In a recent decision of the Human Rights Review Tribunal an employer has been ordered to pay an ex-employee damages of $60,000 for interfering with the employee’s privacy.
The CEO invited the employee out of the office for a coffee meeting. During that meeting, the CEO gave the employee a letter detailing concerns about the employee’s performance. While they were out of the office, a director of the employer took the employee’s work laptop, personal USB flash drive, and personal cell phone from the employee’s desk without the employee’s consent or knowledge.
About a week later, the employee’s employment was terminated.
The employer later returned the personal cell phone, but did not return the personal information that had been stored on the work laptop or the employee’s USB drive.
Despite several requests over a long period of time, the employer failed to return the employee’s personal information and USB drive. Instead, the employer effectively blocked the employee’s attempt to obtain the return of his information, engaging in a range of tactics that delayed the return of the information.
The Tribunal found that the employer had collected the employee’s personal information when uplifting the laptop, cell phone and USB. It went on to find that the employer had breached information privacy principles 1, 2, and 4 of the Privacy Act 1993 because the employer had not collected the personal information for a lawful purpose or directly from the employee, and the personal information was collected in circumstances that were unfair and constituted an unreasonable intrusion on the employee’s personal affairs.
The Tribunal went on to determine that the breaches were an interference with the employee’s privacy as they had caused significant humiliation, injury to feelings and loss of dignity to the employee. In support of this finding, evidence had been provided by the employee that three weeks after the collection of his information, he was formally diagnosed with acute anxiety and depression, and prescribed antidepressants and sleeping medication. The employee had also started attending counselling.
The employer argued that the health conditions were caused by the loss of work, not by breaches of the collection principles. However, the collection does not need to be the sole cause of the consequences suffered.
Emails and other correspondence in evidence showed that the health conditions were attributable to distress about the collection of the information, including the inability to retrieve it, and not knowing who had seen it, and who was using and sharing the personal information.
The Tribunal also found that the collection had caused the employee loss and detriment when he couldn’t complete his tax return on time, leading to a penalty. It also negatively affected his interests: it impacted his health and his career prospects, and deprived him of access to a personal USB and to all of the personal information that had been on his laptop.
The Tribunal found that an award of damages of $60,000 appropriately reflected the significant level of humiliation, loss of dignity and injury to feelings experienced by the employee because of the wrongful collection of his personal information.
A prompt return of the personal information wrongly collected would have significantly reduced the humiliation, loss of dignity and injury to feelings experienced and therefore the amount of any award.
This claim was decided under the Privacy Act 1993 because the actions all occurred prior to that Act being replaced by the Privacy Act 2020. However, it is still relevant to conduct under the 2020 Act: information privacy principles 1 to 4 and the test to show an interference with privacy have remained largely unchanged.
The decision is: BMN v Stonewood Group Ltd [2024] NZHRRT 64.