When a staff update turns into a privacy breach

Picture this scenario. Your co-worker “Jenny” has a medical episode in the staff carpark due to a pre-existing medical condition. The episode is witnessed by approximately seven other co-workers and some of them provide CPR until two ambulances and the police arrive. Jenny is transported to a nearby hospital in the company of a co-worker.

 

The employer looks for an update on Jenny’s wellbeing, and her husband sends a text message to the manager’s work phone stating:

“[Jenny] is being checked out by the doctors and is out of the woods for now. Very sore and tired but otherwise appears ok.”

The message is conveyed to the Managing Director, who sends an email to approximately 110 staff working at head office with the subject heading ‘[Jenny [surname]] – recovering well’ and the following text:

“As you are likely aware, [Jenny] experienced a medical episode this morning in the staff car park. It is believed that [Jenny] collapsed as she was removing items from the boot of her car. After receiving support from [the employer’s] Staff, [Jenny] was taken by ambulance to [local] hospital and her husband, [Jenny’s husband], was contacted. [Jenny’s husband] contacted [Jenny’s manager] about 30 minutes ago and informed [Jenny’s manager] that [Jenny] is conscious and appears okay. She is just sore and tired. [Jenny] will return home after final medical checks by the Doctor. This has been a traumatic experience and we are all relieved that [Jenny] is recovering well”.

The employer believed there was a duty to provide an update as many staff members were distressed by the medical event. 

 

“Jenny” claimed her privacy had been interfered with and eventually brought a claim to the Privacy Commissioner. She wanted her former employer to:

 

• acknowledge that the update interfered with her privacy
• compensate her in the amount of $50,096 for economic loss, equivalent to approximately six months of Jenny’s former salary
• make a $5,000 donation to an organisation that provides educational resources about the medical condition from which she suffers
• compensate her in the amount of $10,000 for non-economic loss associated with the mental health conditions she developed following the interference with her privacy and the adverse impact it has had on her personal relationships
• provide a non-prejudicial reference regarding her employment and performance.

 

Many early childhood centres aim to create a familial atmosphere by engaging closely with their staff which makes this scenario a very relatable one for the early childhood sector. 

 

Outcome

 

In summary, Jenny was aggrieved that the details of her medical event and subsequent status, together with her name and that of her husband, were improperly distributed in the email. She contended that many staff did not previously know her or were not aware of the episode until receiving the email.

 

The employer claimed that the employee records exemption applied, and that the information was collected partly to update staff more broadly. Therefore, using the information for that purpose was a ‘primary purpose’ under the Privacy Act or if it was not, its obligations under the Work Health and Safety Act (WHS Act) required it to use that information to update other staff.

 

The Commissioner, in the matter of ALI and ALJ (Privacy) [2024] AICmr 131 (20 June 2024), found that there had been a privacy breach.

 

The employee records exemption did not apply to this case as the content of the email did not directly relate to the employer’s relationship with Jenny. This is not surprising given this exemption has been interpreted narrowly in the past.

 

The Commissioner also considered the primary purpose of collecting the information was to enquire as to Jenny’s welfare and comply with safety obligations and not for the broader purpose of updating staff. In the Commissioner’s view, the WHS Act did not require or expressly authorise the employer to use Jenny’s personal information in the way that it did. Instead, the employer could have discharged its obligations to other staff under the WHS Act or any relevant common law duty without identifying Jenny by name.

 

However, the Commissioner determined that Jenny was entitled to much less compensation than she claimed, as the employer appeared to have sent the email in good faith with a view to allay any concerns held by staff in a timely manner. The email did not disclose details of Jenny’s medical condition or associated treatment, and given the circumstances it would have been unreasonable for the employer not to update relevant staff. Without an update, gossip or incorrect information about the incident could spread among staff, which would have been harmful to Jenny.

 

The employer accepted that, in retrospect, it could have shared the relevant information with a more limited number of staff with Jenny’s consent or in a deidentified manner and expressed its intention to take these steps if a similar incident arose in the future. Early childhood centres should learn from this and take similar steps if an incident were to occur. 

 

Jenny was awarded $3,000 for non-economic loss arising from the privacy breach which was considered consistent with the declarations made in respect of similar privacy complaints. She was also reimbursed $125.10 for the out-of-pocket expense incurred attending psychologist appointments that were linked to the disclosure in the email. The Commissioner did not consider the claim of $50,000 for economic loss was sufficiently linked and did not consider the other remedies sought appropriate.

 

Takeaway

 

Determinations from the Commissioner are relatively rare, as most matters are resolved prior to this stage, so this published decision gives some insight into how similar matters may be considered. It appears there was a fine line in balancing the competing need to keep staff informed in a timely manner with the complainant’s privacy concerns. 

 

If a similar circumstance occurs in an early learning centre, the recommendation would be to seek consent from the employee to provide staff with an update (the ideal outcome). Otherwise, do not identify the employee in the corresponding communications to staff and consider sending the communication to a limited number of staff that were known to have witnessed the incident and that require the update.

 

For further insight to ensure your centre does not breach privacy laws, see here.

 

If you have any questions, please get in touch with Holding Redlich Special Counsel Emily Booth here.

 

Disclaimer

The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.