Limits on the Employee Record Exemption in the Privacy Act

A recent Determination issued by the Office of the Australian Information Commissioner (OAIC) looks at the Privacy Act’s employee record exemption. It also considers whether aggravated damages should be awarded.

(Aggravated damages are only available where, for example, behaviour has been high-handed, malicious, insulting or oppressive – quite a high bar for poor behaviour that is not often reached, resulting in very few aggravated damages awards over the years).

For more guidance on how not to deal with ex-employees’ personal information, and to protect your organisation from damages awards, read on.

What happened?

The complainant worked for Fortrend but resigned on 18 November 2022. While working out their 30-day notice period, the complainant reported experiencing hostility from the Managing Director. This included the Managing Director making threats in a phone call to the complainant, saying they would ‘go to war.’ The complainant took stress leave, with a medical certificate provided by a psychiatrist.

While the complainant was on stress leave, the Fortrend Managing Director continued to contact the complainant in a way that the complainant found to be stressful and threatening.  A further period of stress leave was taken based on a second medical certificate (dated 9 December 2022).

The main issue arose after the complainant left. According to the complainant, the Managing Director informed clients that the complainant had a nervous breakdown and was unfit for work, referencing medical documentation as proof of the claim.  To support that claim, the Managing Director allegedly sent the complainant’s medical certificate dated 9 December 2022 to a client. 

Fortrend denied breaching privacy laws or disclosing the Medical Certificate and, amongst other defences, relied on the employee record exemption to argue that if there had been any disclosure of the medical certificate, it was exempt under the Privacy Act.  

The Commissioner preferred the version of events provided by the complainant, who provided a detailed account of what occurred, supported by contemporaneous file notes and emails. In contrast, the respondent was found to have provided unreliable information and few details about the events surrounding the disclosure.

What was the outcome?

The Privacy Commissioner found that Fortrend (via the acts of its CEO) had interfered with the complainant’s privacy by disclosing the complainant’s Medical Certificate to the complainant’s client.  The disclosure was for an unrelated secondary purpose and in circumstances where the complainant did not consent and the exceptions in APP 6.2 did not apply. 

Perhaps unsurprisingly in the circumstances, the Commissioner virtually threw the book at Fortrend. It required Fortrend to:

  • within 7 days of the determination, issue a written apology to the complainant acknowledging the privacy interference;
  • within 30 days of the determination, pay the complainant $10,000 for non-economic loss and $3,500 for aggravated damages;
  • within 3 months of the determination, engage an independent reviewer with privacy expertise to undertake a review of the respondent’s privacy policies, procedures and processes, including privacy training;
  • within 6 months of the determination, require the independent reviewer to produce a report outlining their findings and any recommended actions;
  • within 2 weeks of receiving the independent reviewer’s report, provide a copy of the report to the Commissioner; and
  • within 6 months of receiving the independent reviewer’s report, report to the Commissioner on what it has done to implement those findings and recommendations.

The requirement to retain an independent expert to review and report on Fortrend’s privacy policies, procedures and processes, including privacy training, and to act on their recommendations can be quite onerous.  In effect, the organisation is at the mercy of the independent expert and their view on what privacy policies, procedures and processes should be implemented.

Employee records exemption

Section 7B(3) of the Privacy Act provides that an act done, or practice engaged in, by a private sector employer, is exempt if the act or practice is directly related to:

  • a current or former employment relationship between the employer and the individual; and
  • an employee record held by the organisation and relating to the individual.

The OAIC found the medical certificate was an employee record, having been created for the purposes of the complainant’s employment. So the issue was whether the respondent’s alleged disclosure of the complainant’s medical certificate was directly related to the employment relationship between the complainant and the respondent.

Not surprisingly, the OAIC also found that the disclosure was not an act or practice directly related to a current or former employment relationship:

… there does not appear to have been any employment related purpose for disclosing the Medical Certificate to the Client, I do not consider the disclosure was related to the respondent’s employment relationship with the complainant.

Damages – Non-Economic Loss

The complainant was awarded $10,000 for non-economic loss, that is, loss that is not financial or property loss. Examples of non-economic loss include pain, humiliation, hurt feelings, anxiety and distress. It has traditionally been quite hard to claim for this type of loss because of its more intangible nature.

In their submissions, the complainant stated that: 

It was a humiliating experience to have to explain to my clients that I was not having a “mental breakdown” as described to them by [Managing Director] and to then have to further discuss my private medical certificate.

The complainant also submitted in a statutory declaration that the impact went well beyond the actual disclosure:

It was a serious and deliberate abuse of power designed to inflict maximum harm and embarrassment to me by taking advantage of his knowledge of my private medical situation and information. He further exacerbated this by the untrue statement that I had suffered a nervous breakdown. His conduct was deeply hurtful and humiliating. It has caused both personal and professional distress, including anxiety and depression which I continue to deal with to this day. This is confirmed by the letter from my treating psychiatrist attached.

In assessing the quantum of non-economic loss, the Commissioner took the following Determinations into consideration:

  • ‘ABQ’ and Serco Group Pty Limited (Privacy) [2022] AICmr 52 (16 June 2022): where the complainant was awarded $2,500 for hurt feelings arising from the unauthorised disclosure of their personal information to various third parties. 
  • NCKX and Australian Information Commissioner [2024] AATA 1100 (10 May 2024): where the then Administrative Appeals Tribunal set aside a decision of the Australian Information Commissioner to award compensation of $5,000 for non-economic loss. The tribunal was guided by the principle that awards for compensation should be restrained, but not minimal, and concluded that a restrained award was $10,000 for non-economic loss. The case involved the publication of the complainant’s personal information on a publicly accessible register over a period of 30 days.
  • ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd [2020] AICmr 21 (12 June 2020): where the complainant was awarded $10,000 for psychological damage and distress caused by the unauthorised disclosure of the complainant’s sensitive information to an incorrect recipient.
  • ‘DK’ and Telstra Corporation Limited [2014] AICmr 118 (30 October 2014): in which the then Commissioner stated ‘the complainant has suffered significant anxiety and distress including I believe a well-founded fear for his physical safety and that of his partner, as a result of the breach’. The complainant was awarded compensation for non-economic loss of $18,000.

Based on the prior cases, the complainant’s statutory declaration and the letter from their psychiatrist, the Commissioner awarded $10,000 in non-economic loss.

Aggravated Damages

The complainant sought $15,000 by way of aggravated damages.  

The award of aggravated damages is quite rare and reserved for particularly poor behaviour or serious breaches.

Circumstances where aggravated damages may be awarded include where: 

  • the respondent has behaved ‘high-handedly, maliciously, insultingly or oppressively’; 
  • the ‘manner in which a defendant conducts his or her case may exacerbate the hurt and injury suffered by the plaintiff;’ 
  • the conduct can be described as being ‘improper, unjustifiable or lacking in bona fides;’
  • the circumstances in which the respondent’s conduct takes place, such as in an employment relationship, may themselves give rise to an element of aggravation. 

In determining whether to award aggravated damages, the Commissioner took the following Determinations into consideration:

  • ‘VJ’, ‘VK’, ‘VL’ and ‘VM’ (Privacy) [2020] AICmr 45 (2 September 2020): where the complainants were awarded $1,500 for aggravated damages, arising from the respondent’s conduct which was insulting, demonstrated a disregard for the complainants’ privacy rights and exacerbated the harm suffered by the complainants.
  • ‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 (19 June 2022): where the complainant was awarded $2,000 for aggravated damages as a result of the respondent’s conduct, which was insulting and exacerbated the complainant’s injury by harming her feelings of dignity. The respondent also failed to engage with the OAIC until a late stage in the investigation, causing delay in resolving the matter.
  • ‘QF’ & Others and Spotless Group Limited [2019] AICmr 20 (28 May 2019): where the Australian Information Commissioner added an award of aggravated damages to the complainants in the amount of $1,500 due to the conduct of the respondent, particularly its indifference towards its privacy obligations in the context of an employment relationship.

Ultimately, the Commissioner awarded $3,500 – the highest award for aggravated damages to date – referring to the following factors relevant to the decision:

  • that access to the information was via the employment relationship, in which the respondent owed a duty of confidentiality and mutual trust to the complainant;
  • that the disclosure was made with intent to harm the complainant;
  • that the respondent had not co-operated during the investigation and had provided unreliable and inaccurate information.

Other things to note

The privacy wheels continue to turn slowly.

  • The complainant made their complaint to the OAIC on 27 April 2023. 
  • Nearly 2 years later – on 30 January 2025 – the OAIC opened an investigation. 
  • A preliminary view was sent to the parties for comment on 30 June 2025. The complainant and respondent both provided submissions in response.
  • The determination is dated 15 September 2025 – some 2.5 years from the complaint being made.

Some other points worth noting:

  • For those making complaints, you need to be patient and resilient, which is often difficult if you’ve also suffered trauma, stress or anxiety as the result of a privacy breach.
  • Make sure you have as much evidence as possible to support your case – including contemporaneous file notes.
  • Co-operation with the Commissioner when carrying out an investigation is always a good idea. Here, the behaviour of the respondent clearly added to the award of aggravated damages.


Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.