A woman worked as a receptionist for Manawatū Community Law Centre (the Centre) on a one-year contract. During her employment she alleged workplace bullying and harassment and filed personal grievance claims.

Against this backdrop, the Centre’s WINZ advocate (Ms A) made two requests to WINZ for the receptionist’s personal information:

• The first request was made in July 2016 immediately following an acrimonious performance review meeting with the manager of the Centre. The information request asked whether the receptionist was still receiving a benefit from WINZ or any WINZ assistance.
• The second request was made in March 2017, at which time the receptionist was on leave having filed two personal grievance claims against the Centre. This request asked for a wide range of personal information about the receptionist, including copies of WINZ file notes dating back to January 2012, and details of any outstanding debts.

On both occasions, Ms A attached a privacy waiver form that had been signed by the receptionist in May 2016.  That waiver had been given for the purpose of enabling WINZ assistance to be provided to the receptionist. The receptionist complained that the Centre’s actions in requesting information from WINZ and using that information in the context of an employment matter, breached her privacy.

The Centre denied breaching the receptionist’s privacy and argued it wasn't unreasonable for it to re-use the privacy waiver.  It also argued that its employee, Ms A, had acted without its authority, had “gone rogue”, and that the Centre was therefore not responsible for her actions.

The Privacy Commissioner’s findings

The receptionist’s complaint was first investigated by our Office, which concluded that the Centre had breached privacy principles 1,2, and 4, but not principle 10.

We also concluded that the Centre’s actions caused harm to the receptionist, and that there was an interference with her privacy.

The Human Rights Review Tribunal decision [2021] NZHRRT 10

The Tribunal agreed with our assessment that it was unfair and unreasonably intrusive for Ms A to re-use the privacy waiver (and that this breached privacy principle 4).  The privacy waiver had been given for the narrow purpose of enabling WINZ assistance to be provided to her, and could not reasonably be relied on to authorise the collection of information within the

Further, the Tribunal found that the requests breached privacy principle 2 as there were no reasonable grounds to believe that the receptionist had authorised the disclosure or that any of the other exceptions applied, and that the second (but not the first) request breached privacy principle 1 due to the breadth of the information sought. 

The Tribunal also found that use of her social welfare number to obtain further information about her in the context of an employment dispute breached privacy principle 10. 

Harm

The receptionist gave evidence that she felt ‘disgusted and hurt’ that the Centre went behind her back twice to get information it was not entitled to, with the purpose of discrediting her in an ongoing investigation relating to her allegations of workplace bullying.

The receptionist said that when she found out about the privacy breach, she felt vulnerable and that her personal information had been exposed for the purpose of trying to belittle her.

The Tribunal was satisfied that the receptionist suffered significant humiliation and injury to her feelings as a result of the privacy breaches.

The Tribunal also found that the Centre was vicariously liable for the actions of Ms A in making the requests to WINZ, as she was acting in her capacity as an employee.

Damages awarded

While the receptionist had sought damages of between $98,000 - $200,000 (being the ‘category three’ band in Hammond v Credit Union Baywide), the Tribunal did not accept that the case was analogous.

The Tribunal made a declaration that the Centre had interfered with the receptionist’s privacy by breaching privacy principles 1, 2, 4 and 10, and awarded damages of $6,000. Costs have been reserved.