When are you eligible for a legal remedy when an agency breaches your privacy? The answer, as with most things in the legal realm, is “it depends”.

This was one of the issues the Human Rights Review Tribunal grappled with in a recent judgement.

Here’s what happened:

A woman worked for the National Library for a number of years. In 2011, the library was folded into the Department of Internal Affairs (DIA) and restructured. During this restructure, the woman was made redundant.

Two years later, she made an information request under Principle 6, asking  for everything the DIA held about her.  As well as asking for everything the DIA held, her request specifically mentioned a number of documents, such as her official personnel file and handwritten notes from interviews she had with library staff.

The DIA responded with almost all of the information, along with reasons why they could not release some of the information – for example, some of the information had been deleted in keeping with the DIA’s document destruction policy, and some of the information did not exist.

The woman believed that the DIA was still withholding information, so she made a complaint to our office. We found that the DIA staff did in fact have handwritten notes about the woman. They shared these notes with her and we closed the file.

The Tribunal finds a breach . . .

The woman alleged that the DIA’s withholding of these notes had caused her serious harm. She took her case to the Tribunal, which found that the DIA had in fact breached her privacy by withholding the handwritten notes.

The fact that the DIA withheld the notes wasn’t taken in isolation. Rather, the DIA was found in breach because not only did it withhold the notes, it did so in the context of knowing that taking notes was a common practice, and the people handling the personal information request did not ask whether hand written notes existed. This was enough to constitute a privacy breach.

 . . . But no harm

However, the Tribunal also found that the breach did not cause harm. While the woman did outline her harm, that harm was related to the general experience of being made redundant and a number of other unpleasant circumstances – there was no causal relationship between the harm she suffered and the fact that the DIA did not release the handwritten notes.

Furthermore, the content of the notes was not materially dissimilar from the summary report. While this is not an excuse for withholding the notes, it also means that any harm that could have been prevented by releasing the notes would also have been prevented by releasing the summary report – which the DIA did do.

In light of these facts, the Tribunal did not award any damages.

What have we learned?

There are a couple key takeaways from this case:

1. 1. Context is everything. The DIA was found to have breached the woman’s privacy not just for withholding the handwritten notes, but for withholding them while also knowing that staff generally take handwritten notes and failing to make a specific inquiry as to whether these notes existed.

1. 1. Harm must be causal. In sensitive situations with many different factors, it’s easy to correlate the harm from the overall situation with the specific privacy breach. This is not enough in a legal sense, though – to reach the threshold of a damages award, you need to be able to clearly show that the harm was caused by the specific privacy breach.   

 Photo credit: Library by Tara Ross, via Flickr