
Staff-wide employee health update found to have breached privacy laws

The Privacy Act 1988 (Cth) imposes requirements on certain organisations when dealing with personal information about individuals. In particular, if an organisation collects health information about an individual for a particular purpose, it must not use or disclose the information for another purpose unless the individual consents to that use or disclosure, or the individual would reasonably expect the use or disclosure for that other purpose.

There is an exemption if the use or disclosure relates to personal information about an employee contained in a record held by the employer, where the use or disclosure is directly related to the employment relationship between the employer and employee.

In ALI v ALJ (2024), an employee claimed the employer had breached her privacy by disseminating personal information about a medical event and her subsequent status in an email. The employee had a medical episode in the employer’s carpark, which was the result of a pre-existing medical condition not disclosed to the employer. Later that day, the employee’s manager emailed staff to reassure them that the employee was “recovering well”. The email referenced the employee’s personal and sensitive information.

The employer had collected this information from a text message sent by the employee’s husband. The employer requested the information to ensure the employee’s welfare and for work health and safety compliance purposes, including any associated incident reporting, and therefore for inclusion in a record.

The employer argued the employee records exemption applied to the email because the medical event occurred at the workplace during working hours, there was a current employment relationship between the employee and employer, the employer held records about the employee including her emergency contact details and health status for attendance at work, and the email was directly related to the employment relationship and the employee records.

The Australian Privacy Commissioner ruled that sending the email directly related to the employment relationship between the employer and other employees to whom it owed a duty of care. However, the sending of the email, which identified the employee by her full name and included her sensitive information, to 110 other staff, did not directly relate to its employment relationship with the employee. Therefore, the employee records exemption did not apply.

The Commissioner ruled the employer had used the employee’s personal information for the purpose of updating its staff. This was not for the primary purpose for which the information was collected, which was to comply with work health and safety laws.

While the employee’s husband volunteered the information, there was no consent to it being passed on in a staff-wide email. Neither the employee nor her husband would have reasonably expected the employer would use such information in an email to staff in the manner it did, which identified her by her first and last name.

While laws imposed certain obligations on the employer in relation to ensuring the health and safety of its staff, these did not require or authorise the employer to use the employee’s personal information in the way that it did. The employer could have discharged its obligations to other staff without identifying the employee by name.

Accordingly, the Privacy Commissioner ruled the employer had breached the Privacy Act 1988 (Cth) by sending the email and ordered compensation be paid to the employee.

