Sydney financial services firm Fortrend Securities must pay $A13,500 in damages after deliberately disclosing a former employee's confidential medical certificate to a client.

The Australian Information Commissioner found the company breached Australian Privacy Principle 6 by posting the sensitive health document to the client to discredit the departing employee.

Acting General Manager Justin Lodge ruled the disclosure was "malicious, improper and unjustifiable" in his determination.

The case began when the complainant, known as 'AYN', resigned from Fortrend Securities in November 2022. During a 30-day notice period, the complainant claimed to have experienced hostile behaviour from the company's managing director and obtained medical certificates stating they were unfit for work due to anxiety and emotional distress.

After the employee left, the managing director told multiple clients the former employee had suffered a "nervous breakdown" and was unfit to manage portfolios. When one client questioned this claim, the managing director mailed them a copy of the employee's medical certificate dated 9 December 2022.

The certificate clearly stated "PERSONAL AND IN CONFIDENCE NOT TO BE RELAYED TO ANY THIRD PARTY WITHOUT REFERENCE TO THE AUTHOR" at its top.

Lodge found the respondent collected and held the medical certificate but disclosed it for an unauthorised secondary purpose. The employee records exemption did not apply because the disclosure occurred after employment ended and served no employment-related purpose.

"The respondent disclosed the complainant's sensitive health information contained in the Medical Certificate to the Client with the intent to harm the complainant," Lodge wrote.

The determination awarded $A10,000 for non-economic loss including humiliation, hurt feelings and embarrassment. An additional $A3,500 in aggravated damages reflected the malicious nature of the breach.

Evidence from the complainant's psychiatrist confirmed they suffered ongoing anxiety and depression from the disclosure. The complainant described explaining to clients they were not having a "mental breakdown" as humiliating.

Lodge noted the breach occurred within an employment relationship where the respondent held a position of trust regarding the employee's personal information. The managing director displayed "indifference towards its privacy obligations in respect of the employee's sensitive health information."

The company must issue a written apology within seven days and engage an independent reviewer within three months to examine its privacy policies, procedures and training programmes. A report must be provided to the Commissioner within six months.

The respondent also provided unreliable information throughout the investigation, initially denying receiving the medical certificate despite email evidence showing the complainant sent it to the managing director on 12 December 2022.

Both parties have 28 days to apply for review by the Administrative Review Tribunal if they wish to challenge the determination.