
The Privacy Act 1988 (Cth) (Privacy Act) regulates the information handling practices of APP entities—being a government agency or an organisation that meets the relevant definition in the Privacy Act—however, agencies and organisations act through their employees, and it is how employees handle personal information in the performance of their work that has a direct impact on the entity’s overall compliance with the Privacy Act.

In the recent decision of the Privacy Commissioner in ‘ATE’ and ‘ATF’ (Privacy) [2025] AICmr 10 (13 January 2025) (ATE and ATF), the Privacy Commissioner explored the extent to which an APP entity is responsible for the conduct of its employee where that employee has mishandled personal information held by the entity.

The facts of ATE and ATF

Briefly, the facts that led to the privacy complaint are as follows. The organisation operates a mobile and satellite telecommunications network. The complainant had a dispute with the organisation about the recovery of a mobile phone number he had previously held. While working on the complaint to restore the mobile phone number, a junior employee of the organisation became aware of the complainant’s criminal history by conducting a Google search of the complainant and reading several media articles reporting on the complainant’s criminal conduct. The junior employee brought the media articles to the attention of their senior manager.

Later that day, the senior manager became aware of the complainant’s criminal offending (presumably by reading the media articles published about the complainant) and contacted the journalist who had authored a media article about the complainant’s criminal conduct. During that call, the complainant’s personal information was disclosed.

Shortly after the call, the journalist published a newspaper article which discussed, among other things, the complainant’s efforts to recover the mobile phone number while he was in custody, gave the complainant’s full name and alleged the complainant was campaigning from his prison cell to reactivate the mobile phone number he had used while committing criminal offences.

The day the article was published, the complainant was confronted by correctional officers in prison who allegedly accused him of smuggling illegal items (including a mobile phone) into jail.

The complainant subsequently complained to the OAIC (the Office of the Australian Information Commissioner) that the organisation had disclosed his personal information to a journalist, contrary to the Privacy Act.

The law

The Australian Privacy Principles (APPs) regulate the collection and handling of personal information by Australian government agencies and certain private sector organisations (APP entities). An APP entity is prohibited from doing an act, or engaging in a practice, that breaches an APP. If an APP entity interferes with the privacy of an individual, it will have breached an APP.

Under s 8(1)(a) of the Privacy Act, an act or practice engaged in (or information disclosed by) a person employed by an APP entity in the performance of the person’s employment will be treated as having been done by, engaged in or disclosed by the APP entity.

Practically, this means that the conduct of an APP entity’s employees when they are doing their work will be taken to be the conduct of the organisation for the purposes of the Privacy Act—accordingly, if your employee discloses personal information in the course of their work then the organisation will be liable for their conduct.

Critically though, the employee’s conduct needs to be in the performance of the person’s employment for the organisation to be liable—so what happens when the employee goes rogue?

The decision – the rogue employee defence

In ATE and ATF, the organisation conceded that its senior manager had disclosed the complainant’s personal information to the journalist but argued that the organisation was not responsible for the privacy breach because the disclosure was the action of a ‘rogue employee’ – that is, the conduct was outside the scope of the senior manager’s employment such that the organisation was not liable for any breach of the Privacy Act.

The Privacy Commissioner agreed and determined that the organisation did not breach the complainant’s privacy because the disclosure was a result of a rogue employee who acted outside the scope of their employment.

The rogue employee defence

In her reasons, the Privacy Commissioner discusses the limit of an APP entity’s liability for the conduct of employees. The Commissioner described s 8(1) of the Privacy Act as “implement[ing] a statutory form of vicarious liability and is, in effect, a restatement of the common law” which provides that an employer is directly liable for the conduct of their employee in circumstances where the employee is regarded as the ‘directing mind and will’ of an entity, such that their actions may be those of the entity itself (paragraphs [44] and [54]).

In order to assess whether the employee is acting in the performance of the person’s employment, two questions need to be asked and answered:

  1. Firstly, what was the course or scope of the employee’s employment?
  2. Secondly, was the employee’s act within the course or scope of the employment?

In answering the first question, the Privacy Commissioner noted that whether an employee’s actions are in the course or scope of their employment will depend on the facts and circumstances of each case. In this case, the senior manager did not have a formal position description, so the Privacy Commissioner had regard to an affidavit led by the organisation’s CEO which set out the role of the senior manager. The Privacy Commissioner was satisfied that this evidence defined the scope of the senior manager’s role. Importantly, the senior manager’s role did not include liaising with the media.

In answering the second question, the Privacy Commissioner noted that the question did not require evidence that the employee’s conduct was authorised by the organisation, but rather evidence that the act or practice was within the scope of the individual’s employment, even if the act or practice was not authorised. For example, if part of your employee’s role includes engaging with the media, then you will be liable for the information they disclose, even if the information they disclose on a particular occasion is unauthorised.

You will not be liable if the employee’s act or practice is “utterly unconnected” with any duties the employee is engaged to do.

The relevant analysis is as follows:

  • [54] - It is not a question of whether an employee was authorised by their employer to conduct the act, but rather a matter of considering the nature of what the employee was employed to do on behalf of the employer. The court has previously noted that “an unauthorised, intentional or even criminal act may be committed in the course or scope of employment, and therefore render the employer liable”.
  • [55] - Importantly, there must be a sufficient connection between the act and the employee’s ordinary employment duties. That is, the conduct must be “so connected with authorised acts that it may be regarded as a mode – although an improper mode – of doing them”.
  • [56] - Where an act is “utterly unconnected with anything the employee was employed to do, it would be outside the sphere of employment”. In this respect, an employee will likely be regarded as being on a “frolic of [the employee’s] own”, which will not attract liability for the employer.

In this case, having regard to all of the facts and circumstances including:

  • the scope of the senior manager’s duties (which did not include engaging with journalists)
  • the terms of the organisation’s code of conduct and employment guide (which stated, relevantly, only the CEO was authorised to talk to the media), and
  • evidence that the organisation had taken steps to terminate the employment of the senior manager because of the conduct

the Privacy Commissioner was satisfied that the senior manager’s conduct was outside the scope or course of the senior manager’s employment such that the organisation was not liable for the conduct.

The organisation was found not to have breached the Privacy Act in all of the circumstances.

Key takeaways

The decision in ATE and ATF provides clear guidance on the extent to which an organisation will be liable for an employee’s conduct under the Privacy Act.  APP entities should:

  • ensure that their employees understand the scope of their responsibilities and that the scope of those duties is clearly documented, and
  • train employees on the operation of the Privacy Act, so that your team knows how the Privacy Act applies as they perform their work and so that your organisation can demonstrate it has taken reasonable steps to ensure compliance with the Privacy Act, given that the organisation will be vicariously liable for the conduct of its employees when they collect and handle personal information in the performance of their duties.

In case you missed it, this year’s Privacy Awareness Week theme is ‘Privacy – it’s everyone’s business’ (see Privacy Awareness Week | OAIC), and it runs from 16 – 22 June.
