‘QF’ & Others and Spotless Group Limited (2019)
The Australian Workers’ Union (AWU) (Victorian Branch) had an agreement with Cleanevent Australia Pty Ltd (a subsidiary of Spotless Group Limited (Spotless)) that the AWU would not seek to increase the terms and conditions of its union members for 3 years, provided Spotless paid up to $25,000 per annum in union fees for its employee members.
In 2011 and 2012, Spotless made the union fee payments to the AWU. At the same time, Spotless provided the AWU with a list of 100 casual employees, which the AWU added to its membership roll. After an investigation by the Royal Commission into Trade Union Governance and Corruption, it was found that Spotless had provided the list of employees to the AWU without regard to whether the employees were members or wished to be members of the AWU. Many employees were not aware of their membership of the AWU or that Spotless was paying their union membership fees.
One employee subsequently complained to the Office of the Australian Information Commissioner (OAIC) that Spotless had breached the Privacy Act 1988 (Cth) (Privacy Act).
Spotless admitted the disclosures but relied on the employee records exemption.
The exemption permits employers not to comply with the Privacy Act when handling an employee’s personal information for a purpose that is directly related to the employment relationship.
The OAIC:
- found Spotless had breached a number of the Australian Privacy Principles and was not satisfied that the employee records exemption applied, as the purpose of supplying the list of employees did not have a sufficient connection to the employment relationship;
- was not satisfied that the employees would have consented to the release of their information and they would not have reasonably expected those disclosures to occur;
- ordered Spotless to issue an apology to the employees whose names were given to the AWU, as well as provide them with $60,000 in compensation; and
- ordered Spotless to engage an independent reviewer to review its privacy compliance procedures, to follow the recommendations of the reviewer and thereafter report back to the OAIC.
Employers should ensure that:
- their privacy policies and procedures are compliant with the Australian Privacy Principles; and
- management and employees are provided with training and are aware of their obligations to maintain privacy of personal information.