Get Well Soon email Breached Employee's Privacy
A well-meaning manager thought they were doing the right thing by updating staff on the welfare of an employee who was hospitalised after collapsing in the company carpark. Australian Privacy Commissioner Carly Kind has disagreed and fined the firm $3000 for breaching the employee's privacy.
The incident occurred on April 8, 2021, when the employee, known as 'ALI', suffered a medical episode in the company's car park due to a pre-existing condition. After receiving CPR from colleagues and being taken to hospital by ambulance, ALI's husband texted her manager to say she was "out of the woods" but "very sore and tired."
Later that day, the Managing Director of the company, referred to only as 'ALJ', sent an email to approximately 110 head office staff with the subject line "[ALI] - recovering well". The email named ALI and her husband, described the medical incident, and provided an update on her condition.
ALI complained to ALJ's Privacy Officer on April 28, stating that many email recipients did not previously know her or about the incident. She verbally resigned that day, saying her position was "no longer tenable."
Dissatisfied with ALJ's response, ALI filed a complaint with the Office of the Australian Information Commissioner on May 6, 2021.
In her recent determination, Commissioner Kind rejected ALJ's claim that its actions were exempt under the "employee records" provision of the Privacy Act. She found that sending the email to 110 staff was not directly related to ALJ's employment relationship with ALI.
The Commissioner determined that ALJ collected ALI's personal information, including sensitive health information, for the primary purpose of ensuring her welfare and meeting work health and safety obligations. However, ALJ then used this information for the secondary purpose of updating staff more broadly.
"I am of the view that the respondent used the complainant's personal information for the purpose of updating its staff. This was not for the primary purpose for which the information was collected," Commissioner Kind wrote.
She found that ALI did not consent to this use of her information, nor would a reasonable person in her position expect it. The Commissioner also determined that work health and safety laws did not require or expressly authorize ALJ to use ALI's personal information in this manner.
"It is evident that the respondent could have discharged its obligations to other staff under the WHS Act, or any relevant common law duty, without identifying the complainant by name, which seems to be at the heart of her grievance," the determination states.
While acknowledging that ALJ appeared to act in good faith to address staff concerns, Commissioner Kind found its actions constituted a breach of Australian Privacy Principle 6.1.
The Commissioner ordered ALJ to pay ALI $3,000 in compensation for non-economic loss, recognizing the "hurt feelings, distress and anxiety" caused by the privacy breach. She also directed ALJ to reimburse $125.10 for two psychologist appointments ALI attended partly due to the incident.
However, the Commissioner declined ALI's request for six months' salary compensation, finding that her decision to resign was not directly caused by the privacy breach. She also rejected requests for ALJ to make a charitable donation or provide an employment reference.
"Declarations made under s 52(1)(b) of the Privacy Act are intended to address the relevant privacy breach, including any harm or loss suffered by a complainant. This does not extend to providing donations to other entities," Commissioner Kind explained.
The determination noted that this appeared to be an isolated incident for ALJ rather than a systemic issue. The company has already taken steps to prevent similar breaches, including updating its privacy policy and requiring legal review of sensitive staff communications.
"The determination will have an educative effect and provide the respondent with the opportunity to review and improve its internal practices, procedures and systems to ensure future compliance with the Privacy Act," Commissioner Kind wrote.
The full ruling is available HERE