Employee records and privacy: employer ordered to pay $60,000 compensation for breach of employee privacy

Key issues:

  • An Australian employer was recently ordered, along with other remedial measures, to pay $60,000 compensation (including for ‘aggravated damages’) to 14 employees and former employees for breaching their privacy.
  • The decision of the Office of the Australian Information Commissioner (OAIC) on 28 May 2019 ('QF' & Others and Spotless Group Limited (Privacy) [2019] AICmr 20 (28 May 2019)), highlights the risks for employers associated with improper handling of employee records and provides some useful insights into managing and containing those risks.
  • In short, the employer might have avoided liability, much of the formal dispute resolution process and the associated adverse publicity through:
    • further attention to its privacy policy and processes; and
    • further attention to the terms and conditions of employment offered to the employees concerned.

What happened?

The employer, Cleanevent, is a subsidiary of ASX listed Spotless Group Limited and employs cleaners. In 2011 and 2012, in two random lists, Cleanevent gave the names of some of its employees to the Victorian Branch of the Australian Workers Union. It also paid money to the union, notionally for the union membership fees of its employees who were, or were supposed to become, members of the union. This occurred regardless of whether the named employees were, were not, or wanted to be members of the union and, so far as the 14 complainants were concerned, without their knowledge or consent. Of the 14 complainants, eight were already members of the union. The remaining six were not.

The point of this arrangement, documented in 2010, was for Cleanevent to secure industrial peace with the union following the expiry (in 2009) of a WorkChoices era collective agreement made in 2006, under which Cleanevent workers were not entitled to award penalty rates. Under the arrangement, Cleanevent kept the benefit of the 2006 collective agreement - saving about $2M in wage costs each year - and the union was to receive payments of up to $25,000 per year, notionally for membership fees. Cleanevent did not tell the complainants about the arrangement. None of them received any financial benefit from it. The six employees who had not themselves joined the union directly never knew that they had become ‘members’ and remained oblivious to any potential benefits of their union ‘membership’.

The complainants became aware of the arrangement and that their names had been given to the union as the result of the Royal Commission into Trade Union Governance and Corruption held over the course of 2014 and 2015.

What were the issues?

The complaint

The complainant employees contended that the disclosure of their names to the union without their knowledge or consent was an unlawful interference with their privacy under the Commonwealth Privacy Act, being in contravention of the then applicable National Privacy Principles (NPPs) relating to use, disclosure and security of personal information (matters now covered by the Australian Privacy Principles (APPs)).

The ‘employee records’ exemption

Spotless’ primary defence was that disclosure of the complainants’ names to the union was not unlawful because it was permitted by the ‘employee records’ exemption provided for in the Privacy Act. The exemption applies to anything done by the employer of an individual ‘directly related to’:

  • a current or former employment relationship between the employer and the individual; and
  • an employee record held by the employer and relating to the individual.

The exemption was introduced when the Privacy Act was first amended in 2001 so as to apply to the private sector. The justification for it at the time was that the privacy of employee records was best left to workplace laws. But then and even now, with limited exceptions, no workplace laws have been made to regulate the privacy of employees in connection with records held by their employers about them. The result is that, in many situations, privacy of employees in relation to records of that kind is largely unregulated.

But this didn’t help Spotless.

The Commissioner held that the employee records exemption didn’t apply, on the basis that Cleanevent’s disclosures of random lists of employees’ names to the union had an insufficient connection with the arrangement between Cleanevent and the union, such that the disclosure was not ‘directly related’ to the employment relationship.

In reaching this conclusion, the Commissioner relied on the dictionary definitions of ‘directly’ and ‘related’. She said that, for the exemption to apply, Spotless had to show that the disclosures had an absolute, exact or precise connection to the employment relationship between Cleanevent and the complainants. For these purposes it did not matter that the arrangement between Cleanevent and the union might itself have met that requirement (about which the Commissioner made no finding). A substantial cause for Spotless’ undoing was that, as the Royal Commission had found, the express terms of Cleanevent’s arrangement with the union did not in fact require Cleanevent to give the union names of Cleanevent employees. Nor did it help that Cleanevent itself argued that the disclosures occurred without its authority (an argument which was rejected) and contrary to the arrangement as approved by Cleanevent management.

Spotless’ Privacy Policy

The decision also examined other things that Spotless might have done to authorise the disclosures. These boiled down to just telling its employees, one way or another, that their personal information - their names - would be given to the union or other organisations of that kind and obtaining their consent to that exercise.

It could have done this directly (but didn’t) or via its privacy policy.

Spotless did have a privacy policy, being a compulsory requirement for private sector organisations with an annual turnover of $3M or more. Even assuming that the employees knew about the policy (which is not discussed in the decision), the Commissioner found that the policy was clearly insufficient to inform employees about the prospect for disclosure of their names to the union.

The outcome

The end result was that the complaints were upheld. Cleanevent’s disclosures of its employees’ names to the union were found to be an unlawful interference with their privacy, in breach of the NPPs relating to use, disclosure and security of the complainants’ personal information. Spotless was ordered to:

  • engage an independent expert to undertake an initial review and to report back to the Commission about Spotless’ privacy compliance procedures, policies and processes, and those of its subsidiaries;
  • repeat that exercise within six months to determine the effectiveness of any response to the initial review/report;
  • apologise in writing to each of the complainants and in doing so to expressly acknowledge the interferences with their privacy and the distress it has caused; and
  • pay compensation to each of the complainants.

The Commission made no bones about where ultimate responsibility for the outcome lay, namely, with Spotless’ board.

Economic loss

No compensation was awarded to the complainants for economic loss, although all maintained claims for lost wages, based on what they would have been paid under the applicable award but for the ongoing application of the 2006 WorkChoices collective agreement. Those claims were rejected because, even assuming the complainants were indeed all worse off, this was not the result of the interference with their privacy. Rather, any loss was caused by the applicable industrial arrangements between Cleanevent and the union.

Non-economic loss

All 14 complainants were awarded compensation for non-economic loss, as compensation for the hurt and humiliation they felt upon discovery of the arrangement between Cleanevent and the union, heightened when they became aware that their names had been misused and improperly disclosed to the union. The complainants’ evidence to the Commission was to the effect that the circumstances had caused them to feel ‘anger and betrayal’ and to experience feelings of ‘stress and/or anxiety’.

The six complainants who had not previously chosen to join the union were each awarded compensation of $4,500. The eight complainants who were already members of the union were each awarded $1,500. The distinction recognised that, for the eight original union members, they had independently chosen to join the union which already had their names. The others were further compensated for an additional level of hurt and/or humiliation, on the basis that the disclosures offended the notion of freedom of association, i.e. the disclosures ‘took away our rights not to join a union’.

Aggravated damages

All of the complainants were also awarded a further sum, of $1,500, for ‘aggravated damages’. ‘Aggravated damages’ can be awarded in many types of claims, including those made under the Privacy Act, where the respondent has behaved ‘high handedly, maliciously, insultingly or oppressively’; where the manner in which the respondent conducts its case exacerbates the hurt and injury suffered by the claimant; or where the conduct of the respondent was otherwise ‘improper, unjustifiable or lacking in bona fides’. In any of those situations ‘an increase to the plaintiff’s sense of hurt may be presumed from all the evidence’.

The awards of aggravated damages to the complainants were justified for these reasons:

  • Spotless failed to appreciate the implications of Cleanevent’s conduct in handing over lists of random employees’ names, outside of the expectations of those employees, and was indifferent to its obligations under the Privacy Act. In these respects, Spotless’ conduct was unjustified, improper and lacking in bona fides;
  • the conduct occurred in the context of an employment relationship, in which Cleanevent exercised authority over the complainants as its employees and had the ability to adversely affect their interests. The cases recognise that context as aggravating conduct;
  • as an employer, Spotless held a position of trust and confidence with respect to its employees and their information. Cleanevent’s conduct, being indifferent to Spotless’ privacy obligations in respect of employee information, damaged that relationship and was a source of additional hurt to the complainants.

What might the employer have done differently?

The fundamental problem for Spotless and Cleanevent was that Cleanevent’s arrangement with the union did not require Cleanevent to give the union lists of its employees’ names. From a purely management perspective, that should never have occurred. So, basic mistakes were made based on a presumed misunderstanding of the arrangement by those tasked with giving effect to it. Those errors aside, the companies might have done other things from a compliance perspective, to mitigate the risk of an unintended breach of employee privacy occurring, including these:

  1. Those within an organisation who have access to ‘personal information’ need to be taught, through training, what ‘personal information’ is and enough to know that dealings with it may well be prohibited by privacy law. The disclosures were made by two employees of Spotless/Cleanevent. Spotless argued that those individuals had acted without authority, an argument which the Commissioner rejected. In any event, the employees who made the disclosures appear not to have realised they were dealing in ‘personal information’ of the kind protected by the Privacy Act. The exercise should have raised a red privacy flag at the outset. This is partly a function of training.
  2. It is not safe to assume that the ‘employee records’ exemption will forgive any transgression against employee privacy. We go the other way, and encourage our clients to organise their affairs as if the exemption did not exist, by covering off on potential dealings with the personal information of their employees in their industrial and management frameworks. The basic point is twofold. Firstly, as far as possible, expressly disclose potential dealings with personal information. Secondly, obtain consent to all such dealings in advance. That work is done through the employer’s policy framework, including in the terms of its privacy policy and in the employees’ terms and conditions of employment.
  3. Spotless’ privacy policy could have anticipated disclosures of the kind which occurred. Despite the unique situation in which Spotless and Cleanevent found themselves, it would not have been far-fetched for Spotless’ privacy policy - documented in 2011 - to telegraph the possibility for employees’ personal information to be given to unions, where unions have been historically active in the contract cleaning industry. Also, the terms and conditions of employment at Cleanevent were partly determined by industrial instruments with a limited life. If there was a failure here, it occurred in the due diligence exercise that Spotless should have conducted in the development of its privacy policy - to identify both the types of personal information Spotless collected and its uses and intended uses of that information. Privacy policies and processes should be reviewed and adapted on an ongoing basis, to reflect an organisation’s actual operations and environment and, ultimately, to properly comply with the Privacy Act. For further insight into this, see our previous article.
  4. Employees and prospective employees need to be told about applicable policies in a way that can be proven later. Spotless’ privacy policy was held to be of no assistance to them in the claims that were made. Perhaps, for that reason, the decision did not canvass whether or not the claimants ever knew about the policy. To have a good policy is the first step. The second is to make sure that those to whom it might relate are told about it. For employees and prospective employees, that means producing it during the recruitment process and cross-referring to it in contracts of employment. This needs to be done in a way that you can later prove, through a suitable system of record keeping. Ideally, prospective and new employees should be required to sign off on having been referred to the employer’s privacy policy during their recruitment and/or induction processes. Employees who might deal with personal information held by an employer need specific instruction about the employer’s legal obligations, tailored to the employer’s environment and management framework, including the employer’s privacy policy.
  5. The issues could have been dealt with in the employment contracts. There is no discussion of employment contracts in the decision. Presumably, Cleanevent’s employment contracts did not deal with privacy or employment-related policies in a way that would have been of assistance. Our default position when drafting employment contracts is to include clauses to the effect that employees agree to familiarise themselves with, and abide by, the employer’s relevant policies, and a specific consent to dealings by the employer in the employees’ ‘personal information’.
  6. And what about the board? As mentioned earlier, the decision makes it plain that responsibility for the events which occurred sat with Spotless’ board. Boards have a responsibility to protect the privacy of not only their employees, but also their customers and other stakeholders as well. This is an issue that all boards need to ensure they are dealing with and about which they have a clear understanding. While it is true that boards already have a large workload, privacy and cyber security are emerging issues that need to be on the list of key oversight issues.

How can we help?

For further information or assistance, please contact our workplace and employment (recognised by ‘Best Lawyers’), intellectual property and technology (ranked as leading by Doyle’s Guide) or Effective Governance teams. We have privacy, employment contracts and truly effective corporate governance covered from A to Z.