Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

We respect your Do Not Track preference.

Record damages awarded for cake photo breach Charles Mabbett
2 March 2015

justice

It began with a photo shared privately among friends and set in motion events that resulted in a precedent setting award for damages for a privacy breach.

This week, the Human Rights Review Tribunal awarded Karen Hammond over $168,000 dollars, largely in part for the severe humiliation she suffered through the actions of her former employer, NZCU Baywide.

The amount is ground breaking because it exceeds by a wide margin the previous highest award of $40,000 set in 2003 (Hamilton v The Deanery) and sets a new benchmark for compensating harm caused by a breach of the Privacy Act for unlawfully disclosing personal information.

The Tribunal said in its decision that NZCU Baywide was in breach of principle 11 of the Privacy Act, which states an agency that holds personal information shall not disclose the information to a person or body or agency.

The information related to a photo that Ms Hammond had shared among a circle of friends on Facebook. The photo featured a cake with written obscenities referring to NZCU Baywide, which was her employer at the time - although she was in the process of leaving the company for another employer. The privacy setting meant only those who had been accepted by Ms Hammond as friends had access to the photo, taken at a private dinner party.

The Tribunal said the company management received evidence of the photo and the human resources manager then coerced a junior employee to reveal the photo on her Facebook page. The manager made a screenshot of the photo and disclosed it to other senior managers. The screenshot was then distributed to several employment agencies in the Hawke’s Bay area by email, and was accompanied by phone calls from NZCU Baywide warning against employing Ms Hammond.

The Tribunal said the photo had become the basis for a “sustained campaign by the company to inflict as much harm and humiliation as possible by ensuring she (Ms Hammond) could not be employed in the Hawkes Bay area” and to get her dismissed by her subsequent employer.

The campaign against Ms Hammond made her new position untenable, forcing her to resign because of the threat by NZCU Baywide to boycott her new employer. She was unemployed for 10 months and was not been able to find employment in her preferred field of finance. Her close relationships were severely affected and the stress caused significant harm to her family. The Tribunal noted that she and her partner had struggled financially and emotionally.

The company did admit to breaching principle 11 and had apologised to Ms Hammond. However, the Tribunal said on the balance of evidence, it had established that loss, detriment, damage or injury, as set out in section 66 of the Privacy Act, had occurred to Ms Hammond. It was also satisfied that there had been significant humiliation, loss of dignity and injury to her feelings.

The Tribunal awarded damages of $98,000 for humiliation, loss of dignity and injury to feelings. Further damages were awarded, including $38,350 for loss of income, $15,543 for legal expenses and $16,177 for the loss of a salary benefit Ms Hammond might have expected to obtain, but for the interference to her privacy.

The decision sets a new benchmark for compensating harm caused by a breach of the Privacy Act for unlawfully disclosing personal information.

5 comments

,

Back

Comments

  • We have been told for years that putting anything onto Facebook, regardless of the audience you attempt to limit it to, is tantamount to publishing it to the world. This ruling reverses this presumption. Why?

    Posted by Phil, 03/03/2015 9:00am (2 years ago)

    Post Reply

    The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.

  • Did the employer not have a duty to warn other employers about the ex-employees conduct (portraying the employer in a negative light on facebook)?

    I think that, if asked, the employer should have been able to tell other employers that the ex-employee had portrayed it in a negative light on facebook.

    However, I agree that the employer should not have sent the photo (as that was disclosure of arguably personal information and vindictive).

    Posted by Privacy/Employment Law Student, 12/03/2015 11:30am (2 years ago)

    Post Reply

    The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.

  • This was truly a groundbreaking case, and it is to be hoped that the generally low levels of compensation awarded elsewhere will follow suit. A few comments:

    1. Somewhat surprisingly perhaps (see above), the Tribunal did not take into account the conduct of the plaintiff in giving rise to the situation by making the offensive cake and then uploading it on to Facebook (paras 161-163). Although there is no specific provision in the Privacy Act or Human Rights Act that corresponds to s 125 of the Employment Relations Act (“Remedy reduced if contributory behavior by employee”), the Tribunal might have taken the plaintiff’s contributing conduct into consideration under its equity and good conscience jurisdiction (Human Rights Act 1993, s 105 (“Substantial merits”), via s 89, Privacy Act (“Certain provisions of Human Rights Act 1993 to apply”). There is a precedent for this in the early Privacy Act case of Mayes v Owairaka School Board of Trustees (1997) 3 HRNZ 707 (Complaints Review Tribunal), where no order for damages was made for a breach of principle 6 on the basis that the Tribunal found that the plaintiffs’ conduct had contributed to their own suffering. While damages were certainly called for in this case on the basis of the disclosures, maybe a small discount could have been factored in?

    2. The Tribunal did not find that any of the collection principles had been breached, nor did it feel that it needed to make such a finding. It would have been interesting, however, to have the Tribunal’s reasoned views on two issues.

    Firstly, there was a potential issue as to whether or not the “publicly available information” exception in principle 2(2)(a) applied to facts. The comments of the Tribunal indicated that this exception did not apply as the Facebook information was private, intended only for the plaintiff’s Facebook “friends”, which numbered around 150. This is a large number of people. Facebook friends are not necessarily “real” friends. In Hook v Stream Group (NZ) Pty Limited [2013] NZEmpC 188 (9 October 2013), the Employment Court discussed generally the privacy expectations arising from the committal of personal information to Facebook, and commented:

    It is well established that conduct occurring outside the workplace may give rise to disciplinary action, and Facebook posts, even those ostensibly protected by a privacy setting, may not be regarded as protected communications beyond the reach of employment processes. After all, how private is a written conversation initiated over the internet with 200 “friends”, who can pass the information on to a limitless audience? (para 29)

    The Employment Court also commented that “problems with privacy on social media tend to stem from a sort of recklessness” (para 37). The Court also noted that the High Court in Senior v Police [2013] NZFLR 356 had taken judicial notice that information placed on a Facebook page is not intrinsically “private”, as hundreds of people may have access to it, and the information concerned may in turn be communicated to many others; see also the decision of the full bench of Fair Work Australia in Linfox Australia Pty Ltd v Stutsel [2012] FWAFB 7097, which noted (at para 34) the reach of social media communications. As if to reinforce the lack of real privacy expectations on using Facebook, the Tribunal had nothing to say about how simple it was to pressure an employee to access and disclose personal information from Facebook ("private setting" and all) to the defendant.

    Second, it is arguable that there had been a breach of principle 4, in that the Facebook information had been collected unfairly or in a manner that intruded “to an unreasonable extent upon the personal affairs of the individual concerned.” This would have raised the issue whether or not principle 4 covers situations where the unfair collection is made from a third party, or is unreasonably intrusive when it is made through a third party, or can be reasonably intrusive in relation to a third party but still affects the individual concerned.

    Although breaches of the collection principles might not have necessarily sounded in damages, even declaratory relief could have had precedent value. The issue is an important one given that the collection was made from one of the defendant’s employees. An employer's collection of personal information from an employee’s Facebook page raises an important privacy issue and it is not likely to be a rare occurrence.

    3. The Tribunal did not invoke the developed jurisprudence on the meaning of “disclosure” (not only in the Privacy Act but elsewhere) when it held (at para 141) that information that is already known by the recipient is still “disclosed” for the purposes of the Privacy Act when an agency repeats information already known to the recipient. The Tribunal’s approach to the issue in this case runs counter to previous Tribunal authority: see Privacy Law and Practice, PVA6.14(c)(i) “Disclosure where information already disclosed by someone else, or already known.

    4. In relation to the business pressure put on the plaintiff’s employer by the defendant, forcing her to resign, it is questionable whether this constituted an interference with the plaintiff’s privacy (para 149.4). Although this conduct was worthy of condemnation, it is difficult to see how it had anything to do with the plaintiff’s rights under the Privacy Act.

    5. The Privacy Act training order imposed by the Tribunal (paras 185-187, para 189.9) under s 85(1)(d) and (e) is problematic. Section 85(1)(d) empowers the Tribunal to make an order “that the defendant perform any acts specified in the order with a view to remedying the interference, or redressing any loss or damage suffered by the aggrieved individual as a result of the interference, or both”. Section 85(1)(e) empowers the Tribunal to grant “such other relief as the Tribunal thinks fit”. The Privacy Act training order for NZCU is problematic in three respects.

    Firstly, there is High Court precedent that such training orders fall (or used to fall, before the Human Rights Act was amended in 2001) outside the Tribunal’s jurisdiction: see NZ Van Lines Ltd v Proceedings Commissioner [1995] 1 NZLR 100 (no jurisdiction to order anti-harassment policy in conjunction with Human Rights Commission), W v P, HRRT Decision No 2/99, 16 February 1999 (Complaints Review Tribunal followed NZ Van Lines Ltd case). The reason for this is that such orders do not constitute a “remedy” or “relief” in so far as the plaintiff is concerned, since the plaintiff was no longer an employee of the defendant. See PVA85.6 Section 85(1)(d) Order that the defendant remedy the interference or redress any loss or damage suffered by the aggrieved individual and PVA85.7 Section 85(1)(e): “Such other relief as the Tribunal thinks fit”.

    Secondly, while such training orders are now explicitly provided for under s 92I(3)(f) of the Human Rights Act (as amended in 2001), this is not a provision that applies to proceedings under the Privacy Act (see s 89). For training orders recently granted under the Human Rights Act, see Nakarawa v AFFCO New Zealand Limited [2014] NZHRRT 9 (24 February 2014), Meulenbroek v Vision Antenna Systems Ltd [2014] NZHRRT 51 (14 October 2014), and Satnam Singh v Shane Singh and Scorpion Liquor (2006) [2015] NZHRRT 8 (9 March 2015).

    Thirdly, it is not clear from the Hammond decision that the plaintiff had actually sought the training order, however desirable such an order might seem in the circumstances. Rather, on the face of it appeared to be an order that, in the language of s 85(1)(e), the Tribunal thought fit to make. However, in BHP NZ Steel Ltd v O’Dea (1997) 4 HRNZ 456, the High Court stated obiter that this discretion was “not a licence for the Tribunal to come in from left field and make any order it chooses without notice, or argument, or submission” (p 478). Such an order must be sought by the party seeking relief. The Court went on to state that “This sort of catch-all provision is to deal with incidental and ancillary matters. It should not be interpreted as an open cheque to provide any relief which the Tribunal, after the hearing has concluded but before a decision is given, determines might be appropriate. The basic requirements of natural justice and fair hearing are not abrogated by such a provision.” In the BHP NZ Steel Ltd case, the Tribunal had granted relief other than that sought by the plaintiff.

    6. Notwithstanding the above comments, it was satisfying to see an egregious employer have the book thrown at it.

    Posted by Paul Roth, 16/03/2015 5:19pm (2 years ago)

    Post Reply

    The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.

Post your comment

The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.

Latest Blog Entries