In March 2025, the Human Rights Review Tribunal ordered KAM Transport Limited to pay $30,000 to a former employee after it found the company had breached the employee’s privacy. The case arose from an internal disclosure of sensitive information that led to damaging rumours about the employee, including a false allegation that he was involved in drug dealing. The Tribunal’s findings reinforce that privacy obligations extend to internal conversations and that “casual” workplace gossip can expose employers to legal and reputational risk.
BACKGROUND
Cummings, a long-serving truck driver, was selected for a random drug test at work in August 2020. He refused to take the test, triggering a disciplinary process as permitted under his employment agreement. After returning a negative test a week later, he resumed his duties. However, within days of his return, a forklift driver at a client’s site confronted him with a rumour that he had been dismissed for failing a drug test and was a drug dealer. It soon became clear that the rumour had originated within KAM and had spread both internally and externally.
POOR CONDUCT BY THE EMPLOYER
The Tribunal accepted Cummings’ evidence that the source of the leak was KAM’s branch manager, who had disclosed the drug test refusal to a driver with no management responsibilities. That employee then passed the information on to others, including staff at a client site. KAM denied that the disclosure had happened and therefore did not try to justify it under any of the exceptions in the Privacy Act. The Tribunal found that the internal disclosure did occur.
WHAT THE TRIBUNAL CONSIDERED
The Tribunal focused on Information Privacy Principle 11 (IPP 11) in the Privacy Act 2020, which says personal information must not be disclosed unless one of the specific exceptions applies. One of those exceptions, set out in IPP 11(a)(i), allows disclosure where it directly relates to the reason the information was collected in the first place. However, KAM didn’t rely on that exception or any other exception. The Tribunal also referred to IPP 10, which limits how personal information can be used within a business.
The Tribunal made three key findings on the facts:
- The information was sensitive: It related to a refusal to take a drug test, which carries stigma and reputational risk.
- The person it was shared with didn’t need to know it: The recipient was not a manager and had no role in the disciplinary process.
- No legal exception applied: The disclosure wasn’t necessary for any operational reason and wasn’t permitted under the Privacy Act.
The Tribunal found that the disclosure caused Cummings significant emotional harm. KAM argued the comments made to Cummings were in jest, and that the situation had been blown out of proportion. The Tribunal disagreed. It accepted that Cummings was deeply affected by the disclosure. He felt humiliated, lost confidence, experienced anxiety and depression, and feared for his safety when travelling to some areas.
Cummings later resigned, stating that the incident had irreparably damaged his trust in his employer. However, the Tribunal declined to award him compensation for lost income, noting that KAM had made efforts to support him and that the privacy breach, while serious, did not directly lead to his resignation.
THE TRIBUNAL’S FINDINGS
The Tribunal ordered KAM to pay $30,000 to Cummings for the emotional harm he experienced. It also made a formal finding that KAM had breached his privacy rights. The award was based on the seriousness of the leak, the sensitivity of the information, and the long-term impact on Cummings. The Tribunal placed the case within the middle of the range of seriousness for privacy breaches and said it did not see any aggravating conduct from KAM’s leadership beyond the original disclosure.
KEY TAKEAWAY
This case serves as a strong reminder that privacy obligations apply to all communications, including those within the workplace. Information about staff drug testing, disciplinary issues, or health concerns must only be shared on a strict need-to-know basis. A single disclosure outside of the scope of the Privacy Act, even if well-intentioned, can cause emotional harm and significant liability, as well as significant damage to a business’s reputation and relationships.
FURTHER INFORMATION
If you would like to know more, please contact the Jackson Russell Business Law team. We can help you understand your obligations under the Privacy Act and provide support with training, policies, incident response and contractual safeguards.
