Email to staff advising of employee’s medical episode breached the Privacy Act

The Australian Information Commissioner (Commissioner), ALI and ALJ (Privacy) [2024] AICmr 131, awarded compensation for both economic and non-economic loss to an employee following an email sent by the managing director of the employer to 110 staff stating that the employee had experienced a medical episode in the carpark. The Commissioner found that this email was in breach of the Privacy Act 1988 (Cth) (Act)

Facts

On 8 April 2021, the employee complainant had a medical episode in the employer respondent’s carpark. The episode was the result of a pre-existing medical condition. The complainant was witnessed by a number of employees of the respondent lying on the floor of the carpark, apparently unconscious. The employees provided CPR to her until an ambulance arrived.

After the complainant’s husband provided an update about her health by text message to her manager, the managing director of the respondent sent an email to 110 staff working at head office as follows:

‘As you are likely aware, [the complainant] experienced a medical episode this morning in the staff carpark. It is believed that [the complainant] collapsed as she was removing items from the boot of her car. After receiving support from [the respondent’s] staff, [the complainant] was taken by ambulance to Westmead Hospital and [the complainant’s] husband was contacted.

[The complainant’s] husband contacted [the complainant’s manager] about 30 minutes ago and informed [the complainant’s manager] that [the complainant] is conscious and appears okay. She is just sore and tired. [The complainant] will return home after final medical checks by the doctor.

This has been a traumatic experience, and we are all relieved that [the complainant] is recovering well.’

On 21 April 2021, the complainant complained to the respondent’s privacy officer about the email. She contended that many of the email recipients did not know her (or about the medical event) prior to the email being sent. The complainant subsequently made a complaint to the Office of the Commissioner.

Did the Employee Record Exemption apply?

Section 7B(3) of the Privacy Act relevantly provides:

‘An act done, or practice engaged in by an organisation that is or was an employer of an individual is exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to:

(a) a current or former employment relationship between the employer and the individual; and

(b) an employee record held by the organisation relating to the individual.

In QF & Others and Spotless Group Limited (Privacy) [2019] AICmr 20 it was stated:

‘To fall within the exemption of section 7B(3), the act or practice must be directly related to the employment relationship and not merely an act or practice having an indirect or consequential or remote effect on relationship.’

The Commissioner found that the sending of the email directly related to the employment relationship between the respondent and other employees who received the email and to whom it owed a due care and did not directly relate to the employment relationship with the complainant.

APP 6.1

Australian Privacy Principle (APP) 6.1 states that, if an entity to which the APP applies (APP entity) holds personal information that was collected for a particular purpose (primary purpose) the entity must not use or disclose the information for another purpose (secondary purpose) subject to certain exemptions.

An APP entity may use or disclose personal information for a secondary purpose where:

the individual has consented to the use or disclosure of the information; or

the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose, if the information is sensitive information, is directly related to the primary purpose.

Was personal information collected?

The Commissioner found that the personal information received in the text message from the complainant’s husband was collected for inclusion in a record because a staff member of the respondent had requested the complainant’s husband update the complainant’s manager about her status, such that the information was collected for inclusion in a record.

Was personal information used?

The Commissioner found that by distributing the complainant’s personal information in the email to its staff the respondent used the complainant’s personal information.

What was the primary purpose of collection?

The Commissioner found that the respondent collected the complainant’s personal information for the primary purpose of ensuring her welfare and to enable the respondent to meet its workplace health and safety obligations, including the completion of an incident report.

Was there use for a primary purpose?

The Commissioner found the respondent used the complainant’s personal information for the purpose of updating its staff. This was not the primary purpose for which the information was collected. The complainant’s personal information was therefore used for a secondary purpose.

Was the information lawfully used for secondary purpose?

The Commissioner found that the requirements in the Act relating to use of personal information for a secondary purpose were not satisfied because:

(a) the complainant did not consent to the use of her personal information in the email;

(b) the complainant did not reasonably expect, and a reasonable person in her position would not expect the respondent would use the information in an email to the staff in the manner it did and which identified by her first and last names.

The Commissioner therefore found the respondent breached APP 6.1 by using the complainant’s personal information in the email and therefore interfered with her privacy.

Remedies

The Commissioner noted it would have been unreasonable for the respondent to take no action to update relevant staff about the incident. To not do so would have given rise to a risk that gossip or incorrect information would be circulated amongst staff about the incident. However, the respondent accepted, in retrospect, it could have conveyed the information to a more limited number of staff, with the complainant’s consent, or in a de-identified manner.

The complainant was awarded $3,000 for non-economic loss. The respondent was also ordered to reimburse the complainant $125.10 for out-of-pocket expenses she incurred in attending psychologist appointments.

Conclusion

It is a very common (and reasonable) practice to update staff about workplace incidents or injuries, however, employers need to take care with how such communications are worded, such that they do not breach the Act.