A recent decision of the Office of the Australian Information Commissioner (OAIC) has illustrated how difficult it can be for employers to balance their obligations under various workplace laws when managing ill and injured employees.
In these situations, employers are often faced with the unenviable task of managing compliance with discrimination, work health and safety, privacy and workers compensation laws – many of which impose obligations on employers that do not easily align with other laws.
In the decision of ‘ALI’ and ‘ALJ’ (Privacy) [2024] AICmr 131, the OAIC was required to determine a complaint made by an individual that her former employer had breached the Privacy Act 1988 (Cth) (the Privacy Act) and the Australian Privacy Principles (APPs).
The complaint concerned the employer’s handling of a medical episode that the individual had suffered in the car park of their head office. The medical episode was the result of a pre-existing condition that the individual had not disclosed to the respondent. At the time, seven employees had seen the individual lying on the ground and some had to provide CPR until ambulances arrived and conveyed her to a nearby hospital.
The individual’s husband, as her emergency contact, was requested to provide an update and did so, sending a text to the individual’s manager stating that “[she] is being checked out by the doctors and is out of the woods for now. Very sore and tired but otherwise appears ok.”
This message was relayed to the employer’s managing director who, that same day, sent an email to the 110 staff working at head office as follows:
As you are likely aware, [the complainant] experienced a medical episode this morning in the staff car park.
It is believed that [the complainant] collapsed as she was removing items from the boot of her car. After receiving support from [the respondent’s] Staff, [the complainant] was taken by ambulance to Westmead hospital and her husband, [the complainant’s husband], was contacted.
[The complainant’s husband] contacted [the complainant’s manager] about 30 minutes ago and informed [the complainant’s manager] that [the complainant] is conscious and appears okay. She is just sore and tired. [The complainant] will return home after final medical checks by the Doctor.
This has been a traumatic experience and we are all relieved that [the complainant] is recovering well.’
Despite being cleared to return to the office a week later, the individual felt she was unable to do so because of feelings of anxiety and panic related to the medical event. She lodged a complaint with the employer’s Privacy Officer, raising concerns that many of the email’s recipients did not know her or about the medical event prior to the email.
The Privacy Officer determined the complaint and advised the individual that it did not consider there to be any breach to her privacy as the managing director had only disclosed information that was already known in the public domain, and was acting with a duty of care and moral obligation to notify staff of her wellbeing and recovery.
Ultimately, the individual resigned from her employment on the basis that it was no longer tenable to continue working with the employer and lodged a complaint with the OAIC.
Before the OAIC, the employer sought to rely on the “employee records” exemption provided to employers in relation to their handling of employee records in relation to current and former employment relationships. It submitted that the email contained information that was already known to employees and was intended to discharge the employer’s obligations under the Work Health and Safety Act 2011 (NSW) (the WHS Act) and minimise the risk of vicarious trauma in the workplace.
However, the OAIC was of the view that the exemption did not apply in this situation because the email was not directly related to the employment relationship between the employer and the individual. Rather, it was directly related to the employment relationship between the employer and other employees to whom it owed a duty of care.
The OAIC then turned to the question of whether there was a breach of the APPs, specifically APP 6.1 which prohibits an entity from using or disclose personal information collected for a particular purpose, for a secondary purpose.
The OAIC’s position was that the employer had collected the employee’s personal information, including her full name, her husband’s full name, the medical event she suffered at work, the name of the hospital and the status of her health for the primary purpose of ensuring her welfare and to enable the employer to meet its WHS obligations to the individual, such as to complete an incident report.
The OAIC noted that while the information relating to the individual’s health status was vague, on balance, some of it constituted health information and was therefore sensitive information for the purposes of the Privacy Act.
According to the OAIC, the employer then used the personal information for the purpose of updating its staff, which was not the primary purpose for which the information was collected.
The OAIC also noted that the WHS Act did not require or expressly authorise the employer to use the individual’s personal information in the way it did, and that the employer could have discharged its obligations to other staff without identifying the complainant by name, which was the substantial part of her grievance.
The OAIC therefore found that the employer had interfered with the individual’s privacy in breach of the Privacy Act and ordered $3,000 in non-economic loss as well as $125.10 for out-of-pocket expenses. The OAIC refused to make the other orders sought, such as for economic loss (noting that it was the individual’s decision to resign from her employment), a donation to a charitable organisation or provision of an employment reference.
Lessons for employers
As mentioned at the outset, managing ill or injured employees in the workplace requires employers to consider a number of obligations under various workplace laws, some of which may unfortunately conflict with each other.
As much as reasonably practicable, employees and employers should openly communicate with each other about personal information so that these competing obligations can be managed appropriately and with the agreement of both the employee and the employer.
Conflicting legal obligations imposed on employers and decisions like this one make it almost impossible for employers to be able to comply with one legal obligation without breaching another. Decisions like this impede an employer from openly and transparently engaging with employees about matters that do genuinely affect them in the workplace, such as witnessing a traumatic medical event.
As always, legal advice should be sought when confronted with a conflict of laws situation to give your business the best possible chance of minimising risk.
Information provided in this blog is not legal advice and should not be relied upon as such. Workplace Law does not accept liability for any loss or damage arising from reliance on the content of this blog, or from links on this website to any external website. Where applicable, liability is limited by a scheme approved under Professional Standards Legislation.