The Privacy Commissioner has recently held that a woman's privacy was breached when her former employer sent an email to its employees saying she had been dismissed for possessing illicit drugs (Case Note 276280 [2018] NZPriv Cmr 2).

The email fell within the meaning of "personal information" under the Privacy Act 1993, which includes any information about an identifiable individual.

Employment relationships are fraught with situations where an employee provides personal information to an employer. For example, at the start of the employment relationship, where personal information is collected through the use of pre-employment questionnaires and psychometric testing, or at the end of employment, where employees may provide personal information relating to their resignation, for example illness or family commitments.

What can be difficult for employers is distinguishing what information is personal, and therefore protected by the Privacy Act, and what information is not.

In this particular case, the woman's former manager sent an email to over 100 employees. The email referred to the employee by name and stated that she had been dismissed for possessing illicit drugs on company premises. The email also noted that there had been a number of issues with the woman's performance.

Information Privacy Principle 11 states that personal information should not be disclosed, unless one of the specified exceptions applies. The specified exceptions include circumstances where:

  • disclosure is one of the purposes for which the information was obtained;
  • disclosure is authorised by the individual concerned;
  • or the information is publicly available and it would not be unfair or unreasonable to disclose the information.

The Privacy Commissioner did not accept the company's argument that there was no breach of privacy because the reasons for the employee's dismissal were already widely known around the workplace.

The Commissioner accepted that the employee "suffered significant humiliation, loss of dignity or injury to her feelings as a result of the company's actions". It viewed that "while there was gossip in the workplace, a disclosure made in an email from a senior manager had considerably more weight, and would have been significantly more humiliating and embarrassing".

This case comes as a timely reminder for employers that an employee's personal information should be kept private and confidential, even in dismissal or resignation situations where information may already be widely known. A practical way to mitigate potential liability under the Privacy Act in these situations is to agree on a statement with the employee about what will be communicated to staff and stakeholders on their departure.

In the absence of an agreed statement regarding a dismissal or resignation, the employer should not normally disclose the reasons and should decline to comment if asked.

Employers should also ensure they have an appointed Privacy Officer, responsible for encouraging and ensuring compliance with the information privacy principles. This is required under the Privacy Act.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.