News and Publications

Information Privacy Principle 11 (IPP 11) of the Privacy Act 2020 (Act) provides that an organisation may only disclose personal information for the purpose that it was obtained.

A recent Human Rights Review Tribunal case – Cummings v KAM Transport Limited [2025] provides a reminder to employers of IPP11, and to exercise care when sharing personal information about their employees, and that they may face significant liability if they do so.

Background:

Mr Cummings was a senior truck driver with over 35 years’ experience. Under KAM’s policy and Mr Cumming’s Individual Employment Agreement (IEA), KAM could direct Mr Cummings to take random drug tests.

On 26 August 2020, Mr Cummings was selected for a random drug test but refused to undertake one. Under KAM’s policy and the IEA, this refusal was considered misconduct and Mr Cummings was suspended from work pending commencement of a disciplinary process.

A week later, Mr Cummings returned to work after completing a negative drug test. On his return to work, he discovered that his colleagues who were not part of KAM’s management team, knew of his refusal to undergo a drug test. The rumours morphed into gossip that he was a drug dealer/user.

Mr Cummings reported this privacy violation to KAM and asked it to investigate the breach.   He was disappointed when KAM’s investigation concluded that there was no breach of his privacy. Feeling that KAM did not take any accountability and chose to brush his concerns under the carpet, he resigned from his employment.

Held:

The Tribunal found that KAM disclosed Mr Cummings’ drug test refusal to an employee who was not part of the management team.  Kam had no good reason for doing so.  The Tribunal held that that the disclosure was not authorised under IPP 11 and that if employers were allowed to disclose information without restriction, it would be contrary to the aspects of the broader scheme of the Act.

The Tribunal found that the disclosure of Mr Cummings’ refusal to take a drug test involved highly sensitive personal information, leading to significant harm. Upon hearing rumours, Mr Cummings felt emotionally distressed and fearful of being targeted by gangs during his long-haul drives. After resigning, he reported experiencing insomnia, depression, and anxiety. Although KAM argued that his harm arose from his decision to resign, the Tribunal concluded the harm was directly linked to the breach of IPP 11 through the unauthorised disclosure of his personal information.

The Tribunal declared that KAM interfered with Mr Cumming’s privacy and ordered it to pay him $30,000 in damages for humiliation, loss of dignity and injury to feelings.

Message for Employers

Information about an employee’s refusal to take a drug test is personal information and must be handled with care and in accordance with the Privacy Act.

Employers should ensure that managers understand such information should remain private and must not be shared, especially with employees who don’t need to know (including not in a managerial role).

If you are uncertain about what is personal information or are concerned that such information may have been shared, please contact us.  We regularly provide privacy advice and training to our clients and look forward to discussing with you.

Disclaimer: We remind you that while this article provides commentary on employment law, health and safety and immigration topics, it should not be used as a substitute for legal or professional advice for specific situations. Please seek legal advice from your lawyer for any questions specific to your workplace.