Most employers and employees do the right thing with employee personal information by keeping it securely stored and protected from disclosure or loss. However, occasional slips by employees with control over personal information can be costly both in a financial sense and in an emotional sense.
From the moment an individual applies for a job, an employer has collected personal information about that person. As the employment relationship continues more and more personal information about the individual is collected – and for legitimate reasons.
Some information may relate to the practical side of the employment relationship like contact details and bank account information for paying wages. But as we all know, one’s work life and personal life occasionally intersect and other types of personal information end up in a personnel file. This can include health information legitimately required by an employer to accommodate illness or injury, to ensure an employee is fit to do their job or to substantiate claims for sick leave.
Most employers and employees do the right thing with employee personal information by keeping it securely stored and protected from disclosure or loss. However, occasional slips by employees with control over personal information can be costly both in a financial sense and in an emotional sense.
Exposure of employee personal information can lead to distrust between an employee and their employer, not to mention the potential humiliation an employee may suffer if the information disclosed is particularly sensitive.
This was the case in a recent decision of the Victorian Civil and Administrative Tribunal where an employee’s hurt and humiliation from having her health information exposed resulted in an award of compensation.
Case study – Harrison v Department of Education and Training (Human Rights) (Corrected) [2017] VCAT 1128
The Victorian Department of Education and Training was ordered to pay a teacher $11,000 for failing to take reasonable steps to keep her health information from loss, misuse, unauthorised access or disclosure when a colleague found a note containing the health information in a staff toilet.
The note was penned by the then acting principal during a phone call with one of the Department’s legal advisors. The purpose of the call was to discuss a separate claim lodged by the teacher in the Victorian Equal Opportunity and Human Rights Commission and future workforce planning issues. The note contained short descriptions or single word prompts about what was discussed, including the teacher’s work history, her request for a compassionate transfer and her complex medical history.
The note did not identify the teacher directly but contained sufficient information such that she could be identified as the subject of at least part of the note.
The colleague who found the note in the staff toilet took it to the staff room and had a discussion about it with another employee. They determined the note was about the teacher and placed it in her pigeon hole.
The teacher was distressed to discover the note and did not return to work after finding the note.
The key issue that brought the Department undone was not its possession of the teacher’s health information, but the control, or lack thereof, over that information. The Department, through its employees, failed to protect personal information from loss and disclosure. In particular, the acting principal could not account for how the note came to be in the staff toilet.
The loss and disclosure of the health information breached Health Privacy Principle 4 under the Health Records Act 2001 (Vic) and caused the teacher to suffer damage in the form of distress, an inability to return to work and deterioration in her mental health.
Lessons for employers
Employers should encourage employees, especially managers and those with payroll or HR responsibilities, to be mindful of how they collect, work with and store employee personal information.
Whether the disclosure was intentional or not, the result for the employee is the same and, as demonstrated in our case study, employees can suffer compensable damage from the improper disclosure of their sensitive information.
Accidental disclosure is at higher risk in open plan work spaces. As discussed in our earlier blog Prison break! – How confidential information can escape from open-plan offices employers should consider whether the work done by particular sections of their workforce is suitable to open plan office design.
For example, a note left on a HR manager’s desk while they are at lunch in an open plan office is capable of being reviewed by any employee or visitor who walks past.
In the end, it comes down to common sense – employees should understand the significance of protecting personal information and do everything they can to protect such information from disclosure, including disclosure to their colleagues who do not absolutely need to know.
Of course, exemptions to particular privacy laws exist with regards to employee records but as matter of best practice, employers should aim keep personal information, especially sensitive information like health information, under control and protected from disclosure.
Information provided in this blog is not legal advice and should not be relied upon as such. Workplace Law does not accept liability for any loss or damage arising from reliance on the content of this blog, or from links on this website to any external website. Where applicable, liability is limited by a scheme approved under Professional Standards Legislation.