What happens when an employer uses an employee's personal information?
A recent decision by the Human Rights Review Tribunal provides a noteworthy reminder of the importance of privacy rights and obligations in the workplace. In BMN v. Stonewood Group Limited [2024] NZHRRT 64, the tribunal awarded a former employee $60,000 in compensatory damages for injury to his feelings, loss of dignity, and humiliation caused by the employer’s breach of his privacy.
The employee (BMN) was invited to coffee with a senior member of Stonewood Group’s staff and was surprised with a letter outlining concerns about his work performance. Meanwhile, another senior employee removed BMN’s work laptop, personal USB flash drive, and personal cell phone from his desk and locked them in an office. Less than a week later, Stonewood Group terminated BMN’s employment.
Over several months, BMN was denied the return of his property, including sensitive personal information saved within, such as medical and tax records. Instead, his devices were given to a third-party forensic analyst, as Stonewood had concerns that BMN may have had information from other companies (other than Stonewood) and other inappropriate files on his laptop.
Upon a complaint from BMN, the Privacy Commissioner investigated the alleged breaches of the Information Privacy Principles (IPPs) under the (then operating) Privacy Act 1993. After an initial finding by the Commissioner that there was an interference with BMN’s privacy, Stonewood gave assurances they would return his property. However, when this did not eventuate, proceedings in the tribunal were commenced.
The tribunal found that BMN’s privacy was breached by Stonewood in three ways:
In reaching this finding, the tribunal clarified that the definition of “collection” is not limited to a request for, or solicitation of, the information. Actions such as taking a laptop, phone, or USB with the knowledge that they contain personal information qualify as a “collection,” even if acquiring the personal information was not the primary purpose of the action.
Stonewood also could not establish any “reasonable grounds” which exempted it from collecting the information directly from BMN, or any lawful purpose for collecting BMN’s personal information. Stonewood’s witnesses confirmed during the hearing that despite knowing there would be personal information on the devices, they had not given any thought to privacy considerations when they formulated and then actioned the plan to remove the devices from BMN’s office.
In regard to IPP4, Stonewood sought to justify their collection by claiming that a forensic report of the laptop gave them a legal right to remove it. The tribunal rejected this argument on the grounds that a report obtained after the fact could not retroactively justify the unlawful means – the requirements of IPPs 1 to 4 exist at the time of collection. Additionally, the tribunal found there were ways the laptop could have been obtained without violating BMN’s privacy rights.
Given the finding that IPPs 1, 2, and 4 had been breached, the tribunal then considered whether the breaches of the IPPs had any of the following consequences:
BMN gave evidence of significant injury to his feelings, along with a formal medical diagnosis, stemming from the collection of the personal information. Stonewood argued that the health conditions were actually caused by the loss of his job, rather than the collection of information, as the medical certificate referred to “employment issues.” However, the tribunal did not accept this and saw the wrongful collection as the clear catalyst for the impact it had on BMN.
The tribunal agreed that the subsequent actions from Stonewood could be described as a “campaign of harassment,” which adversely affected BMN’s interests, and that Stonewood’s actions caused significant humiliation.
Overall, the tribunal found that the breaches resulted in all forms of harm, and BMN was entitled to remedies.
As part of the remedies, the tribunal issued a declaration of a breach of BMN’s privacy by Stonewood. The tribunal also issued orders for BMN’s personal information and physical property to be returned to him, and for any information held by Stonewood to be deleted.
Additionally, full pecuniary damages were awarded ($394.87) for costs incurred by BMN in attempting to obtain the return of his information, including a charge from the forensic investigators.
Perhaps the most striking aspect of this case is the damages awarded for injury to feelings, loss of dignity, and humiliation.
In the previous case of Hammond v. Credit Union Baywide (Hammond) [2015] NZHRRT 6, the tribunal established that there are generally three bands of damages available for these types of harm. For the least serious cases, damages are available up to $10,000; for serious cases, respondents can be ordered to pay between $10,000 and $50,000; and in the most serious cases such as the present, these can amount to more than $50,000.
When deciding a dollar figure to represent the harm caused by a breach of privacy, the tribunal considers not just the breach itself, but subsequent behaviours as well.
Here, Stonewood not only engaged in “subterfuge” when collecting the information, but it also behaved perversely to BMN afterwards. BMN tried multiple times to get his property and information back, eventually being forced to pay a fee to get these back. Therefore, the tribunal made Stonewood pay $60,000 to reflect the significant levels of humiliation, loss of dignity, and injury to feelings suffered by BMN because of their actions.
This case is a stark reminder to employers that the principles under the Privacy Act 2020 (the current Act) must be heeded.
Employers do generally have the right to access and control company property. It is not uncommon for an employer to exercise this right and conduct an investigation when there are allegations of misconduct. However, this does not mean that employers enjoy unfettered access to these devices (and any personal information that may be contained within) and/or may depart from the obligations of good faith.
Contractual terms in employment agreements and policies should reflect these principles and employers should actively refer to them when seeking to obtain information from an employee and/or access company property. There is no point thinking about the privacy considerations after the fact – employers should assess possible privacy implications before taking action.
Likewise, employers should be open and honest (acting in good faith!) when engaging with employees and not mislead employees when gathering information. It is clear under both the Employment Relations Act 2000 and Privacy Act 2020 that soliciting information from people under false pretenses does not bode well, can cause significant harm, and can result in substantial remedies.
Alison Maelzer is a Partner in the Employment Law Team at Hesketh Henry in Auckland. Madeline Wrigley is a Solicitor in the Employment Law Team at Hesketh Henry in Auckland. Alison and Madeline gratefully acknowledge Jonathan Twyman (summer clerk) as co-author of this article.