Employee Privacy Breach: Legal Implications of Unauthorised Health Updates

Jul 31, 2024 | Human Resources

The Privacy Act 1988 (Cth) sets stringent requirements for organisations handling personal information. Specifically, health information collected for one purpose cannot be used for another without the individual’s consent, unless the individual would reasonably expect it to be used for that secondary purpose.

Context and Legal Framework

Health information is particularly sensitive and is protected under the Privacy Act. Exceptions exist when the use or disclosure of personal information about an employee is directly related to the employment relationship and contained within employer-held records. However, these exceptions are narrowly defined.

Case Study: DANI v ALPH (2024)

In a recent case, an employee, identified as Dani, claimed that her employer, Alph, breached her privacy by sharing details about a medical event in an email to the entire staff. The incident occurred in the employer’s car park and was due to a pre-existing condition that Dani had not disclosed.

The employee’s manager later sent an email to reassure staff about her recovery, inadvertently sharing sensitive health information. This information had been provided by the employee’s husband to the employer to ensure her welfare and comply with workplace health and safety requirements.

Employer’s Argument and Ruling

Alph argued that the email fell under the employee records exemption because:

  • The medical event occurred during work hours.
  • There was an ongoing employment relationship.
  • The employer held relevant records, including emergency contact details and health status.
  • The email was related to maintaining workplace health and safety.

Despite these points, the Australian Privacy Commissioner determined that the email, which included the employee’s full name and health details, did not directly relate to the employment relationship. The information was initially collected for workplace health and safety compliance, not for a staff-wide update.

Breach of Privacy and Consent

The Commissioner noted that while the information was provided by the employee’s husband, there was no consent for its dissemination to all staff. Neither Dani nor her husband could have reasonably expected this use of the information. The employer’s duty to ensure workplace health and safety did not necessitate naming the employee in the email.

The Commissioner concluded that the employer had breached the Privacy Act by misusing the employee’s personal information. Consequently, the employer was ordered to compensate the employee for the privacy violation.

Lessons Learned

This case underscores the importance of strict adherence to privacy laws when handling personal and sensitive information. Employers must be cautious and ensure that any use of such information is directly related to its intended purpose and within the scope of consent provided. Missteps in this area can lead to significant legal repercussions and damage to employee trust.

Disclaimer: The information provided in this blog was accurate at the time of writing and is intended as general advice. For specific advice, please call AHR on 1800 577 515.
