Employers are often fairly complacent about the fact that personal information that they hold regarding their employees, and the use or disclosure of that information, will automatically come within the terms of the employee records exemption. But a recent case decided by the Australian Privacy Commissioner highlights that while information may initially be collected and used for a legitimate purpose, it may subsequently be accessed for a different, improper purpose, and hence risk a breach of the National Privacy Principles (“NPPs“).

The Australian Privacy Commissioner has found that the Commonwealth Bank of Australia (“CBA”) breached the privacy of one of its customers when it improperly disclosed her personal financial information to her former employer (the Commonwealth Bank Mortgage Innovation Agency) (“MIA”) at a time when Fair Work Commission proceedings in relation to the termination of her employment were on foot.

As her former employer, MIA was a business selling CBA financial products. It was an authorised user for the purpose of accessing CBA customers’ financial information through the bank’s customer management software. The CBA contended that the accessing of her accounts by MIA was not in breach of the NPPs as it was for a legitimate business purpose, that is, it was necessary in order to investigate the propriety of her loan applications. The former employee alleged that the principal of MIA accessed her accounts for the purpose of tracking her financial position during the course of the FWC proceedings and hence obtained an advantage in settling her FWC claim.

On this point the CBA was found to have improperly given access to her personal information for a secondary purpose. The CBA were also found to have failed to take reasonable steps to protect her personal information from misuse in continuing to allow MIA access once it knew of the FWC proceedings and of the potential conflict of interest. The Australian Privacy Commissioner observed that “the principal of an external mortgage agency, with whom the complainant is currently involved in a FWC dispute, would not be an appropriate person to conduct such an investigation. “

In terms of a remedy, the Privacy Commissioner was not satisfied that there was a causal connection between the improper accessing of her accounts and the settlement of her FWC claim to justify an award of economic loss. However compensation for non –economic loss in the sum of $10,000 was awarded for the distress caused to the former employee as a consequence of the manner in which the BCA handled her personal information.

Potentially risky situations for employers include where they have the means to access, for example, a former employee’s financial information, and the employer is in a dispute with that individual, but continues to access their information. Another scenario likely to be problematic is where there is a conflict of interest that should preclude an employer from continuing to access such information, but it maintains its right to access such information, or fails to take steps to prevent potential misuse. Finally contractors fall outside the coverage of the employee records exemption, so care must be exercised to ensure that the collection, use, disclosure and granting access to contractors’ personal information is undertaken for a legitimate purpose at all times.