Intellectual Property, Information Technology & Cybersecurity

The Privacy Act’s Employee Record Exemption Tested in ALI and ALJ

A recent decision from the Office of the Australian Information Commissioner (OAIC) clarifies the operation of the employee records exemption under the Privacy Act and brings into focus the privacy obligations of employers in regard to their employees.

Background

In ALI and ALJ (Privacy) [2024] AICmr 131, an employer was found to have breached its obligations under the Privacy Act 1988 (Cth) (Privacy Act) concerning personal information of an employee. The employee suffered a medical emergency in the employer’s carpark and was taken by ambulance to hospital. Several employees observed the incident, some of whom attempted CPR.

A colleague subsequently contacted the employee’s husband, requesting an update on her condition. In response, the husband provided a short update. Using the information received, the manager emailed all staff, informing them of the injured employee’s condition, naming the hospital and providing an update on her health.

The employee subsequently returned to work and complained to the employer’s Privacy Officer about the all-staff email. The complaint could not be resolved, so the employee resigned and lodged a complaint with the OAIC, claiming that her employer had interfered with her privacy by disclosing personal information in the email for a purpose for which it was not collected.

Her employer argued that the employee record exemption under the Privacy Act applied to exempt the transmission of the email from the Privacy Act. Her employer further argued that, even if the employee record exemption did not apply, it had not interfered with its former employee’s privacy because:

  • The information had been collected and was used for the purpose of informing other employees;
  • A reasonable person in the employee’s position would expect the information to be used in the manner it had been used by the employer; and
  • The information had to be disclosed under applicable workplace safety legislation to minimise the risk of vicarious trauma.

OAIC determination

Employee records exemption

The Privacy Act states that any act done by an organisation that is or was an employer of an individual is exempt if the act is directly related to:

  • a current or former employment relationship between the employer and the individual; and
  • an employee record held by the organisation and relating to the individual.

The employer argued that sending the email was exempted under the employee record exemption because:

  • The medical event occurred at its workplace during working hours;
  • At the relevant time, there was a current employment relationship between the parties;
  • The employer held records about the complainant, including her emergency contact details and health status for work attendance; and
  • The email was directly related to the employment relationship and the employee records.

It was not disputed that there was an employment relationship. However, the complainant argued that emailing all 110 staff members about the medical event that she suffered was not directly related to her employment and the personal information about the medical event in the email was not the subject of an employee record when the email was sent.

The employer argued that her colleagues were distressed at seeing the complainant unwell or from hearing about the event from those that had witnessed the event. Accordingly, the employer argued that its employees were already aware of the information and the email had been sent to address the risk to those employees’ health and safety and to reduce their concern, in compliance with applicable workplace health and safety law.

The OAIC rejected these arguments. The OAIC found that sending the email was directly related to the employment relationship between the employer and its other employees, not the relationship between the employer and the complainant. Accordingly, the act of sending the email was not protected by the employee record exemption since the act failed the first limb of the exemption.

Did the employer breach APP 6 by sending the email to all staff about the complainant’s health status?

Since the OAIC determined that the employee records exemption did not apply, the OAIC needed to assess whether the former employer had breached APP 6. Under APP 6, if an entity holds personal information that was collected for a particular purpose (primary purpose), then the entity must not use or disclose such information for any other purpose (secondary purpose), unless an exception applies. To assess whether the employer had breached APP 6, the OAIC held that it had to determine the following:

  • What (if any) personal information was collected, used or disclosed by the employer about the complainant;
  • What was the primary purpose of collection;
  • Was the information used for the primary purpose or for a secondary purpose; and
  • If the use was for a secondary purpose, did an exception apply to the use of the information for that secondary purpose.

The OAIC held that the employer had collected and used the complainant’s full name, the full name of her husband, the fact that the complainant had suffered a medical event at work, the name of the hospital and her health status (in that she was “conscious, very sore and tired but otherwise appears ok”). The OAIC found that the information about the complainant’s health status, while vague, constituted “health information” about the complainant and was therefore “sensitive information” for the purposes of the Privacy Act.

The OAIC determined that the employer had taken steps to collect the complainant’s personal information because a staff member of the employer had requested the health update from her husband and the husband’s text message was received on a work device.

Based on the evidence, the OAIC found that the primary purpose of collection was ensuring the complainant’s welfare and enabling the employer to meet its work health and safety obligations to the complainant, including the completion of an incident report. The OAIC dismissed as unconvincing any argument that the employer requested and collected the information for the primary purpose of updating staff more broadly.

The OAIC held that the complainant had not consented to the use of her personal information in the email, and it was immaterial that information in the all-staff email was already in the public domain. Accordingly, the employer could not rely on any consent from the complainant to the use of personal information for a secondary purpose, and was not relieved of its privacy obligations in relation to the information because the information was already in the public domain.

Further, the OAIC determined that the complainant did not reasonably expect, and that a reasonable person in her position would not have expected, that the employer would use the complainant’s personal information in an email to all staff in the manner that it did, which identified her by her first and last name.

The OAIC considered whether the use for a secondary purpose was required or authorised by law, by reviewing the relevant provisions in the NSW occupational health and safety laws. The OAIC held that the relevant statute did not require or expressly authorise the employer to use the complainant’s personal information in the way that it did, and that such authorisation would have to be implied from the statute.

The OAIC determined that it was evident that the employer could have discharged its statutory obligations (as well as any common law duties) without identifying the complainant by name. Accordingly, the OAIC held that the statute did not authorise the use of the complainant’s personal information and the employer was in breach of APP 6.

After considering arguments on the remedies, the OAIC declared that the employer had engaged in conduct constituting an interference with the complainant’s privacy and that the employer had to pay the complainant $3,000 for non-economic loss and a small sum of money for reasonably incurred expenses.

Conclusion

Having regard to the evidence and the parties’ arguments, the OAIC determined that the employee record exemption did not apply to the employer’s conduct of sending an email specifically naming the complainant and providing an update regarding her health status to all staff, and the OAIC determined that the employer had breached APP 6 by sending this email. The employer was required to pay damages for non-economic loss and to reimburse the complainant for reasonably incurred expenses arising out of the employer’s interference with her privacy.

Key Takeaways

  • The OAIC emphasised that the scope of the employee records exemption under the Privacy Act should be interpreted narrowly. The mere fact that information has some relation to an employee does not necessarily mean that the information is covered by the employee record exemption. The issue is whether the use of information about the employee is directly related to the employment relationship between the employer and the employee.
  • The intentions of the employer in using the personal information are not relevant to whether the employer has interfered with the privacy of its employees. Even good faith uses of employee personal information can breach the Privacy Act.
  • Using or disclosing personal information that is already public, other than in accordance with the Privacy Act, can still interfere with the privacy of the relevant individual, since an entity is “not relieved of its privacy obligations … by virtue of the personal information already being in the public domain”.
