In the recent decision of ALI and ALJ (Privacy) [2024] AICmr 131 by the Australian Privacy Commissioner (the Commissioner), an employer was held to have breached Australian Privacy Principle (APP) 6.1, which governs the use or disclosure of personal information under the Privacy Act 1988 (Cth) (Privacy Act). This came after the employer unsuccessfully relied on the employee records exemption within section 7B(3) of the Privacy Act. This decision sheds light on the scope of the employee records exemption under the existing Privacy Act and reinforces employers’ privacy obligations to their employees. It also highlights a likely trend we will see more of under the future Privacy Reforms, where the OAIC is comfortable taking a narrow view of the scope of any records exemption that might apply.
The Respondent in this matter was a wholesale distribution business who employed the Complainant at the time of the privacy breach. The privacy breach followed from a medical episode the Complainant suffered while at the Respondent’s workplace in the carpark. The Complainant had a pre-existing condition which was not known to the Respondent, and they were given CPR by other employees who were present until two ambulances arrived. Following the episode, a staff member of the Respondent contacted the Complainant’s husband requesting that he contact their manager with an update on the Complainant’s condition.
The Complainant’s husband sent a message to the manager providing an update on the Complainant’s health status following the medical episode. The manager conveyed this message to the managing director of the Respondent, who proceeded to send an email updating approximately 101 head office employees that the Complainant had experienced a medical episode (including disclosing that she collapsed), as well as brief details on her current health status and the full names of both the Complainant and her husband.
The Complainant then attempted to settle this issue with the Respondent via the Respondent’s privacy officer. However, this was unsuccessful, with the Respondent citing duties it held to provide an update to staff as the reason for emailing the abovementioned personal information. Following this, the Complainant resigned and lodged a complaint with the Office of the Australian Information Commissioner (OAIC).
The Respondent, in contesting the claim, argued that it did not disclose the Complainant’s personal information due to the application of the employee records exemption. It also argued that even if APP 6 applied, relevant APP 6 exemptions applied.
The Commissioner, in determining whether the exemption applied, considered whether the act of sending the email was directly related to the employee relationship between the Complainant and Respondent, and whether the email was directly related to an employee record of the Complainant.
In determining whether sending the email was directly related to the employment relationship of the Respondent and Complainant, the Commissioner considered WF & Others and Spotless Group Limited (Privacy) [2019]. The case stated that to fall within the exemption, the act or practice in question must be directly related to the employment relationship, as opposed to an indirect, consequential, or remote effect on the relationship.
It was held that the sending of the email containing the Complainant’s personal information did not directly relate to the employment of the Complainant, but rather directly related to the employment of the other 110 employees to whom the Respondent owed a duty of care.
Therefore, the Respondent could not rely on section 7B(3) to avoid its obligations under the Privacy Act.
Under APP 6, if an APP entity (being the Respondent as a ‘body corporate’) holds information that was collected for a particular purpose, the entity must not use or disclose that information for another purpose, subject to certain exceptions.
It was found that in this scenario, the Respondent did record, and therefore collect, personal information of the Complainant due to various factors, including that the information provided by the Complainant’s husband was initially requested to be sent to the Complainant’s manager, with an inference that it was to be collected for inclusion in a record and incident reporting, as well as the text message itself being a record that was conveyed to the Managing Director.
The Commissioner also noted that the Respondent’s act of sending an email internally to the staff was not ‘disclosure’ as described under the APP Guidelines and as argued by the Respondent, but rather ‘use’, as the information was managed within the business’ control and was not accessible to outside entities.
The Commissioner then considered the primary purpose of the collection, in comparison to the purpose for which the Respondent used this information. The Commissioner found that the primary purpose of collection in this matter was to ensure the welfare of the Complainant and to meet work, health and safety obligations concerning incident reports. Consequently, the Commissioner determined that the Respondent’s use of the Complainant’s personal information to update staff was not the primary purpose for which it was collected.
Further, the Commissioner held that there were no exceptions available to the Respondent in using the Complainant’s personal information for a secondary purpose. The Respondent could not rely on APP 6.1(a) as the Complainant had not consented to the secondary use of their information, despite the Complainant’s husband willingly sharing the information with the Complainant’s manager. The Commissioner also found that the Respondent could not rely on APP 6.2(a) and APP 6.2(b) in that a reasonable person in the Complainant’s position would not expect the Respondent to disseminate the Complainant’s information in the manner it did, and further that the Work, Health and Safety Act 2011 (NSW) did not authorise the use of the Complainant’s personal information, as was contended by the Respondent.
The Commissioner, in finding that the Respondent interfered with the Complainant’s privacy by breaching APP 6.1, ordered the Respondent to pay the Complainant $3,000 in non-economic loss and $125.10 for reasonably incurred expenses.
Ultimately, this is a determination by the Commissioner and is not binding on courts. However, it is still an important decision providing a clear indication on how the OAIC views the interpretation of the employee records exemption in light of APP 6, even in circumstances where limited personal details are provided.
The Commissioner’s decision in this matter provides a timely reminder for employers as to their obligations when dealing with their employees’ personal information, such as:
In these circumstances, the conduct complained of would only have been permitted under the Privacy Act if consent had been obtained.
Authored by:
Sinead Lynch, Partner
Michael Morris, Partner
Louise Rumble, Partner
Caroline Mostafa, Associate
Tilly Dalton, Clerk