March 2018. A New Zealand company has fallen foul of privacy rules following the departure of an employee. Drugs and drug paraphernalia were observed in the employee’s car while it was parked in the company car park. A fellow employee took a photo of the items and showed it to various colleagues. This prompted an investigation by management, and ultimately led to the employee leaving her job with three months’ wages as part of her severance.
So where did the company go wrong? Shortly following the employee’s departure, a manager sent an email to the company’s 100-plus staff, informing them that the employee was no longer employed by the company and that she had been found with illicit drugs at work, and explaining that management had been working with the woman on a number of performance-related matters.
Not surprisingly, the former employee found out about the email. She complained to the Privacy Commissioner saying that the stress of the situation had damaged her confidence and emotional state and she was concerned about her ability to find another job given the small size of the industry.
The Privacy Act places restrictions on how people and organisations can use or disclose information. In particular, principle 11 of the Act says that personal information should not be disclosed for purposes other than those for which the information was obtained. “Personal information” is a very wide term, encompassing all “information about a living human being” that identifies, or is capable of identifying, that person.
The company accepted that it had disclosed personal information, but claimed that there was no breach of the Act because the information about the drugs and drug paraphernalia was widely known amongst staff (remember the employee who took the photo had already shown it to a number of colleagues).
The Privacy Commissioner did not accept this approach, noting that principle 11 is concerned with the disclosure by the company, and not with what is already known by the recipient. It also noted that an email from management carried considerably more weight than workplace gossip.
Having accepted that the company had breached the employee’s privacy, the Privacy Commissioner turned to consider the consequences of that breach. The employee only needed to show that the company’s actions were a contributing or material cause of the harm suffered (but not the sole cause). The Privacy Commissioner formed the view that the employee had suffered significant humiliation, loss of dignity or injury to her feelings as a result of the company’s actions.
Ultimately a private settlement was reached between the parties, so we do not know what this ended up costing the company. However, it is probably safe to assume that the experience would have consumed significant resources (both time and money) that the company would have preferred to invest elsewhere.
So what could the company have done differently? It is entirely usual to notify employees about staff changes, and it is also understandable that an employer might look for opportunities to reinforce their zero tolerance of drugs in the workplace. The lesson from this example is that the two messages should be kept quite separate. The reasons for an employee’s dismissal or departure should be kept confidential unless the employee has agreed they can be disclosed. Ideally any message to the wider company about an employee’s departure should be first approved by the departing employee and not disclose any unapproved personal information.