Key Takeaways
- In the recent decision of ALI and ALJ (Privacy) [2024] AICmr 131, it was found that an employer who that informed staff that an employee suffered a life-threatening medical episode at work was stable, was in breach of its obligations under the Privacy Act 1988 (Cth).
- The employer was ordered to pay damages for non-economic loss and compensation for medical expenses to the employee.
- Employers must remain vigilant and always refer to its privacy policy when sharing any sensitive information, even in instances where they believe they are acting in good faith.
Employer fined $3000 after telling staff an employee who suffered a medical episode at work was in stable condition.
In the recent decision of ALI and ALJ (Privacy) [2024] AICmr 131 handed down by the Australian Privacy Commissioner, it was held that an employer (Respondent) that informed its staff that an employee (Complainant) who suffered a life-threatening medical episode at work was in a stable condition, was in breach of its obligations under the Privacy Act 1988 (Cth) (Privacy Act). The decision is an important reminder to all employers to remain vigilant and always refer to its privacy policy when sharing any sensitive information, even in instances where they believe they are acting in good faith.
Background
On 8 April 2021 the Complainant suffered a medical episode in the car park of the Respondent due to an underlying medical condition which she had not disclosed to the Respondent. Multiple colleagues witnessed the event and administered CPR to the Complainant until paramedics attended the scene.
Following the medical episode, the Complainant was taken to a nearby hospital. A staff member of the Respondent then alerted the Complainant’s husband (who was the Complainant’s listed emergency contact) and requested that he provide an update to the Complainant’s manager as to her status.
The Complainant’s husband subsequently sent a text message to the Complainant’s manager advising that the complainant was ‘sore and tired’ but appeared to be okay. This message was relayed to the Respondent’s Managing Director. The Managing Director then sent an email to approximately 110 staff members identifying the Complainant and her husband by name and included a brief statement referencing the Complainant’s ‘medical episode’, advised that she was taken to Westmead Hospital, appeared to be okay, and would return home after final medical checks.
After obtaining a medical certificate from the hospital stating she was fit to return to work on 12 April 2024, the Complainant was advised by the Respondent to work from home until she could provide a medical clearance outlining that it was safe for her to drive with her medical condition as this was a requirement of her role. At this time, the Complainant had not raised a privacy complaint about the email.
On 26 April 2024 the Respondent cleared the Complainant to return to work. The Complainant however stated she was unable to do so due to feelings of anxiety and panic related to the medical event.
Claim
Under section 36 of the Privacy Act, the Complainant claimed that the Respondent has interfered with her privacy by disseminating personal information about the medical event and her subsequent status in the email.
An investigation into the matter was conducted by the Office of the Australian Information Commissioner (OAIC).
Decision and reasons
The Respondent claimed that sending the email fell within the “employee records exemption” under section 7B(3) of the Privacy Act as the act of sending the email directly related to a current employment relationship, and therefore did not interfere with the Complainant’s privacy.
The OAIC found where the Respondent had sent an email containing the Complainant’s personal information, including sensitive information did not directly relate to the Complainant’s employment relationship with the Respondent. Therefore, the employee records exemption did not apply.
The OAIC also considered the primary purpose of collecting the Complainant’s information was to enquire as to her welfare and for the Respondent to comply with its health and safety obligation to the Complainant, not for updating staff more broadly. The OAIC did not form the view that the Work Health and Safety Act 2011 (NSW) (WHS Act) required or expressly authorised the Respondent to use the Complainant’s name in the email.
Outcome
Ultimately the OAIC found that the Respondent could have complied with the Privacy Act and discharged its obligations under the WHS Act, and any common law duty, by obtaining the consent of the Complainant before sharing the information or alternatively de-identifying the Complainant and her husband in the email.
The Respondent was ordered to pay the Complainant $3,000.00 for non-economic loss and compensation of $125.10 for psychologist fees and medicine. The Complainant also claimed economic loss of $50,096, being the amount equivalent to 6 months salary, inclusive of superannuation. However, the OAIC was not satisfied this loss was caused by the Respondent sending the email.
Implications for employers
This decision is a timely reminder to all employers to consider the importance of balancing between the fine line of keeping staff informed and maintaining employee privacy in the event of an emergency. In these situations, employers should consider obtaining consent before disclosing personal or sensitive information, de-identifying the information, limiting the number of recipients when communicating personal or sensitive information, considering the terms of the company privacy policy and consulting before sending certain communications to staff.
If you are unsure of your privacy responsibilities, feel free to reach out to Craig Hong, Robert Lamb, or John Davies on 07 3220 1144, john@hillhouse.com.au, craig@hillhouse.com.au, or robert@hillhouse.com.au for an obligation free discussion.
The information in this blog is intended only to provide a general overview and has not been prepared with a view to any particular situation or set of circumstances. It is not intended to be comprehensive nor does it constitute legal advice. While we attempt to ensure the information is current and accurate we do not guarantee its currency and accuracy. You should seek legal or other professional advice before acting or relying on any of the information in this blog as it may not be appropriate for your individual circumstances.