Gehan Gunasekara: Privacy training essential

A screenshot of an expletive-laden cake proved costly for Baywide. Photo / Getty Images

Paying only lip service to legislation can be expensive for firms - and individuals.

'We take our obligations under the Privacy Act seriously" is a common refrain, sadly, observed more in the breach. This was the case in the ruling of the Human Rights Review Tribunal in a case involving a former employee who iced a cake expressing her feelings towards her former employer at a private function before uploading its image on to her Facebook page, with privacy settings limiting access to her friends.

Despite the employer stating its supposed adherence to the Privacy Act the evidence produced at the hearing was anything but. It emerged that the plaintiff and her colleague had been among the best qualified and talented employees at the agency in question (the credit union Baywide) which led senior managers who felt threatened by them to persecute them. Ironically, one of the concerns that had been raised by the plaintiff was Baywide being put at legal risk for non-compliance with the Privacy Act among other legal requirements.

This was just the beginning of the saga, however. After the plaintiff and her colleague had resigned and a report of their private party came to the attention of some staff at Baywide, there was an enormous over-reaction on the latter's part. In the first place Baywide's human resources manager coerced a junior employee, a Facebook friend of the plaintiff's, to allow access to her Facebook profile in order that a screenshot of the expletive-laden cake could be obtained.

This image was then widely circulated to recruitment agencies throughout the region in order to damage the plaintiff's future employment prospects. The junior employee also resigned shortly thereafter - the employer bullying resulting in the loss of three talented employees.

Finally, Baywide applied economic pressure on the plaintiff's new employer - a subcontractor to Baywide - to fire her under the 90-day rule, although in the event she left of her own accord so as not to cause undue financial and personal hardship to her new employer.

The plaintiff, who had held a senior position at Baywide, struggled to find employment for a considerable time thereafter and was ultimately able to work only at a much lower level which was humiliating and demeaning, personally and professionally. In addition, she was unable to approach recruitment agencies due to Baywide's actions, being forced to approach employers directly, and was uncertain on each occasion whether the screenshot of the cake had been disclosed to them. These facts were undoubtedly taken into account in the tribunal's unprecedented award of $168,000 in damages against Baywide, the largest single award for breach of the Privacy Act.

It was material also that Baywide had not come clean right away when the Privacy Commissioner investigated the case and their eventual apology was found to be insincere.

The tribunal also made specific orders requiring retraction of the messages with the screenshots to all those to whom they had been sent, a formal apology and, most important of all, a training programme be implemented by Baywide, at its own expense and under the Privacy Commissioner's supervision, of staff as to their obligations under the Privacy Act.

The case provides a salutary lesson on the need for better privacy training within organisations as well as awareness of legal and compliance issues generally. A research project I have conducted recently has found the Privacy Act often arises in employment disputes. This is hardly surprising, because in the tribunal's own words "unrestrained use of personal information can cause devastating, if not irreparable harm to an individual".

The research, moreover, has found the Privacy Act is a two-edged sword because it is often drafted into individual and collective employment agreements. Thus, employees have been disciplined for breaching the act. Employers have also faced liability to customers for employee contraventions of the act. The lesson therefore is that organisations need to pay more attention to the Privacy Act than to pay it mere lip service.

Gehan Gunasekara is an associate professor in commercial law at the University of Auckland business school and is researching the impact of the Privacy Act in employment.