The Privacy Commissioner has found that TD Drilling 2014 Ltd, also trading as TD Drilling Ltd (TD Drilling) breached principles 5 and 6 of the Privacy Act in withholding and then losing employee information in the course of an employment dispute.
Mr R was an employee for TD Drilling. He became concerned that his colleagues had been taking drugs at work, and he notified his boss Mr S, and asked for the matter to be treated in confidence.
Mr S later denied this confidentially agreement, and called a work meeting, announcing that drug testing would take place because Mr R had reported the alleged drug use. This concerned Mr R as a number of his colleagues had a history of violence, drug use and imprisonment and he feared retaliation. Mr S then confronted Mr R in front of five fellow employees, and publicly accused him of causing trouble in the workplace.
In these circumstances Mr R considered his employment at TD Drilling to be untenable, and he left the next day. He then laid a claim with the Employment Relations Authority (ERA). He also submitted a complaint with the Privacy Commissioner, alleging his lawyers had requested his personal information from TD Drilling, but this had not been responded to.
Mr R’s complaint raised issues under principle 11 of the Privacy Act, which says an agency cannot disclose personal information it holds about an individual unless one of the exceptions apply. It also raised issues under principle 6, which says individuals have a right to access personal information an agency holds about themselves, unless one of the withholding grounds apply.
Early into our investigation, the ERA reached its decision. The ERA found that TD Drilling had unjustifiably dismissed and disadvantaged Mr R, and ordered it to pay him $22,115 in lost wages and compensation. The ERA found that revealing Mr R as the source of the drug revelations had put him in a dangerous position, and almost nothing had been done to address his concerns.
We discontinued our investigation into the disclosure of information, but continued to examine TD Drilling's response to Mr R's request for personal information.
Request for personal information
TD Drilling released a small amount of information about Mr R. However, Mr R noted a significant amount of his employee information was missing. After further follow up, TD Drilling claimed that it had lost or misplaced his files when it had moved premises.
This raised issues under principle 5 of the Privacy Act, which says that an agency must have reasonable safeguards in place to prevent the loss, misuse, or disclosure of personal information.
TD Drilling had ignored Mr R’s request (when the information existed and would have been useful for Mr R), and then had subsequently lost the information by the time our Office investigated.
Looking after employee information is a basic and important responsibility for all employers. It was especially so in this case, as there was a serious employment dispute. It is our view there was serious negligence, or even recklessness in how this information and the information request was treated when a dispute arose.
We note TD Drilling acted poorly throughout, including its behaviour that resulted in the employment dispute, and its subsequent behaviour throughout our investigation.
The Privacy Commissioner found that TD Drilling had breached principles 5 and 6 of the Privacy Act. TD Drilling and Mr R subsequently settled this dispute, with TD Drilling agreeing to pay the amount awarded by the ERA.
We considered TD Drilling’s behaviour and practices to be unacceptable. Our investigations are almost always confidential, but we considered applying our naming policy https://www.privacy.org.nz/naming-policy to publicly identify the company in order highlight bad practice, and to remind small businesses that they too have privacy obligations towards their employees. We remain concerned about the security of personal information of other employees in the company.
We offered TD Drilling an opportunity to comment, but it did not respond.
Contact: Sam Grover 021 959 050 to interview Privacy Commissioner John Edwards.
Note for editors: This is the third recent application of the Privacy Commissioner’s policy on naming respondents.
- On 5 December 2016 the Privacy Commissioner publicly identified Law Debt in relation to breaching the Privacy Act: https://www.privacy.org.nz/news-and-publications/statements-media-releases/privacy-commissioner-finds-debt-collector-failed-to-check-accuracy/
- On 19 December 2016 the Privacy Commissioner named The Department of Corrections in relation to its actions in handling the Benjamin Lightbody complaint: https://www.privacy.org.nz/news-and-publications/case-notes-and-court-decisions/case-note-277412-2016-nz-privcmr-13-corrections-failed-to-comply-with-access-request-from-inmate-seriously-assaulted-in-prison/