CCM v Western Sydney University [2016] NSWCATAD 234

BXK v Western Sydney University [2016] NSWCATAD 235

Shortly after the Jurecek decision was handed down, Western Sydney University avoided liability for an alleged breach of privacy under the Privacy and Personal Information Protection Act 1998 (NSW). The breach was alleged following emails sent by two University employees which had disclosed the personal information of other University employees without their knowledge or consent.

In response to an application made with the Fair Work Commission seeking a stop bullying order, two academics accused of bullying behaviour revealed personal information about other employees who were not involved in the bullying The employees, whose personal information had been disclosed, brought proceedings against the University, before the NSW Civil and Administrative Tribunal, alleging that the University, as the employer, was liable for the breach of their privacy which resulted from the academics’ conduct.

The University submitted that it did not unlawfully use or disclose the applicants’ personal information because the emails were sent in the academics’ private capacity as respondents to the bullying claim. Both of the academics were named personally as respondents and faced personal liability as a result.

Accordingly, the Tribunal found the disclosure of personal information by each academic was for a purpose extraneous to any purpose of the University, and therefore the University could not be held liable for the resulting breaches of privacy.

In the digital age, the ways in which a person’s privacy may be breached are ever growing. Given the significant amount of personal information employers collect about employees on a regular basis, it is important for employers to actively consider the procedures in place to protect their employees’ privacy and comply with legislative obligations.