Privacy Breach during Unfair Dismissal Case

  • 19 Dec 2016
Key Points
  • Commissioner found CBA improperly used Complainant’s personal financial information to advance a Fair Work Commission case.
  • Commissioner found CBA data security practices were not sufficient in circumstances.
  • Commissioner ordered CBA to pay compensation of $10,000 to Complainant for non-economic loss.

On 25 November 2016, Australian Privacy Commissioner Timothy Pilgrim gave his determination regarding the case of a former employee (Complainant) who asserted that a principal of Commonwealth Bank (CBA) (being both her bank and her former employer) accessed her financial information without a legal primary purpose in order to advance their case against her in the Fair Work Commission.

CBA was found to have breached its obligations under two of the National Privacy Principles (NPP), being:

  1. NPP 2 – Use and Disclosure; and
  2. NPP 4 – Information Security.
Use and Disclosure

Under the NPP, use and disclosure of personal information about an individual for the primary purpose of managing a customer’s banking business is not a breach.

CBA argued that the numerous accesses by the principal to the Complainant’s financial information were related to assessing the Complainant’s home loan application and the provision of information to CBA’s security department.

The Complainant questioned, and the Commissioner agreed that, given the surrounding circumstances of the Fair Work Commission proceedings between CBA and the Complainant which involved the principal, the principal was not an appropriate person to conduct such investigations, and amounted to improper use.

Information Security

Under the NPP, a business holding personal information must take reasonable steps to protect the information from misuse, loss, and from unauthorised access, modification, use or disclosure.

Because CBA’s information security practices had allowed the improper use to occur, the Commissioner was satisfied that CBA ought to have had other practices in place to protect the Complainant’s information from such misuse, and the data security practices were not reasonable.

Damages and Determination

The Complainant sought compensation for economic loss, non-economic loss together with aggravated damages.

Though the Commissioner was not satisfied that there was a basis for awarding compensation for economic loss or aggravated damages, the Commissioner considered it appropriate to award the Complainant compensation for non-economic loss on the basis of the type of information breached, and the resulting distress suffered by the Complainant.

The Commissioner made the following orders:

  1. A written apology to be issued to the Complainant within 6 weeks of the determination;
  2. CBA to review its information handling policies, particularly in respect of acknowledged or potential conflict of interest; and
  3. The Complainant is entitled to compensation of $10,000 for the non-economic loss suffered.

Although the facts in this case are a little unusual it is a timely reminder to employers that their obligations to protect the privacy of information they hold about an employee, which does not fall within the employee records exemption, continues after the employment ends, and in circumstances such as this matter extra measures may need to be taken to ensure the security of that information.

Post by Jack Guthrie, Sarah Jones and John Kell

Most Popular Articles


When can the unqualified be qualified? Non-lawyers engaging in legal practice - when is it OK and when is the law broken

Only lawyers can provide legal advice, but anyone can provide legal information. When thinking of the difference, you might ask your friend or colleague to provide information about a serious illness; however you would seek out a qualified medical professional in relation to its treatment.

Service of Notices by Registered Post

Where service of a notice is authorised or required by post, unless the contrary intention appears, service will be deemed to be effected at the time when the notice would be delivered in the ordinary course of post: see the various Acts Interpretation acts of the States and Commonwealth.

Thanks, but no thanks – I don’t want to inherit

It seems odd that anybody would reject an inheritance, but for some beneficiaries, there are valid reasons they do not wish to receive their inheritance.

Subscribe to Our Blog

Keeping you connected, Hicksons regularly publishes articles to keep you up to date on the latest developments. To receive these updates via email, please subscribe below and indicate which areas of law you would like to receive information on.