Employee records and privacy: employer ordered to pay $60,000 compensation for breach of employee privacy
The employer, Cleanevent, is a subsidiary of ASX listed Spotless Group Limited and employs cleaners. In 2011 and 2012, in two random lists, Cleanevent gave the names of some of its employees to the Victorian Branch of the Australian Workers Union. It also paid money to the union, notionally for the union membership fees of its employees who were, or were supposed to become, members of the union. This occurred whether or not the named employees were, were not or wanted to be members of the union and, so far as the 14 complainants were concerned, without their knowledge or consent. Of the 14 complainants, eight were already members of the union. The remaining six were not.
The point of this arrangement, documented in 2010, was for Cleanevent to secure industrial peace with the union following the expiry (in 2009) of a WorkChoices era collective agreement made in 2006, under which Cleanevent workers were not entitled to award penalty rates. Under the arrangement, Cleanevent kept the benefit of the 2006 collective agreement - saving about $2M in wages costs each year - and the union was to receive payments of up to $25,000 per year, notionally for membership fees. Cleanevent did not tell the complainants about the arrangement. None of them received any financial benefit from it. The six employees who had not themselves joined the union directly never knew that they had become ‘members’ and remained oblivious to any potential benefits of their union ‘membership’.
The complainants became aware of the arrangement and that their names had been given to the union as the result of the Royal Commission into Trade Union Governance and Corruption held over the course of 2014 and 2015.
The complainant employees contended that the disclosure of their names to the union without their knowledge or consent was an unlawful interference with their privacy under the Commonwealth Privacy Act, being in contravention of the then applicable National Privacy Principles (NPPs) relating to use, disclosure and security of personal information (matters now covered by the Australian Privacy Principles (APPs)).
Spotless’ primary defence was that disclosure of the complainants’ names to the union was not unlawful because it was permitted by the ‘employee records’ exemption provided for in the Privacy Act. The exemption applies to anything done by the employer of an individual ‘directly related to’:
The exemption was introduced when the Privacy Act was first amended in 2001 so as to apply to the private sector. The justification for it at the time was that the privacy of employee records was best left to workplace laws. But then and even now, with limited exceptions, no workplace laws have been made to regulate the privacy of employees in connection with records held by their employers about them. The result is that, in many situations, privacy of employees in relation to records of that kind is largely unregulated.
But this didn’t help Spotless.
The Commissioner held that the employee records exemption didn’t apply, on the basis that Cleanevent’s disclosures of random lists of employees’ names to the union had an insufficient connection with the arrangement between Cleanevent and the union, such that the disclosure was not ‘directly related’ to the employment relationship.
In reaching this conclusion, the Commissioner relied on the dictionary definitions of ‘directly’ and ‘related’. She said that, for the exemption to apply, Spotless had to show that the disclosures had an absolute, exact or precise connection to the employment relationship between Cleanevent and the complainants. For these purposes it did not matter that the arrangement between Cleanevent and the union might itself have met that requirement (about which the Commissioner made no finding). A substantial cause for Spotless’ undoing was that, as the Royal Commission had found, the express terms of Cleanevent’s arrangement with the union did not in fact require Cleanevent to give the union names of Cleanevent employees. Nor did it help that Cleanevent itself argued that the disclosures occurred without its authority (an argument which was rejected) and contrary to the arrangement as approved by Cleanevent management.
The decision also examined other things that Spotless might have done to authorise the disclosures. These boiled down to just telling its employees, one way or another, that their personal information - their names - would be given to the union or other organisations of that kind and obtaining their consent to that exercise.
The end result was that the complaints were upheld. Cleanevent’s disclosures of its employees’ names to the union were found to be an unlawful interference with their privacy, in breach of the NPPs relating to use, disclosure and security of the complainants’ personal information. Spotless was ordered to:
The Commission made no bones about where ultimate responsibility for the outcome lay, namely, with Spotless’ board.
No compensation was awarded to the complainants for economic loss, although all maintained claims for lost wages, based on what they would have been paid under the applicable award but for the ongoing application of the 2006 Work Choices collective agreement. Those claims were rejected because, even assuming the complainants were indeed all worse off, this was not the result of the interference with their privacy. Rather, any loss was caused by the applicable industrial arrangements between Cleanevent and the union.
All 14 complainants were awarded compensation for non-economic loss, as compensation for the hurt and humiliation they felt upon discovery of the arrangement between Cleanevent and the union, heightened when they became aware that their names had been misused and improperly disclosed to the union. The complainants’ evidence to the Commission was to the effect that the circumstances had caused them to feel ‘anger and betrayal’ and to experience feelings of ‘stress and/or anxiety’.
The six complainants who had not previously chosen to join the union were each awarded compensation of $4,500. The eight complainants who were already members of the union were each awarded $1,500. The distinction recognised that the eight original union members had independently chosen to join the union, which already had their names. The others were further compensated for an additional level of hurt and/or humiliation, on the basis that the disclosures offended the notion of freedom of association, i.e. the disclosures ‘took away our rights not to join a union’.
All of the complainants were also awarded a further sum, of $1,500, for ‘aggravated damages’. ‘Aggravated damages’ can be awarded in many types of claims, including those made under the Privacy Act, where the respondent has behaved ‘high handedly, maliciously, insultingly or oppressively’; where the manner in which the respondent conducts its case exacerbates the hurt and injury suffered by the claimant; or where the conduct of the respondent was otherwise ‘improper, unjustifiable or lacking in bona fides’. In any of those situations ‘an increase to the plaintiff’s sense of hurt may be presumed from all the evidence’.
The awards of aggravated damages to the complainants were justified for these reasons:
The fundamental problem for Spotless and Cleanevent was that Cleanevent’s arrangement with the union did not require Cleanevent to give the union lists of its employees’ names. From a purely management perspective, that should never have occurred. So, basic mistakes were made based on a presumed misunderstanding of the arrangement by those tasked with giving effect to it. Those errors aside, the companies might have done other things from a compliance perspective, to mitigate the risk of an unintended breach of employee privacy occurring, including these: