Case Update: ALI v ALJ [2024]

A recent decision by the Australian Privacy Commissioner found that an employer breached the Privacy Act 1988 (Cth) by disclosing personal information about an employee following a workplace incident. The complainant noted that details of her medical event, subsequent status and full name was improperly disclosed.

The complainant experienced a medical episode while in the employer’s carpark, which was witnessed by 7 other employees. The incident was severe and resulted in CPR being performed, and an ambulance being called. Shortly after the incident, a staff member contacted the complainant’s husband and requested an update be sent to the complainant’s manager. A text message was sent stating, ‘[the complainant] is being checked out by the doctors and is out of the woods for now. Very sore and tired but otherwise appears ok’.

The Managing Director later sent an email to 110 head office employees, updating them on the incident and the health of the complainant, stating ‘As you are likely aware, [the complainant] experienced a medical episode this morning in the staff carpark… [the complainant] was taken by ambulance to Westmead hospital… [the complainant] is conscious and appears okay’. The complainant filed a complaint with the employer, noting that many of the email recipients did not know her or were not aware of the incident occurring prior to the email being sent.

The Commissioner considered the email to have been sent in good faith, and that the employee’s medical event was broadly referenced to. In this circumstance, the Commissioner noted that it would have been unreasonable for the employer to not provide an update to relevant staff following the incident and would have contributed to incorrect information being circulated. Additionally, the employer was obligated to update staff on the incident to reduce psychological harm, under work health and safety legislation.

Regardless, the Commissioner did consider the employer’s email and disclosure of personal information to breach the Act. Key determining factors included lack of consent provided by the complainant for the disclosure, disclosure of the complainant’s full name, and the use of personal information not falling under the employee records exemption within the Act. 

Following the Commissioner’s findings, employers must stop to consider the potential risks of sending an update related to a workplace incident.

Consider obtaining consent from the employee prior to sending an update. If the employee does not consent, consider whether it is necessary to disclose personal information within the email such as names, medical history, or health status. Also consider who the email is being sent to, for example, is the update being provided to witnesses of the incident, or whether it is being sent organisation-wide.