Employee records and privacy: employer ordered to pay $60,000 compensation for breach of employee privacy
By Andrew Tobin and Hayden Delaney
- An Australian employer was recently ordered, along with other remedial measures, to pay $60,000 compensation (including for ‘aggravated damages’) to 14 employees and former employees for breaching their privacy.
- The decision of the Office of the Australian Information Commissioner (OAIC) on 28 May 2019 (‘QF’ & Others and Spotless Group Limited (Privacy) AICmr 20 (28 May 2019)) highlights the risks for employers associated with improper handling of employee records and provides some useful insights into managing and containing those risks.
- In short, the employer might have avoided liability, much of the formal dispute resolution process, and the associated adverse publicity, through:
- in the terms and conditions of employment offered to the employees concerned.
The employer, Cleanevent, is a subsidiary of ASX-listed Spotless Group Limited and employs cleaners. In 2011 and 2012, in two random lists, Cleanevent gave the names of some of its employees to the Victorian Branch of the Australian Workers Union. It also paid money to the union, notionally for the union membership fees of its employees who were, or were supposed to become, members of the union. This occurred whether or not the named employees were, were not or wanted to be members of the union and, so far as the 14 complainants were concerned, without their knowledge or consent. Of the 14 complainants, eight were already members of the union. The remaining six were not.
The point of this arrangement, documented in 2010, was for Cleanevent to secure industrial peace with the union following the expiry (in 2009) of a WorkChoices era collective agreement made in 2006, under which Cleanevent workers were not entitled to award penalty rates. Under the arrangement, Cleanevent kept the benefit of the 2006 collective agreement – saving about $2M in wages costs each year – and the union was to receive payments of up to $25,000 per year, notionally for membership fees. Cleanevent did not tell the complainants about the arrangement. None of them received any financial benefit from it. The six employees who had not themselves joined the union directly never knew that they had become ‘members’ and remained oblivious to any potential benefits of their union ‘membership’.
The complainants became aware of the arrangement and that their names had been given to the union as the result of the Royal Commission into Trade Union Governance and Corruption held over the course of 2014 and 2015.
What were the issues?
The complainant employees contended that the disclosure of their names to the union without their knowledge or consent was an unlawful interference with their privacy under the Commonwealth Privacy Act, being in contravention of the then applicable National Privacy Principles (NPPs) relating to use, disclosure and security of personal information (matters now covered by the Australian Privacy Principles (APPs)).
The ‘employee records’ exemption
Spotless’ primary defence was that disclosure of the complainants’ names to the union was not unlawful because it was permitted by the ‘employee records’ exemption provided for in the Privacy Act. The exemption applies to anything done by the employer of an individual ‘directly related to’:
- a current or former employment relationship between the employer and the individual; and
- an employee record held by the employer and relating to the individual.
The exemption was introduced when the Privacy Act was first amended in 2001 so as to apply to the private sector. The justification for it at the time was that the privacy of employee records was best left to workplace laws. But then and even now, with limited exceptions, no workplace laws have been made to regulate the privacy of employees in connection with records held by their employers about them. The result is that, in many situations, privacy of employees in relation to records of that kind is largely unregulated.
But this didn’t help Spotless.
The Commissioner held that the employee records exemption didn’t apply, on the basis that Cleanevent’s disclosures of random lists of employees’ names to the union had an insufficient connection with the arrangement between Cleanevent and the union, such that the disclosure was not ‘directly related’ to the employment relationship.
In reaching this conclusion, the Commissioner relied on the dictionary definitions of ‘directly’ and ‘related’. She said that, for the exemption to apply, Spotless had to show that the disclosures had an absolute, exact or precise connection to the employment relationship between Cleanevent and the complainants. For these purposes it did not matter that the arrangement between Cleanevent and the union might itself have met that requirement (about which the Commissioner made no finding). A substantial cause for Spotless’ undoing was that, as the Royal Commission had found, the express terms of Cleanevent’s arrangement with the union did not in fact require Cleanevent to give the union names of Cleanevent employees. Nor did it help that Cleanevent itself argued that the disclosures occurred without its authority (an argument which was rejected) and contrary to the arrangement as approved by Cleanevent management.
The decision also examined other things that Spotless might have done to authorise the disclosures. These boiled down to just telling its employees, one way or another, that their personal information – their names – would be given to the union or other organisations of that kind and obtaining their consent to that exercise.
The end result was that the complaints were upheld. Cleanevent’s disclosures of its employees’ names to the union were found to be an unlawful interference with their privacy, in breach of the NPPs relating to use, disclosure and security of the complainants’ personal information. Spotless was ordered to:
- engage an independent expert to undertake an initial review and to report back to the Commission about Spotless’ privacy compliance procedures, policies and processes, and those of its subsidiaries;
- repeat that exercise within six months to determine the effectiveness of any response to the initial review/report;
- apologise in writing to each of the complainants and in doing so to expressly acknowledge the interferences with their privacy and the distress it has caused; and
- pay compensation to each of the complainants.
The Commission made no bones about where ultimate responsibility for the outcome lay, namely, with Spotless’ board.
No compensation was awarded to the complainants for economic loss, although all maintained claims for lost wages, based on what they would have been paid under the applicable award but for the ongoing application of the 2006 Work Choices collective agreement. Those claims were rejected because, even assuming the complainants were indeed all worse off, this was not the result of the interference with their privacy. Rather, any loss was caused by the applicable industrial arrangements between Cleanevent and the union.
All 14 complainants were awarded compensation for non-economic loss, as compensation for the hurt and humiliation they felt upon discovery of the arrangement between Cleanevent and the union, heightened when they became aware that their names had been misused and improperly disclosed to the union. The complainants’ evidence to the Commission was to the effect that the circumstances had caused them to feel ‘anger and betrayal’ and to experience feelings of ‘stress and/or anxiety’.
The six complainants who had not previously chosen to join the union were each awarded compensation of $4,500. The eight complainants who were already members of the union were each awarded $1,500. The distinction recognised that, for the eight original union members, they had independently chosen to join the union which already had their names. The others were further compensated for an additional level of hurt and/or humiliation, on the basis that the disclosures offended the notion of freedom of association, i.e. the disclosures ‘took away our rights not to join a union’.
All of the complainants were also awarded a further sum, of $1,500, for ‘aggravated damages’. ‘Aggravated damages’ can be awarded in many types of claims, including those made under the Privacy Act, where the respondent has behaved ‘high handedly, maliciously, insultingly or oppressively’; where the manner in which the respondent conducts its case exacerbates the hurt and injury suffered by the claimant; or where the conduct of the respondent was otherwise ‘improper, unjustifiable or lacking in bona fides’. In any of those situations ‘an increase to the plaintiff’s sense of hurt may be presumed from all the evidence’.
The awards of aggravated damages to the complainants were justified for these reasons:
- Spotless failed to appreciate the implications of Cleanevent’s conduct in handing over lists of random employees’ names, outside of the expectations of those employees, and was indifferent to its obligations under the Privacy Act. In these respects, Spotless’ conduct was unjustified, improper and lacking in bona fides;
- the conduct occurred in the context of an employment relationship, in which Cleanevent exercised authority over the complainants as its employees and had the ability to adversely affect their interests. The cases recognise that context as aggravating conduct;
- as an employer, Spotless held a position of trust and confidence with respect to its employees and their information. Cleanevent’s conduct, being indifferent to Spotless’ privacy obligations in respect of employee information, damaged that relationship and was a source of additional hurt to the complainants.
What might the employer have done differently?
The fundamental problem for Spotless and Cleanevent was that Cleanevent’s arrangement with the union did not require Cleanevent to give the union lists of its employees’ names. From a purely management perspective, that should never have occurred. So, basic mistakes were made based on a presumed misunderstanding of the arrangement by those tasked with giving effect to it. Those errors aside, the companies might have done other things from a compliance perspective, to mitigate the risk of an unintended breach of employee privacy occurring, including these:
- Those within an organisation who have access to ‘personal information’ need to be taught, through training, what ‘personal information’ is and enough to know that dealings with it may well be prohibited by privacy law. The disclosures were made by two employees of Spotless/Cleanevent. Spotless argued that those individuals had acted without authority, an argument which the Commissioner rejected. In any event, the employees who made the disclosures appear to have not realised they were dealing in ‘personal information’ of the kind protected by the Privacy Act. The exercise should have raised a red privacy flag at the outset. This is partly a function of training.
- The issues could have been dealt with in the employment contracts. There is no discussion of employment contracts in the decision. Presumably, Cleanevent’s employment contracts did not deal with privacy or employment-related policies in a way that would have been of assistance. Our default position when drafting employment contracts is to include clauses to the effect that employees agree to familiarise themselves with, and abide by, the employer’s relevant policies, and a specific consent to dealings by the employer in the employees’ ‘personal information’.
- And what about the board? As mentioned earlier, the decision makes it plain that responsibility for the events which occurred sat with Spotless’ board. Boards have a responsibility to protect the privacy of not only their employees, but also their customers and other stakeholders as well. This is an issue that all boards need to ensure they are dealing with and about which they have a clear understanding. While it is true that boards already have a large workload, privacy and cyber security are emerging issues that need to be on the list of key oversight issues.