Who’s liable if my employee breaches someone’s privacy?

In terms of the Privacy Act, agencies are generally held responsible for the actions of their employees. This means that if an employee breaches someone’s privacy, the agency will be liable in the first instance. The employee may also be liable in certain circumstances.

An agency has a defence against liability if it can demonstrate that it has taken all reasonable steps to prevent its employees from committing the breach in question.

What steps are reasonable will depend on the circumstances, but may include measures like:

• Ensuring that staff are trained, so they are aware of their obligations under the Privacy Act;

• Putting in place clear policies around how personal information is collected, used and secured;

• Ensuring these policies are clearly explained to staff; and

• Having systems in place to monitor staff access to client or customer information.