Hammond provides a new benchmark for compensating harm caused by a breach of the Privacy Act for unlawfully disclosing personal information.
The award centres on the "severe humiliation" Hammond suffered through the actions of her former employer, NZCU Baywide.
The Tribunal indicated that NZCU Baywide breached principle 11 of the Privacy Act, ie an entity holding personal information shall not disclose the information to a person or body or agency.
In this instance the information related to a photo - taken at a private dinner party - that Hammond had shared among friends on Facebook. The photo featured a cake with written obscenities referring to NZCU Baywide. Hammond was in the process of leaving the credit union for another employer. Her Facebook privacy setting meant only those who had been accepted by Hammond as friends had access to the image, with the Tribunal referring to
At the time there were approximately 150 such friends who Ms Hammond knew would share her sense of humour and believed would respect the privacy setting.Credit Union executives apparently became aware of the existence of the photo, with a NZCU Baywide human resources manager 'persuading' a junior employee to reveal the image. The manager made a screenshot of the photo and disclosed it to other senior managers.
The Tribunal stated that
the screenshot was then distributed to multiple employment agencies in the Hawke’s Bay area by email which, along with contemporaneous phone calls from NZCU Baywide, warned against employing Ms Hammond. At the same time an internal email was sent by the Chief Executive Officer of NZCU Baywide to staff disclosing information about the circumstances in which Ms Hammond had earlier resigned from NZCU Baywide. NZCU Baywide also placed severe pressure on her new employer to terminate her (Ms Hammond’s) employment.The Tribunal comments that the photo had become the basis for a
sustained campaign by the company to inflict as much harm and humiliation as possible by ensuring she could not be employed in the Hawkes Bay areamaking her new position untenable, forcing her to resign because of the threat by NZCU Baywide to boycott her new employer, causing her to be unemployed for 10 months and severely affecting her close relationships
NZCU Baywide admitted to breaching principle 11 and apologised to Hammond.
The Tribunal stated that on the balance of evidence, it had established that Hammond had experienced loss, detriment, damage or injury, as set out in section 66 of the Privacy Act. It was also satisfied that there had been significant humiliation, loss of dignity and injury to her feelings. Accordingly, it awarded damages of NZ$98,000 for humiliation, loss of dignity and injury to feelings.
It awarded further damages of NZ$38,350 for loss of income, NZ$15,543 for legal expenses and NZ$16,177 for the loss of a salary benefit Hammond might have expected to obtain.
The Tribunal notes
Hammond received favourable comments and commendations from auditors, managers and staff from within different departments and from different towns. Even Mr Grant Porter, the Chief Operating Officer, conceded in cross-examination at the hearing that Ms Hammond was a valuable member of NZCU Baywide.
Nevertheless Ms Hammond soon experienced frustration when she found some members of the executive team, particularly Mr Gavin Earle, Chief Executive Officer, Mr Porter and Ms Julie Baxter (Lending Manager) did not listen to her when she cautioned that in her view NZCU Baywide was at commercial and financial risk for failing to adhere to the Privacy Act. Citing this as an example she said she soon learnt the executive team banded together to ensure their decisions were never questioned. On another occasion when she approached Ms Baxter (the person to whom she reported) and provided a document Ms Hammond had created to ensure the Board could make informed decisions when signing off on loans, Ms Baxter’s response was “the Board just do as they are told”.In considering application of the Act the Tribunal states
Although the context of the interferences with privacy alleged by Ms Hammond includes the posting of a picture of a cake on a Facebook page, the application of the information privacy principles is nevertheless a straightforward process. The facts do not call for observations to be made about the application of those principles in the context of social networking sites. Contrast Senior v Police  NZFLR 356 (HC) and Hook v Stream Group (NZ) Pty Ltd  NZEmpC 188 at  to . A further point to be made is that the manner in which the case has been framed by the parties has made it unnecessary for the Tribunal to consider the possible application of the New Zealand Bill of Rights Act 1990, particularly the s 14 protection of “the freedom to seek, receive, and impart information and opinions of any kind in any form” [emphasis added].
The legal issues fall into two distinct categories. First, those relating to the alleged breaches of the “collection” principles, being Principles 1 to 4. Second, those relating to the alleged breaches of the “disclosure” principle, being Principle 11. We address the two categories separately. Whether a breach of the collection principles – Principles 1 to 4
The closing submissions for NZCU Baywide conceded that by downloading a screenshot of the cake from Ms Hammond’s Facebook page personal information about Ms Hammond was collected. It was also conceded the screenshot was not obtained directly from Ms Hammond. It was accepted that with Ms Hammond’s Facebook page security settings in place, her page was not accessible to the public at large.
However, it was contended (in the context of Principle 1) that the information had been collected for a lawful purpose connected with a function or activity of NZCU Baywide, including the need to protect its commercial reputation and to address potential misconduct by an employee. It was argued Ms Hammond was on garden leave at the time and owed NZCU Baywide a duty of fidelity.
In relation to Principle 2 it was claimed NZCU Baywide held a belief on reasonable grounds Ms Hammond had authorised the collection of the information. As to Principle 3 it was said NZCU Baywide did not have to comply with the requirement that information be collected directly from Ms Hammond as it held one of the beliefs listed in Principle 3 subcl (4). In relation to Principle 4 the defence was that the information had not been collected by means which were unfair or which intruded to an unreasonable extent on Ms Hammond’s personal affairs.
We do not intend exploring these issues for the simple reason that even if all issues are determined in Ms Hammond’s favour, her claim under Principles 1 to 4 is nevertheless bound to fail. The reason is that she has not established to the probability standard a causal connection between the alleged breaches of Principles 1 to 4 and the forms of harm listed in s 66(1)(b)(i) to (iii) of the Privacy Act. Unless such causal connection is established, the claim must fail. See Winter v Jans HC Hamilton CIV-2003-419-854, 6 April 2004 at  and .
In our view this case falls to be determined under Principle 11 alone.