Resources: Blogs

To tell or not to tell

Blogs
|

The difficulties in balancing privacy and WHS obligations when handling employee personal information

A recent decision of the Office of the Australian Information Commissioner has illustrated how difficult it can be for employers to balance their obligations under various workplace laws when managing ill and injured employees.

A recent decision of the Office of the Australian Information Commissioner (OAIC) has illustrated how difficult it can be for employers to balance their obligations under various workplace laws when managing ill and injured employees.

In these situations, employers are often faced with the unenviable task of managing compliance with discrimination, work health and safety, privacy and workers compensation laws – many of which impose obligations on employers that do not easily align with other laws.

In the decision of ‘ALI’ and ‘ALJ’ (Privacy) [2024] AICmr 131, the OAIC was required to determine a complaint made by an individual that her former employer had breached the Privacy Act 1988 (Cth) (the Privacy Act) and the Australian Privacy Principles (APPs).

The complaint concerned the employer’s handling of a medical episode that the individual had suffered in the car park of their head office. The medical episode was the result of a pre-existing condition that the individual had not disclosed to the respondent. At the time, seven employees had seen the individual lying on the ground and some had to provide CPR until ambulances arrived and conveyed her to a nearby hospital.

The individual’s husband, as her emergency contact, was requested to provide an update and did so, sending a text to the individual’s manager stating that “[she] is being checked out by the doctors and is out of the woods for now. Very sore and tired but otherwise appears ok.

This message was relayed to the employer’s managing director who, that same day, sent an email to the 110 staff working at head office as follows:

As you are likely aware, [the complainant] experienced a medical episode this morning in the staff car park.

It is believed that [the complainant] collapsed as she was removing items from the boot of her car. After receiving support from [the respondent’s] Staff, [the complainant] was taken by ambulance to Westmead hospital and her husband, [the complainant’s husband], was contacted.

[The complainant’s husband] contacted [the complainant’s manager] about 30 minutes ago and informed [the complainant’s manager] that [the complainant] is conscious and appears okay. She is just sore and tired. [The complainant] will return home after final medical checks by the Doctor.

This has been a traumatic experience and we are all relieved that [the complainant] is recovering well.’

Despite being cleared to return to the office a week later, the individual felt she was unable to do so because of feelings of anxiety and panic related to the medical event. She lodged a complaint with the employer’s Privacy Officer, raising concerns that many of the email’s recipients did not know her or about the medical event prior to the email.

The Privacy Officer determined the complaint and advised the individual that it did not consider there to be any breach to her privacy as the managing director had only disclosed information that was already known in the public domain, and was acting with a duty of care and moral obligation to notify staff of her wellbeing and recovery.

Ultimately, the individual resigned from her employment on the basis that it was no longer tenable to continue working with the employer and lodged a complaint with the OAIC.  

Before the OAIC, the employer sought to rely on the “employee records” exemption provided to employers in relation to their handling of employee records in relation to current and former employment relationships. It submitted that the email contained information that was already known to employees and was intended to discharge the employer’s obligations under the Work Health and Safety Act 2011 (NSW) (the WHS Act) and minimise the risk of vicarious trauma in the workplace.

However, the OAIC was of the view that the exemption did not apply in this situation because the email was not directly related to the employment relationship between the employer and the individual. Rather, it was directly related to the employment relationship between the employer and other employees to whom it owed a duty of care.

The OAIC then turned to the question of whether there was a breach of the APPs, specifically APP 6.1 which prohibits an entity from using or disclose personal information collected for a particular purpose, for a secondary purpose.

The OAIC’s position was that the employer had collected the employee’s personal information, including her full name, her husband’s full name, the medical event she suffered at work, the name of the hospital and the status of her health for the primary purpose of ensuring her welfare and to enable the employer to meet its WHS obligations to the individual, such as to complete an incident report.

The OAIC noted that while the information relating to the individual’s health status was vague, on balance, some of it constituted health information and was therefore sensitive information for the purposes of the Privacy Act.

According to the OAIC, the employer then used the personal information for the purpose of updating its staff, which was not the primary purpose for which the information was collected.

The OAIC also noted that the WHS Act did not require or expressly authorise the employer to use the individual’s personal information in the way it did, and that the employer could have discharged its obligations to other staff without identifying the complainant by name, which was the substantial part of her grievance.

The OAIC therefore found that the employer had interfered with the individual’s privacy in breach of the Privacy Act and ordered $3,000 in non-economic loss as well as $125.10 for out-of-pocket expenses. The OAIC refused to make the other orders sought, such as for economic loss (noting that it was the individual’s decision to resign from her employment), a donation to a charitable organisation or provision of an employment reference.

Lessons for employers

As mentioned at the outset, managing ill or injured employees in the workplace requires employers to consider a number of obligations under various workplace laws, some of which may unfortunately conflict with each other.

As much as reasonably practicable, employees and employers should openly communicate with each other about personal information so that these competing obligations can be managed appropriately and with the agreement of both the employee and the employer.

Conflicting legal obligations imposed on employers and decisions like this one make it almost impossible for employers to be able to comply with one legal obligation without breaching another.  Decisions like this impede an employer from openly and transparently engaging with employees about matters that do genuinely affect them in the workplace, such as witnessing a traumatic medical event.

As always, legal advice should be sought when confronted with a conflict of laws situation to give your business the best possible chance of minimising risk.

Information provided in this blog is not legal advice and should not be relied upon as such. Workplace Law does not accept liability for any loss or damage arising from reliance on the content of this blog, or from links on this website to any external website. Where applicable, liability is limited by a scheme approved under Professional Standards Legislation.

Similar articles

Victoria records first workplace manslaughter conviction

Various Australian jurisdictions have been slowly introducing an offence of industrial manslaughter, dealing with workplace fatalities that arise as a result of negligent conduct by a person conducting a business or undertaking or its officers.

Read more...

The dangers of failing to keep WHS systems up to date

In a recent decision involving a forklift fatality, the District Court of New South Wales has cautioned growing businesses of the need to ensure that their WHS systems are adequate for the size of the business and the type of work being performed.

Read more...

Requesting health information from employees

A force not to be reckoned with

A recent decision of the NSW Industrial Relations Commission has highlighted one of the pertinent issues currently being faced by employers – that is, to what extent an employer is entitled to require or request an employee provide them with personal medical information.

Read more...

Commission finds no objective or rational connection between an employee’s age and his flexible working request to work from home

The age of flexibility

An employee will only be eligible to request a flexible working arrangement if they are able to demonstrate that there is a sufficient nexus between one of the prescribed circumstances under the Fair Work Act 2009 (Cth) and the request itself.

Read more...

Employer’s “tick and flick” training on workplace policies rendered dismissal unfair

Not just the what, but also the why

When relying on a workplace policy as grounds for dismissal, employers must be able to clearly demonstrate that the employee is aware of the policy and has undergone meaningful training on the policy.

Read more...

Commission finds employer’s unsubstantiated allegations rendered dismissal unfair

Not mushroom for error

Where there is a factual dispute about allegations made against an employee, employers must ensure that the allegations are properly tested before proceeding to a disciplinary process. This will ensure that the employee has been provided with procedural fairness and any reasons relied on by the employer as grounds for dismissal are valid.

Read more...

Let's talk

please contact our directors to discuss how ouR expertise can help your business.

We're here to help

Contact Us
Let Workplace Law become your partner in workplace law and sports law.

Sign up to receive the latest industry updates with commentary from the Workplace Law team direct to your inbox.