Privacy breach results in a $60,000 payout

Tuesday 22 April, 2025
The Human Rights Review Tribunal has ordered Stonewood Group Limited (‘Stonewood’) to pay $60,000 compensation to a former employee (‘BMN’) for interfering with his privacy.
Background
In 2019 BMN was taken out for coffee by Stonewood’s Chief Operating Officer, where he was handed a letter outlining performance concerns. Stonewood’s Executive Director used that time to remove the employee’s work laptop, a personal USB, and his personal phone.
When the employee came back to the office he tried to get his items back. Stonewood only returned his personal phone. It claimed it never removed the personal USB. The employee was concerned because he had stored personal information on the USB and work laptop taken from his desk. This included sensitive files such as tax records and medical information. Despite repeated requests, Stonewood failed to return this data, citing ongoing investigations into the content of the laptop. On one occasion Stonewood’s representative asked BMN to provide a flash drive to store the information and to pay a fee of $299. Even when BMN had complied with this request, his personal information was not released.
For reasons not recorded in the decision, Stonewood dismissed BMN on 28 March 2019.
Complaint to the Privacy Commissioner
In June 2019 the employee complained to the Privacy Commissioner. The Commissioner issued a preliminary view that Stonewood had breached Information Privacy Principles (‘IPPs’) 1, 2, and 4 and that there had been an interference with BMN’s privacy. Stonewood provided assurance that the personal information would be returned by October 2019 and the investigation was discontinued. However, BMN did not receive the information from Stonewood.
Human Rights Review Tribunal
In January 2021 BMN filed claims with the Human Rights Review Tribunal (‘Tribunal’). He claimed Stonewood unlawfully collected and withheld his personal information which constituted an unreasonable intrusion on his personal affairs. He also claimed breaches of IPPs 1, 2, and 4 (related to collection of personal information); IPP 6 (related to requests for personal information); and IPP 11 (related to disclosure of personal information to third parties).
The Tribunal found Stonewood had breached the Privacy Act, including the IPPs related to collection of personal information. It concluded that Stonewood had collected this personal information when it removed his devices from his desk without his knowledge, describing it as “subterfuge”.
Stonewood argued that it had merely received unsolicited information. However, the Tribunal ruled that the company had actively taken the devices and, by extension, the personal data contained on them. The Tribunal found there was no valid reason for bypassing the employee.
Further violations were found under IPP 4, which prohibits the unfair or unreasonable intrusion upon an individual's personal affairs. The Tribunal emphasised that the removal of the employee’s personal devices was carried out without his consent and in a manner that could not be considered reasonable.
However, the Tribunal decided that it did not have jurisdiction over the employee’s claims related to IPPs 6 and 11. This was because the Privacy Commissioner never investigated these claims.
$60,000 damages
The Tribunal found that the employee had suffered significant humiliation, loss of dignity, and injury to feelings, leading to acute anxiety and depression. Stonewood was ordered to return all of the employee’s personal information and his USB, and to delete all personal information relating to the employee from its systems. Stonewood also had to pay the employee pecuniary losses of $394.87 and damages of $60,000 under s88(1)(c) of the Privacy Act for humiliation.
Why this case matters
The case is a reminder to employers that failing to address requests under the Privacy Act in a timely and reasonable manner can attract significant penalties.
The case is also of note for what it has to say about collecting information. Stonewood claimed it could not have breached certain IPPs because it did not “collect” any personal information. It said the information it obtained was unsolicited. The Tribunal disagreed. It pointed to one of its recent decisions where it determined that “collect” is to be interpreted widely and can mean “acquire”. Personal information can be collected even when the person is unaware the collection occurred.
This affects employers who reclaim their devices, whether due to suspensions, dismissals, or simply updating equipment. Employers will need to be sensitive to employee requests related to any personal information on these devices.