Commissioner acknowledged that the email was sent in good faith to reduce speculation but determined that it could have been anonymised or sent, with the consent of the employee, to a smaller, relevant audience, such as the employees who witnessed the Medical Event and those who assisted the employee in the car park.
The Commissioner found the employee’s personal information collected and used by the employer included:
• the employee’s full name;
• the full name of the employee’s husband;
• the fact that the employee had a medical event at work;
• the name of the hospital in which the employee was treated; and
• the status of the employee’s health being that she is ‘conscious, very sore and tired but otherwise appears ok’.
The employee was awarded $3,000 for non-economic loss and $125.10 for medical expenses, reflecting a recognition of the privacy breach’s impact but also the employer’s mitigating actions and good intentions.
Key Takeaways for Employers Captured by the Privacy Act
• Limit the information you disclose: When updating staff about workplace incidents, consider whether identifying the employee is necessary. If not, use anonymised information.
• Obtain consent: Always seek the affected employee’s permission before sharing personal or sensitive information, particularly if it involves health information or information that may embarrass, humiliate, impact the individual’s dignity or likely result in serious harm to one or more individuals.
• Assess secondary use of personal information: Ensure that any secondary use of the personal information aligns with the original purpose of collection and complies with the APPs.
• Train your workers on Australian privacy laws and the APPs: Ideally, all workers should be trained on Australia’s privacy laws and the APPs, or at the very least, privacy officers and managers should be equipped with knowledge about handling personal and sensitive information to prevent similar breaches.
• Privacy policy: Ensure you implement a privacy policy that covers relevant stakeholders such as prospective, current, and former employees, volunteers, contractors, and clients, and that it is kept updated with the relevant information.
If you need help understanding whether you are complying with your privacy obligations under Australian privacy laws or need help responding to a privacy breach, please give us a call. We are here to help.