A recent decision by the Human Rights Review Tribunal (the Tribunal) provides a noteworthy reminder of the importance of privacy rights and obligations in the workplace. In BMN v Stonewood Group Limited [2024][1], the Tribunal awarded a former employee $60,000 in compensatory damages for injury to his feelings, loss of dignity, and humiliation caused by Stonewood Group’s breach of his privacy.
Background
The employee (BMN) was invited to coffee with a senior member of Stonewood Group’s staff and was surprised with a letter outlining concerns about his work performance. Meanwhile, another senior employee removed BMN’s work laptop, personal USB flash drive, and personal cell phone from his desk and locked them in an office. Less than a week later, Stonewood Group terminated BMN’s employment.
Over several months, BMN was denied the return of his property, including sensitive personal information saved within, such as medical and tax records. Instead, his devices were given to a third-party forensic analyst, as Stonewood had concerns that BMN may have had information from other companies (other than Stonewood) and other inappropriate files on his laptop.
Upon a complaint from BMN, the Privacy Commissioner investigated the alleged breaches of the Information Privacy Principles (IPPs) under the (then operating) Privacy Act 1993 (the Act). After an initial finding by the Commissioner that there was an interference with BMN’s privacy, Stonewood gave assurances they would return his property. However, when this did not eventuate, proceedings in the Tribunal were commenced.
Breach of Privacy?
The Tribunal found that BMN’s privacy was breached by Stonewood in three ways:
- The collection of his information was for an unlawful purpose (IPP 1); and
- It was collected from an indirect source (IPP 2); and
- It was done in a manner which was unfair and an unreasonable intrusion upon his personal affairs (IPP 4).
In reaching this finding, the Tribunal clarified that the definition of “collection” is not limited to requests or a solicitation of the information. Actions such as taking a laptop, phone, or USB with the knowledge they contain personal information qualify as a “collection”, even if acquiring the personal information was not the primary purpose for the action. Stonewood also could not establish any “reasonable grounds” which exempted it from collecting the information directly from BMN, or any lawful purpose for collecting BMN’s personal information. Stonewood’s witnesses confirmed during the hearing that despite knowing there would be personal information on the devices, they had not given any thought to privacy considerations when they formulated and then actioned the plan to remove the devices from BMN’s office.
In regard to IPP 4, Stonewood sought to justify their collection by claiming that a forensic report of the laptop gave them a legal right to remove it. The Tribunal rejected this argument on the grounds that a report obtained after the fact could not retroactively justify the unlawful means – the requirements of IPPs 1-4 exist at the time of collection. Additionally, the Tribunal found there were ways the laptop could have been obtained without violating BMN’s privacy rights.
Given the finding that IPPs 1, 2, and 4 had been breached, the Tribunal then considered whether the breaches of the IPPs had any of the following consequences:
- Has caused, or may cause, loss, detriment, damage, or injury to that individual; or
- Has adversely affected, or may adversely affect, the rights, benefits, privileges, obligations, or interests of that individual; or
- Has resulted in, or may result in, significant humiliation, significant loss of dignity, or significant injury to the feelings of that individual.
BMN gave evidence of significant injury to his feelings, along with a formal medical diagnosis, stemming from the collection of the personal information. Stonewood argued that the health conditions were actually caused by the loss of his job, rather than the collection of information, as the medical certificate referred to “employment issues”. However, the Tribunal did not accept this and saw the wrongful collection as the clear catalyst for the impact it had on BMN.
The Tribunal agreed that the subsequent actions from Stonewood could be described as a “campaign of harassment”, which adversely affected BMN’s interests, and that Stonewood’s actions caused significant humiliation.
Overall, the Tribunal found that the breaches resulted in all forms of harm, and BMN was entitled to remedies.
Remedy
As part of the remedies, the Tribunal issued a declaration of a breach of BMN’s privacy by Stonewood. The Tribunal also issued orders for BMN’s personal information and physical property to be returned to him, and any information held by Stonewood to be deleted.
Additionally, full pecuniary damages were awarded ($394.87) for costs incurred by BMN in attempting to obtain the return of his information, including a charge from the forensic investigators.
Perhaps the most striking aspect of this case is the damages awarded for injury to feelings, loss of dignity, and humiliation.
In the previous case of Hammond v Credit Union Baywide (Hammond) [2015], the Tribunal established that there are generally three bands of damages available for these types of harm.[2] For the least serious cases, damages are available up to $10,000; for serious cases, respondents can be ordered to pay between $10,000 and $50,000; and in the most serious cases such as the present, these can amount to more than $50,000.
When deciding a dollar figure to represent the harm caused by a breach of privacy, the Tribunal considers not just the breach itself, but subsequent behaviours as well.
Here, Stonewood not only engaged in ‘subterfuge’ when collecting the information, but it also behaved perversely to BMN afterwards. BMN tried multiple times to get his property and information back, eventually being forced to pay a fee to get these back. Therefore, the Tribunal made Stonewood pay $60,000 to reflect the significant levels of humiliation, loss of dignity, and injury to feelings suffered by BMN because of their actions.
Our Comment
This case is a stark reminder to employers that the principles under the Privacy Act 2020 (the current Act) must be heeded.
Employers do generally have the right to access and control company property. It is not uncommon for an employer to exercise this right and conduct an investigation when there are allegations of misconduct. However, this does not mean that employers enjoy unfettered access to these devices (and any personal information that may be contained within) and/or may depart from the obligations of good faith.
Contractual terms in employment agreements and policies should reflect these principles and employers should actively refer to them when seeking to obtain information from an employee and/or access company property. There is no point thinking about the privacy considerations after the fact – employers should assess possible privacy implications before taking action.
Likewise, employers should be open and honest (acting in good faith!) when engaging with employees and not mislead employees when gathering information. It is clear under both the Employment Relations Act 2000 and Privacy Act 2020 that soliciting information from people under false pretences does not bode well, can cause significant harm, and can result in substantial remedies.
If you have any questions about the privacy principles and/or employment relationships, please get in touch with our Employment Team or your usual contact at Hesketh Henry.
Alison and Madeline gratefully acknowledge Jonathan Twyman (summer clerk) as co-author of this article.
Disclaimer: The information contained in this article is current at the date of publishing and is of a general nature. It should be used as a guide only and not as a substitute for obtaining legal advice. Specific legal advice should be sought where required.
[1] BMN v Stonewood Group Limited [2024] NZHRRT 64.
[2] Hammond v Credit Union Baywide (Hammond) [2015] NZHRRT 6.