A recent case illustrates the importance of robust, mandatory privacy training for staff, both to avoid privacy breaches and, if a breach does happen, to avoid liability when a rogue employee goes off on a privacy-invading frolic of their own.
A rogues’ gallery of privacy violations
Up until the recent case of CJU, public sector agencies responding to privacy complaints in the NSW Civil and Administrative Tribunal (the Tribunal) have successfully pursued the argument that if a disclosure was not authorised within the terms of the NSW Disclosure principles (IPP 11 or HPP 11), the agency can simply claim that as the disclosure was not authorised, it must, by definition, have been the act of a rogue employee – for which the agency is not liable, because the rogue employee’s actions should not be attributable to the agency.
In the words of the Tribunal, the ‘rogue employee’ defence is “that not only are the actions unsanctioned by the agency, but the individual is acting in effect contrary to direction and in a rogue and aberrant manner”.
This idea of agencies being able to escape liability for the unauthorised actions of a ‘rogue’ employee dates back to 2006, when the NSW Court of Appeal found that, under the NSW privacy statutes, not every action by an employee can be attributed to their employer: “Where … the “use” or “disclosure” of information was for a purpose extraneous to any purpose of the Department, it should not be characterised as “use” or “disclosure” by the Department or conduct of the Department. … it was not, in my opinion, Parliament’s intention to expose every such agency to a form of absolute liability for the unauthorised private conduct of its employees or agents”.
The Court of Appeal thus found that the Department of Education was not responsible for the actions of their employee when he disclosed information in his “private capacity” as a soccer coach, rather than in his employed capacity as a teacher at the school – even though it was in his capacity as a school teacher that he discovered the information in the first place.
As a result of that decision, in multiple cases since 2006 the Tribunal has applied the ‘rogue employee’ defence to the benefit of government agencies seeking to avoid liability for privacy breaches caused by the conduct of their staff. In each case the agency escaped any liability for a breach of the Disclosure principles, and as a result the victims received no remedy.
However, in our view there is considerable space between conduct that is authorised by the law (being conduct in compliance with IPP 11/HPP 11, or allowed under an exemption to the relevant principle), and conduct that is not only unauthorised, but is also so far outside the normal standard of conduct for that agency, and so motivated by malice or corruption, that the responsible employee should be prosecuted under the criminal offence provisions of the legislation. It is in this middle ground that an agency should – and as a result of a recent case, can – be held liable for an unauthorised disclosure.
Rogues no more: the effect of the CJU case
The CJU case provides an example of a disclosure that was not authorised by the agency, but nor was it malicious or corrupt. And critically, the adequacy of staff training was a pivotal element in determining that the agency was liable for the conduct.
In CJU v SafeWork NSW, the respondent admitted that an unauthorised disclosure had occurred. In the words of the Tribunal: “The respondent’s case was that the Disclosure was a discrete breach of information privacy made in good faith by Mr Covi who was trying to be helpful in responding to an enquiry from a government agency’s solicitor”.
The Tribunal sought to test whether or not the disclosure was indeed made in good faith, questioning why the employee disclosed more information than was requested by the solicitor, without first seeking the consent of the subject. The Tribunal did so by enquiring into the employee’s understanding of his privacy obligations, and what privacy training he had received. Evidence was provided which showed Mr Covi had completed the agency’s online induction training course.
He should have known better: the link between inadequate training and liability
The Tribunal reviewed the agency’s training materials, which offered an overview of the IPPs and informed staff of their legal responsibilities. The Tribunal described the assessment as consisting of “only 10 relatively simple questions”, and noted that Mr Covi said the online course had taken him no more than half an hour, and possibly materially less.
The Tribunal found that “the training steps that have so far been carried out by the respondent are inadequate to convey to staff their responsibilities concerning the disclosure of personal information obtained during the exercise of the powers and functions of the respondent”.
The Tribunal concluded that the evidence “suggests a step taken in ignorance of the applicant’s rights rather than acting in bad faith or maliciously to harm or undermine the applicant’s interests”. The result was therefore a disclosure that was not authorised under the law (and thus was a breach of IPP 11), but because the employee had not been adequately trained in his privacy responsibilities, his actions were attributed to ignorance, rather than bad faith.
In these circumstances, the agency could not claim the ‘rogue employee’ defence, and it was found liable for the breach.
The need for comprehensive privacy training
The effect of CJU is clear: train your staff properly, to reduce both the likelihood of, and liability for, privacy breaches.
The Tribunal characterised the “inadequate training concerning information privacy protection” as “giving rise to a sufficient risk of a future breach”.
To be effective, privacy training must set out clear examples of what is and is not allowed under the privacy law applicable to that organisation, in a way that speaks to their employees’ experiences. Training content must be thorough, and not simply recite the law.
The style must be interactive, to keep staff paying attention. The concepts must set a high enough bar that staff cannot simply cruise through; staff should be challenged, and stretched, by training. The final assessment must likewise be challenging, and must generate proof of understanding and completion for each employee. Hosting your online training in a Learning Management System can help, by enabling you to report to management on the rollout of your training program, keep a track of who has completed training, and retrieve evidence of completion for particular personnel in the event of a privacy breach.
And make sure staff training is repeated, or periodic updates are provided. After conducting a ‘sweep’ of Victorian public sector agencies’ compliance, the Office of the Victorian Information Commissioner (OVIC) recently advised that organisations “should provide refresher training for privacy, not just during employee induction.”
Only once you have a robust, comprehensive and high quality staff training program in place, can your organisation then argue, in the event of an unauthorised disclosure, that the responsible employee was ‘rogue’, such that your organisation should not be liable for their actions.
Salinger Privacy offers quality comprehensive, interactive online privacy awareness training modules, which can be purchased off-the-shelf, or further customised to suit your organisation. See more at www.salingerprivacy.com.au/training/online-training/
An earlier version of this article was first published in the Law Society of NSW Journal, May 2019 edition.