We live in an era where ‘one click’ on the wrong link can create a serious privacy risk for an organisation.
This topic has become particularly relevant in the past 12 months, with organised cybercrime groups targeting several high-profile Australian legal and consultancy firms, as well as Government departments. The resulting large-scale data breaches should serve as a warning for all Australian businesses.
While there are many legal questions which may arise from a new cyber risk, a critical question that needs to be asked is:
Can an employer be liable for the acts of an employee where the employee’s actions cause a serious privacy breach?
The short answer is: yes.
For example, a lot of Australian Modern Awards don’t require employers to pay employees to use their own personal phones for work purposes. So, the temptation for employers is to do exactly that.
This often leads to a large amount of client personal and commercial information ending up on the employee's phone, without any oversight by the employer. Worse still, the sensitive information may go with the employee when they leave the organisation. So, although the communication is between the employee and the client (or supplier, or key stakeholder), the business remains liable for any resulting privacy breach and the processes that follow from it.
For these reasons, it is critical that businesses consider the ways in which employees communicate with clients or stakeholders, and how the business is protected in relation to those interactions by maintaining control over such information.
Failure to properly protect your business can have serious financial implications. For example, the maximum penalty for a ‘serious or repeated interference with privacy’ under the Act is:
- For a body corporate, the greater of:
  - $50,000,000; or
  - three times the value of the benefit obtained directly or indirectly by the body corporate and any related bodies corporate, that is reasonably attributable to the conduct constituting the breach; or
  - if the court cannot determine the value of the benefit, 30% of the body corporate's adjusted turnover during the breach turnover period for the breach.
- For a person other than a body corporate: $2,500,000.
Currently, the Privacy Act 1988 (Cth) (the Act) applies to Australian Government agencies and to organisations with an annual turnover of more than $3 million, with some exceptions.
However, the Government has indicated a desire to expand the type of businesses under this obligation. The Government recently endorsed, in principle, the extension of the Act to cover small businesses. This means that smaller scale organisations may soon have to comply with more requirements under the Act.
The Act currently states that the conduct of a director, employee, or agent of a body corporate is considered to be an act of that organisation, as long as that conduct was within the scope of their actual or apparent authority. So, the organisation can be prosecuted for an offence based on the actions of an individual. Those prosecutions include civil penalties (fines) under the Act.
As well as the organisation being prosecuted, a person can also be liable for the acts of an employee or agent, unless the person can prove they took reasonable precautions and exercised due diligence to avoid the conduct.
This means that organisations need to have robust policies and procedures in place, guiding employee and organisational behaviour in order to protect the business against this risk. These processes will likely become more important for smaller scale organisations if the proposed changes are adopted, and the requirements of the Act are expanded.
Repercussions for a privacy breach can be significant, so organisations should take proactive action to ensure they are meeting their privacy obligations.
Organisations should consider:
- What is the state of our internal privacy culture?
- Are the privacy safeguards we have in place sufficient and fit for purpose?
- What level of control do we have over the personal information we collect and store? Consider the implications of allowing directors, employees, or agents to access information systems from work and/or personal devices. In particular, what personal information could a worker unlawfully download or disclose from your information systems through their personal devices?
- What training do we offer our workers regarding the responsible collection, use, storage, and disclosure of personal information?
- What further steps can we take to comply with the Act?
Hicksons' specialist Workplace Relations and Cyber Risk lawyers have extensive experience in assisting employers and businesses with their privacy obligations, policies and procedures.
If you have any questions, please do not hesitate to get in contact.