The Privacy Commissioner’s determination in the matter of CP and the Department of Defence illustrates one significant difference in the treatment of federal agencies and private sector organisations under the federal Privacy Act.
This case involved an employee of the department who had made a claim for worker’s compensation in respect of an injury alleged to be work-related. The department referred the employee to an independent medical practitioner for an assessment of whether or not the employee was fit for duty. The independent practitioner recommended that his assessment be provided to the employee’s usual treating GP, rather than being provided directly to the employee. The department sought permission from the employee to pass the assessment on to his treating GP, but the employee objected.
Despite the objection, the department provided the assessment to the employee’s treating GP.
The Commissioner determined that this disclosure contravened IPP 11 (the disclosure principle that applied to agencies prior to March 2014). Compensation for non-economic loss was awarded in the sum of $5,000, based on evidence from the employee’s treating psychologist that the employee had suffered humiliation and distress caused in part by the unauthorised disclosure of the independent practitioner’s assessment. The department sought to discredit the psychologist’s report on the basis that the psychologist relied only on an account of events provided by the employee. The Commissioner did not accept this criticism, and said that the psychologist undertook sufficient evaluation of the individual to make a diagnosis.
Had the employer been a private sector organisation, the result may have been quite different. The private sector employer would, no doubt, have argued that their conduct was exempt from the operation of the Privacy Act (by virtue of s7B(3)). To make this argument out, the employer would need to establish that the assessment of a claim for worker’s compensation was directly related to the employment relationship and that the contents of the independent practitioner’s assessment was an “employee record”. However, the “employee record” exemption applies only to “organisations” and not to “agencies”, so this was never an option for the department (and would not be an option had the conduct occurred after March 2014, even though the Australian Privacy Principles are drafted so as to apply evenly to “APP entities”).