Firm disclosing reason for worker leaving job found to be a breach of privacy
A NEW Zealand company has fallen foul of privacy rules following the departure of an employee.
Drugs and drug paraphernalia were observed in the employee’s car while it was parked in the company car park. A fellow employee took a photo of the items and showed it to various colleagues. This prompted an investigation by management and ultimately led to the employee leaving her job with three months’ wages as part of her severance.
So where did the company go wrong?
Shortly following the employee’s departure, a manager sent an email to the company’s 100plus staff, informing them the employee was no longer employed by the company and had been found with illicit drugs at work.
The email also explained that management had been working with the woman on a number of performancerelated matters.
Not surprisingly, the former employee found out about the email. She complained to the Privacy Commissioner, saying that the stress of the situation had damaged her confidence and emotional state and she was concerned about her ability to find another job, given the small size of the industry.
The Privacy Act places restrictions on how people and organisations can use or disclose information. In particular, principle 11 of the Act says personal information should not be disclosed for purposes other than those for which the information was obtained.
‘‘Personal information’’ is a very wide term, encompassing all ‘‘information about a living human being’’ that identifies, or is capable of identifying, that person.
The company accepted that it had disclosed personal information, but claimed there was no breach of the Act because the information about the drugs and drug paraphernalia was widely known among staff (remember the employee who took the photo had already shown it to a number of colleagues).
The Privacy Commissioner did not accept this approach, noting principle 11 was concerned with the disclosure by the company, and not with what was already known by the recipient. It also noted an email from management carried considerably more weight than workplace gossip.
Having accepted that the company had breached the employee’s privacy, the Privacy Commissioner turned to consider the consequences of that breach. The employee only needed to show that the company’s actions were a contributing or material cause of the harm suffered (but not the sole cause). The Privacy Commissioner formed the view the employee had suffered significant humiliation, loss of dignity or injury to her feelings as a result of the company’s actions.
Ultimately, a private settlement was reached between the parties, so we do not know what this ended up costing the company. However, it is probably safe to assume the experience would have consumed significant resources (both time and money) the company would have preferred to invest elsewhere.
So what could the company have done differently? It is entirely usual to notify employees about staff changes, and it is also understandable that an employer might look for opportunities to reinforce their zero tolerance of drugs in the workplace.
The lesson from this example is that the two messages should be kept quite separate. The reasons for an employee’s dismissal or departure should be kept confidential unless the employee has agreed it can be disclosed. Ideally, any message to the wider company about an employee’s departure should be first approved by the departing employee and not disclose any unapproved personal information.