Privacy Breach in the Workplace: The Case of a Medical Episode and Its Legal Ramifications

Employment Law: 24 July 2024

Author: Stephen Curtain

On 8 April 2021, the complainant (whom we will call Kylie) had a medical episode in her employer’s carpark. The episode was the result of a pre-existing medical condition which Kylie had not disclosed to her employer. Approximately seven other employees saw Kylie lying on the carpark floor apparently unconscious and provided her with CPR.

One staff member requested that Kylie’s husband contact Kylie’s manager to update him on Kylie’s status, and later that day the husband sent a text message to Kylie’s manager: ‘Kylie is being checked out by the doctors and is out of the woods for now. Very sore and tired but otherwise appears ok.’ Kylie’s manager conveyed the content of that message to the employer’s Managing Director, who later that day sent an email to the approximately 110 staff working at its head office with the subject heading ‘[Kylie] – recovering well’ and the following text:

‘As you are likely aware, [Kylie] experienced a medical episode this morning in the staff car park.

It is believed that [Kylie] collapsed as she was removing items from the boot of her car. After receiving support from [the employer’s] Staff, [Kylie] was taken by ambulance to Westmead hospital and her husband, [Kylie’s husband], was contacted.

[Kylie’s husband] contacted [Kylie’s manager] about 30 minutes ago and informed [Kylie’s manager] that [Kylie] is conscious and appears okay. She is just sore and tired. [Kylie] will return home after final medical checks by the Doctor.

This has been a traumatic experience and we are all relieved that [Kylie] is recovering well.’

On 28 April 2021, Kylie complained to the employer’s Privacy Officer about the sending of the email. She noted that many of the email recipients did not know her or about the medical event prior to the email being sent. Shortly thereafter she verbally resigned from her position because she believed it was ‘no longer tenable’ to continue working for the employer.

In summary, Kylie was aggrieved that the details of her medical event and subsequent status, together with her name and that of her husband, were improperly disseminated in the email. She contended that many staff did not previously know her or were not aware of the episode until receiving the email, and said that ‘having an email sent out about it that unambiguously identified me was mortifying’. She claimed that:

  1. The employer interfered with her privacy by disseminating personal information about the medical event and her subsequent status in the email; and
  2. as a result of the privacy breach, she suffered economic and non-economic loss, and should be awarded compensation.

Relief sought

Kylie sought the following from the employer:

  1. an acknowledgement that it interfered with her privacy;
  2. compensation of $50,096 for economic loss, equivalent to approximately 6 months of her former salary, inclusive of superannuation for the time she claims that she was unable to find employment due to anxiety associated with the interference with her privacy;
  3. compensation of $10,000 for non-economic loss associated with the mental health conditions she had developed following the interference with her privacy and the adverse impact it has had on her personal relationships;
  4. a $5,000 donation to an organisation that provides educational resources about the medical condition from which she suffered; and
  5. a non-prejudicial reference regarding her employment and performance.

The Employee Records Exemption

Section 7B(3) of the Privacy Act relevantly provides that certain acts or practices are exempt from the obligations of the Act, being those engaged in by an employer of an individual which are directly related to:

  1. a current or former employment relationship between the employer and the individual; and
  2. an employee record held by the organisation and relating to the individual.

The employer submitted that the employee records exemption applied to its sending of the email because:

  1. the medical event occurred at Kylie’s workplace during working hours;
  2. there was a current employment relationship between Kylie and the employer;
  3. the employer held records about Kylie including her emergency contact details and health status for attendance at work; and
  4. the email was directly related to the employment relationship and the employee records.

Kylie disputed the employer’s position on the basis that:

  1. sending an email to 110 staff members about the medical event was not directly related to Kylie’s employment; and
  2. the personal information about the medical event contained in the email was not the subject of an employee record at the time the email was sent.

The employer also submitted that the email was directly related to its employment relationship with Kylie because it related to an incident which occurred in the following circumstances:

  1. while Kylie was on work premises, being the car park;
  2. in the course of her employment, at work and during work hours;
  3. she was discovered in the workplace by colleagues, who administered first aid to her;
  4. the employer had legislative and common law obligations to ensure the safety of Kylie and its employees; and
  5. the incident was escalated, as per the employer’s work, health and safety policies.

The employer also submitted that other employees were distressed at seeing Kylie unwell or hearing about the medical event from colleagues, and that it sent the email, containing information that was already known to employees, to address the risk to those employees’ health and safety and to ameliorate their concerns, so as to discharge its obligations under the Work Health and Safety Act 2011 (NSW) (WHS Act) and minimise the risk of vicarious trauma in the workplace. On that basis, it submitted, there was an ‘absolute, exact or precise connection’ to the employment relationship with Kylie.

The Commissioner noted an earlier authority that: “To fall within the exemption under s 7B(3), the act or practice must be directly related to the employment relationship, and not merely an act or practice having an indirect, consequential or remote effect on that relationship.”

Kylie submitted that her employment relationship with the employer was ‘at best indirect or consequential’ to the employer’s act of informing staff of her health status following the medical event.

The Commissioner concluded that the email sent to 110 other staff, which identified Kylie by her full name and included her sensitive information, did not directly relate to the employment relationship with Kylie. The employee records exemption therefore did not apply to exempt the employer from the obligations of the relevant Australian Privacy Principle.

APP 6 - Use of Kylie’s personal information

APP 6.1 states that if an APP entity such as the employer holds personal information that was collected for a particular purpose (the primary purpose), it must not use or disclose the information for another purpose (the secondary purpose), subject to certain exceptions.

The personal information collected by the employer predominantly concerned Kylie’s health condition following the medical event and was voluntarily provided by Kylie’s husband in a text message to Kylie’s manager. That information, in a somewhat varied form, was used in the email which specifically referenced Kylie by her full name.

An APP entity may use or disclose such information for a secondary purpose where:

  1. the individual has consented to the use or disclosure of the information (APP 6.1(a));
  2. the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose, if the information is sensitive information, is directly related to the primary purpose (APP 6.2(a)(i)).

In considering whether the employer had breached APP 6, the relevant issues were:

  1. What personal information was collected, used, or disclosed?
  2. What was the purpose of collection (primary purpose)?
  3. Was the use of the information for the primary purpose or another purpose (secondary purpose)?
  4. If the use was for a secondary purpose, did an exception apply to the use for the secondary purpose?

The personal information of Kylie collected and used by the employer included:

  1. her full name and that of her husband;
  2. the fact that she had a medical event at work;
  3. the name of the hospital in which Kylie was treated; and
  4. the status of Kylie’s health being that she is ‘conscious, very sore and tired but otherwise appears ok’.

Although the language used by the employer to describe Kylie’s health status was vague, on balance, some of the information disseminated by the employer constituted health information and was therefore sensitive information as defined by the Privacy Act.

The employer contended that the health information it disseminated about Kylie was volunteered by her husband and so it should be inferred to have been collected with her consent. However, it was considered evident that Kylie did not consent to the use of her personal information in the email, and that the use was not directly related to the primary purpose for which it was collected. Consequently, the employer could not rely on Kylie having consented to the use of the information under the exception in APP 6.1(a).

In this instance, the employer did not ‘disclose’ Kylie’s personal information within the meaning of APP 6 because it did not make her personal information accessible or visible to others outside the entity. However, by disseminating that personal information in the email to its staff, it ‘used’ Kylie’s personal information which was within its effective control.

The employer said it collected Kylie’s personal information for the primary purpose of ensuring her welfare and to enable the employer to meet its work health and safety obligations to Kylie, including the completion of an incident report.

However, the Commissioner concluded that the employer used Kylie’s personal information for the purpose of updating its staff, which was not the primary purpose for which it was collected, but a secondary purpose.

The employer also argued that it was not in breach of APP 6 as the information in the email was already in the public domain, but this was rejected. The Commissioner noted that an APP entity is not relieved of its privacy obligations in relation to the handling of personal information by virtue of the personal information already being in the public domain.

The employer contended that the secondary purpose for which the personal information about Kylie was used was to ensure the welfare of other staff in accordance with its duty under the Work Health and Safety legislation. However the Commissioner found the legislation did not authorise such use of personal information.

The Commissioner accepted that Kylie did not reasonably expect, and that a reasonable person in her position would not expect, that the employer would use such information in an email to staff in the manner that it did, which identified her by her first and last name, and therefore the exception under APP 6.2(a) applies.

The Commissioner observed that the employer could have discharged its obligations to other staff under the WHS Act, or any relevant common law duty, without identifying Kylie by name, which was at the heart of her grievance. Consequently, she concluded that the WHS Act did not authorise the use of Kylie’s personal information and the employer’s conduct was not permitted under APP 6.2(b).

The Commissioner also concluded that the use of the personal information did not fall within any of the permitted general situations prescribed by s 16A of the Privacy Act, that the employer breached APP 6.1 by using Kylie’s personal information in the email and so interfered with her privacy within the meaning of s 13(1) of the Privacy Act, and that the complaint was substantiated.

The Commissioner considered that the employer’s conduct should be considered in context, noting that:

  1. The employer appears to have sent the email in good faith with a view to allay any concerns held by staff who were aware of Kylie’s medical event and to meet its obligations to those staff under the WHS Act. It appears that the employer was genuinely concerned for the welfare of Kylie about a medical condition in respect of which it had no prior knowledge, and sought to navigate its competing duties to other staff members in a timely manner.
  2. The email did not disclose details of Kylie’s medical condition or associated treatment. Rather, it broadly referenced the medical event, which several staff witnessed and many more had presumably heard about, and that Kylie was okay.
  3. In the circumstances it would have been unreasonable for the employer to take no action to update relevant staff. A failure to do so posed the real risk that gossip or incorrect information would be circulated amongst staff about the incident, which would have arguably been detrimental to Kylie. The employer accepts that, in retrospect, it could have conveyed the relevant information to a more limited number of staff with Kylie’s consent or in a deidentified manner, and has expressed its intention to take such steps if a similar incident arises in the future.

Ultimately Kylie was awarded $3,000 for non-economic loss arising from the privacy breach and the consequent hurt feelings, distress or anxiety.

Kylie sought compensation for her loss of income during the six-month period between resigning from her employment and obtaining other employment, attributing this delay to anxiety associated with the privacy breach. She claimed that the anxiety she experienced in relation to returning to work after the privacy breach was so significant that it rendered her employment to be ‘untenable’.

The Commissioner was not satisfied that the economic loss suffered was caused by the employer’s act of sending the email and that Kylie’s decision to resign was broadly attributable to her perceptions of and feelings toward the employer’s response to the events of 8 April 2021.

The declaration made was:

  1. under s 52(1)(b)(i) of the Privacy Act, the employer engaged in conduct constituting an interference with Kylie’s privacy and must not repeat or continue such conduct; and
  2. under s 52(1)(b)(iii) of the Privacy Act, the employer must pay Kylie, within 30 days of the date of this determination, $3,000 for non-economic loss and $125.10 for reasonably incurred expenses.