Privacy issues in employment
Recent case law has highlighted once again how costly it can be for an employer to breach the privacy of an employee.
Privacy hit the spotlight ten years ago when the Human Rights Review Tribunal (the HRRT) awarded $168,000 in remedies for a significant privacy breach.[1] The latest cases are a salutary reminder for employers to understand and comply with their privacy obligations, or risk considerable financial remedies being awarded against them.
BMN v Stonewood Group Ltd [2024] NZHRRT 64
Stonewood’s Chief Operating Officer invited BMN (a Stonewood employee) to coffee, where he was issued a letter detailing performance concerns. While BMN was away from his desk, another senior employee removed his work laptop, personal USB flash drive, and personal cellphone.
BMN requested the return of his personal information, but Stonewood only gave his cellphone back. A week later, Stonewood terminated BMN’s employment, but did not return the USB (which it denied taking) or the personal information from the laptop.
Eventually, Stonewood agreed to return the personal information on certain conditions, such as BMN sending in a USB drive, paying $299 and signing an undertaking. However, despite BMN complying with these conditions, Stonewood still did not return the personal information.
The HRRT determined that a number of information privacy principles had been breached.
Information Privacy Principle 1 was breached because BMN’s personal information had been collected for an unlawful purpose. Stonewood knew there would be personal information on the devices, and it acknowledged there was no good reason to collect it.
Information Privacy Principle 2 was breached because in deliberately collecting the personal information while he was away from the office, it had not collected the information directly from BMN.
Information Privacy Principle 4 was breached because the information was collected in a manner which was manifestly unfair and an unreasonable intrusion upon BMN’s personal affairs.
The HRRT held that Stonewood’s actions were an interference with privacy in accordance with section 66 of the Privacy Act 2020 and awarded damages of $60,000 for humiliation, loss of dignity and injury to feelings. In particular, the HRRT was influenced by BMN’s medical issues caused by the privacy breaches, and Stonewood continually declining to provide the personal information and constantly changing its requirements when BMN requested the information.
Cummings v KAM Transport Limited [2025] NZHRRT 8
Mr Cummings, a driver for KAM, refused a routine drug test and was stood down. Subsequently, after Mr Cummings did later undertake and pass a drug test, Mr Cummings attended a work site where an employee of KAM’s client accused him of being a drug dealer.
Mr Cummings later discovered the KAM Branch Manager had informed another KAM employee, Mr Kremm, that he had failed a drug test, leading to the damaging and untrue rumour that he had been dismissed for dealing drugs. Although KAM denied having said anything to Mr Kremm, the HRRT held that KAM had disclosed Mr Cummings’ personal information to Mr Kremm.
Even though this was an internal disclosure within KAM, the HRRT concluded it was a breach of Information Privacy Principle 11 (disclosure of personal information) within the scope of employment. Mr Kremm “had no need to know such sensitive personal information about Mr Cummings as part of his employment duties“.
Although Information Privacy Principle 11 is ambiguous as to whether internal disclosures are permissible, the HRRT commented that there is “nothing…to suggest… personal information may be disclosed by employees within an agency without restriction“. The HRRT added further that “disclosure of personal information within an agency may result in significant damage to the privacy interests of an individual“.
The HRRT held that the disclosure had caused Mr Cumming harm amounting to significant humiliation, loss of dignity and injury to feelings, and awarded him $30,000. However, it did not award damages for lost wages as it considered that, despite the privacy breaches, Mr Cummings’ employment was not untenable at the time of his resignation.
Strauss v Fire and Emergency New Zealand [2025] NZERA 227
The Employment Relations Authority (ERA) has held that Fire and Emergency New Zealand’s (FENZ’s) disciplinary process against an employee, Mr Strauss, was in breach of the Privacy Act 2020, and was consequently unjustifiable and a breach of good faith. As such, the disciplinary process, which had been paused due to Mr Strauss’ injunction application, should not continue.
At issue in this case was a concern that had arisen about transactions relating to a mess allowance FENZ pays to fire stations to purchase communal items such as tea, coffee, and biscuits. The employee had set up a personal account, labelled “Blue Watch Mess – Station” to pool leftover money and make purchases for Wigram Blue Watch to cook shared meals.
When the employee left the Blue Watch and was stationed elsewhere, FENZ gained access to the account for administrative purposes, only to consider there were “discrepancies“. FENZ then decided to commence a disciplinary process.
The ERA noted that “the Privacy Act can be relevant to an employment relationship and is in this case“. Its view was that FENZ’s actions breached five of the Information Privacy Principles, including collecting personal information it was not authorised to collect, doing so in a way that was unreasonably intrusive, and failing to notify the employee of the collection.
In particular the ERA held that the use of the employee’s bank account to collect and pool money for Wigram Blue Watch did not change the account from a personal one to an employer controlled one, stating “an employer cannot take control over an employee’s property because it has been intermingled with employer property or colleagues’ property or has been used for work purposes“.
Ultimately, the ERA considered that the evidence was “improperly and unlawfully obtained and in breach of the Privacy Act 2020″,…taint[ing] all…aspects of FENZ’s actions,…breach[ing] the duty of good faith and not act[ing] as a fair and reasonable employer could in all the circumstances“.
If you would like to discuss any privacy issues arising in your workplace, please contact our Employment Team.
[1] Hammond v Baywide Credit Union [2015] HRRT 6.
View PDF version.