A recent decision of the Australian Privacy Commissioner has provided a valuable reminder to employers of the importance of not mismanaging an employee’s personal information, such as WorkCover claims history.
In a recent case, an employee lodged various WorkCover claims against the Department of Defence (Defence), which was referred to Comcare as the authorised insurer.
The employee had previously worked for Department of Human Services (DHS) and in early 2014 also lodged a WorkCover claim with Comcare regarding an injury sustained in 2009 whilst an employee of DHS. Comcare accepted the DHS claim in April 2014, and subsequently closed the DHS claim in September 2014.
However, in February 2016, the employee received an email from Comcare advising that a new pilot program would change the way his current WorkCover claim with DHS would be managed. Comcare also emailed an excel spreadsheet with the employee’s personal information to DHS and the insurer Allianz (which was acting as a contracted service provider to Comcare).
Comcare conceded that the spreadsheet disclosed the employee’s name, contact details, injury dates and WorkCover claims history to DHS and Allianz even though the employee no longer worked with DHS and did not have an active WorkCover claim with DHS for Allianz.
The employee lodged a complaint against Comcare with the Office of the Australian Information Commissioner under the Privacy Act 1998 (Cth) alleging that Comcare had disclosed details of his WorkCover claims history with his current employer, Department of Defence to his previous employer, DHS.
Application of Australian Privacy Principles
The Australian Privacy Principles state that an entity may use or disclose an individual’s personal information when it is done for the same purpose for which the information was collected (the primary purpose). Use or disclosure for another purpose (a secondary purpose) is only permitted where the individual has consented to the use or disclosure of the information or where an exception applies, such as disclosure of the information for a secondary purpose related to the purpose of collection.
Comcare admitted that it made the disclosure to DHS and Allianz in error – i.e. the wrong attachment was provided in the spreadsheet.
Whether a contravention of the Australian Privacy Principles has occurred depends on if, at the time of the incident, Comcare had taken reasonable steps in the circumstances to protect the personal information it held in relation to the employee.
The reasonable steps that an employer should take to ensure the security of personal information will depend upon circumstances that include:
- the nature of the employer
- the amount and sensitivity of the personal information held
- the possible adverse consequences for an individual in the case of breach
- the practical implications of implementing the security measure, including time and costs
In this instance it was held that the personal information held by Comcare will often, as in this case, concern health information in relation to an individual’s current employment. As such, there appears to be a foreseeable risk of adverse consequence to the individual concerned if their personal information is subject to an unauthorised disclosure. This is relevant in considering the degree to which Comcare should secure the personal information it holds.
The Australian Privacy Principles required Comcare to test the processes it uses to aggregate information which it intends to disclose in bulk to external third parties (such as DHS and Allianz), in order to minimise the risk of exposing the personal information it holds to an unauthorised disclosure.
Comcare was held to have breached the Australian Privacy Principles and interfered with the employee’s privacy by improperly disclosing personal information about the employee to DHS and Allianz. It also failed to take reasonable steps to secure the employee’s personal information relating to his claims with defence against unauthorised disclosure.
Comcare made an apology but was ordered to pay $3,000 to the employee for non-economic loss suffered as a result of Comcare’s interference with his privacy for the embarrassment, hurt, humiliation and distress caused.
Comcare was also ordered to review its current quality assurance procedures and develop clear quality control measures regarding what personal information is disclosed in automated bulk data transfers. Comcare was further required to report back to the Australian Privacy Commissioner, within six months, on the results of this review and confirm that the quality control measures have been implemented.
Employee records exemption
Employers will be aware that in some circumstances the handling of employee records in relation to current and former employment relationships by an employer is exempt from the Australian Privacy Principles.
An employer is exempt from the operation of the Privacy Act where its act or practice is related directly to:
- the employment relationship between the organisation and the individual; and
- an employee record held by the organisation.
This is a broad exemption but it should not be automatically assumed that all information an employer holds in relation to its employees is an employee record. Where in doubt, advice should be sought prior to the making of any disclosure.
‘JO’ and Comcare  AICmr 64