LEGAL ALERT

Privacy Act – Proposed reforms concerning “doxxing” and case of interest

24 July 2024

This legal alert discusses the proposed reforms to the Privacy Act 1988 (Cth) (Privacy Act) concerning “doxxing” and a recent case of interest, where an employer was found to have breached the Privacy Act by providing an update to employees about the health of an employee following a medical incident in the workplace.

EMA Legal is available to assist employers to understand their obligations under the Privacy Act.

  1. Get ready for more changes – Privacy Act reforms on the way

In addition to other changes being introduced to amend the Privacy Act, the Government has announced it will bring forward reforms to ensure that the release of private information online, with intent to cause harm, is unlawful. This will be relevant to entities that are covered by the Privacy Act and the Australian Privacy Principles.

Addressing this form of harm to individuals, known as ‘doxxing’ or ‘deepfakes’, responds to domestic and family violence threats made through the misuse of online platforms to harm others, particularly women. The reforms will ensure perpetrators face serious criminal penalties, including the potential for gaol time.

So what is doxxing…?

The term is a reference to the ‘dropping of documents’. It is the practice of revealing a person’s identity, or specific information about that person, so that they can be publicly shamed, harassed or harmed; identified where previously anonymous; contacted or located; or exposed through the release of their sensitive, private or intimate information, which may damage their standing and reputation. A simple example might be accessing a person’s personal mobile and sharing intimate photos, texts or other material, such as health or banking information, online. The definition that was subject to consultation is in these terms:

‘The intentional online exposure of an individual’s private information or personal details without their consent.’

What are the penalties for breach?

Serious invasions of privacy in breach of the intended reforms will be prosecuted by way of breach of the Act as a statutory tort, where:

  • The privacy invasion was serious;
  • The person had a reasonable expectation of privacy;
  • The invasion was an intentional or reckless act; and
  • The public interest in privacy outweighs any ‘countervailing public interest’.

This new cause of action is in addition to other individual rights available to a person under the Act and other legislation to counter cyberbullying, for example, rights to correct, delete or amend the information. Certain exemptions will apply, for example, to support the ability to report on public figures, and public interest journalism.

Privacy Act review generally

The Government released its Privacy Act review report announcing the last of Government responses to proposals in February 2023. The privacy review report can be accessed here. It is expected that reforms to the Privacy Act will be introduced to Parliament in August 2024.

  2. Case of interest – obligations when using an employee’s personal information

In a recent decision of the Australian Privacy Commissioner, an employer was found to have contravened ‘Australian Privacy Principle’ (APP) 6 when it disclosed the personal information of an employee in a staff email update about her condition following a medical episode in the workplace.

In April 2021, an employee of a trade wholesale distribution business had a medical episode at work in the employer’s car park, as a result of a pre-existing medical condition. The incident was witnessed by approximately 7 other employees[1], some of whom attended to provide CPR to the employee until such time as medical assistance arrived.

The worker’s husband later sent a text message to her manager as follows:

‘[the complainant] is being checked out by the doctors and is out of the woods for now. Very sore and tired but otherwise appears ok.’

The employer’s Managing Director thereafter sent the following communication to approximately 110 staff at the workplace, naming the employee:

‘As you are likely aware, [the complainant] experienced a medical episode this morning in the staff car park. It is believed that [the complainant] collapsed as she was removing items from the boot of her car. After receiving support from [the respondent’s] Staff, [the complainant] was taken by ambulance to Westmead hospital and her husband, [the complainant’s husband], was contacted. [The complainant’s husband] contacted [the complainant’s manager] about 30 minutes ago and informed [the complainant’s manager] that [the complainant] is conscious and appears okay. She is just sore and tired. [The complainant] will return home after final medical checks by the Doctor. This has been a traumatic experience and we are all relieved that [the complainant] is recovering well.’

The employee subsequently made a complaint to her employer in respect of the communication, noting that most of the 110 recipients did not know about the incident. The employee was dissatisfied with the employer’s response and ultimately resigned from her employment.

The worker subsequently made a complaint to the Office of the Australian Information Commissioner alleging (in summary) a breach of the Privacy Act, and that as a result of that breach, she had suffered loss. The worker sought compensation for the same.

The employer, an APP Entity for the purpose of the Privacy Act, denied the breach. It placed reliance on the “employee records” exception in the Act, and otherwise said that it did not breach the employee’s privacy by sending the email.[2] The employer asserted that it was complying with its obligations under the Work Health and Safety Act 2011 (NSW) to ameliorate other employees’ concerns and discharge its obligations under that Act by sending the email.

The Commissioner considered the “employee record” exemption under the Act, which provides:

An act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to:

  1. a current or former employment relationship between the employer and the individual; and
  2. an employee record held by the organisation and relating to the individual.

The Commissioner found that the sharing of the employee’s personal information with employees following the workplace incident was not “directly related to” the “employment relationship between the employer and the individual”. Instead, the sharing of information was related to the employer’s relationship with other employees in the workplace. The exemption could not be relied upon by the employer.

The Commissioner also did not consider that the WHS Act required or expressly authorised the employer to use the employee’s personal information in the way that it did.[3]

The employer’s use of the employee’s personal information was in breach of the Privacy Act. The employee was awarded $3,000.00 for her non-economic loss and a small amount for other reasonably incurred expenses.

What does this mean for employers?

The Privacy Act has a broad definition of “personal information” – it can include a person’s name, for example, which the Commissioner described as the “heart of” the worker’s grievance.

When sharing employee information, an employer should consider the primary purpose for which it was collected, and the reason that it is being shared. The sharing of an employee’s personal information should always be approached with caution.

ALI and ALJ (Privacy) [2024] AICmr 131


[1] On the employer’s account.
[2] See paragraph [29].
[3] Paragraph [71], and therefore the employer could not rely on APP 6.2(b).

This Newsletter is made available to our clients and interested parties to provide immediate access to information about important changes and developments relevant to employers. The information contained in this publication should not be relied on as legal advice and should not be treated as a substitute for detailed advice that takes into account particular situations and the particular circumstances of your business.