The Human Rights Review Tribunal has ordered an employer to pay an employee $6,000, and made a declaration that her privacy was interfered with, following another employee unlawfully accessing their co-worker’s personal information.

An employee gave her co-worker a privacy waiver to access her Work and Income New Zealand (WINZ) information in order for her to determine her entitlement to assistance when she was sick but had not worked long enough to accumulate any sick leave.

After suffering two personal grievances at her work place, the co-worker then re-used the privacy waiver to make multiple requests to find out further information about the employee without her consent or authorisation.

The employee complained to the Office of the Privacy Commissioner that her privacy had been breached. 

It was found that the actions alleged in this complaint breached information privacy principles 1, 2, and 4:

  • Principle 1 (purpose for collection) states that personal information can only be collected for a lawful purpose connected with the business/organisation’s functions or activities, and necessary for that purpose

This principle was breached because the colleague’s inquiry to WINZ was not reasonably necessary in connection with the employer’s role as an employer.

  • Principle 2 (source of information) states that personal information should be collected directly from the person it is about, except in a limited number of exceptions (e.g. where the person authorises collection from someone else). 

This principle was breached because the personal information was not collected from the individual concerned and there were no reasonable grounds for the employer to believe the employee would have authorised the collection of that personal information for the purpose of an inquiry to WINZ. Additionally, the personal information could have been requested from the employee’s lawyer if proper procedure had been followed.

  • Principle 4 (manner of collection) requires personal information to be collected through a lawful and fair method that does not unreasonably intrude upon the personal affairs of the individual.

This principle was breached because it was unfair and unreasonably intrusive to re-use the employee’s privacy waiver in order to collect information that was potentially prejudicial to the employee in an employment context.

The employee suffered humiliation and injury to her feelings as a result of the privacy breaches. Because there were breaches of the privacy principles and harm was caused as a result of those breaches, the Human Rights Review Tribunal made a declaration that the employer breached the employee’s privacy and ordered $6,000 in damages against the employer.

This was a costly and time-consuming situation for the employer, which could have been readily prevented with robust privacy practices in place in the workplace.

To prevent a similar situation arising, employers should ensure that their employees receive thorough privacy compliance training and are competent in protecting the privacy of fellow employees, clients, and customers.

Leading law firms committed to helping clients cost-effectively will have a range of fixed-price Initial Consultations to suit most people’s needs in quickly learning what their options are. At Rainey Collins we have an experienced team who can answer your questions and put you on the right track.