As small business owners of close-knit teams, we all know how quickly gossip can spread. But what if that casual chat in the cab of the truck or at the reception desk turns into a serious privacy breach? A recent Human Rights Review Tribunal decision shows just how costly that can be—both financially and legally.
Let’s unpack what happened and highlight what you can do to protect your business.
Real Case: How a Workplace Rumour Cost a Business $30,000
In 2020, a truck driver at KAM Transport was selected for a random drug test. He initially refused, which under his employment agreement was considered serious misconduct. He was stood down while the matter was investigated. All that is good form – no problem yet. But just as an aside, isn’t it sobering that we all know exactly where this incident took place? We are talking about privacy, but KAM Transport have not lost all their rights to privacy in this matter.
Anyway, a week after being stood down, he agreed to the test, passed it, and returned to work. But soon after, a client’s employee told him that people had heard he was a drug dealer and had been fired. That rumour didn’t just damage his reputation—it triggered a legal claim.
The driver resigned and took his complaint to the Privacy Commissioner, and eventually to the Human Rights Review Tribunal.
What the Privacy Act Says About Sharing Employee Information
The key legal issue in this case was a breach of Information Privacy Principle 11 (IPP 11) under the Privacy Act 2020, a piece of law that came into play just weeks before this event. This specific principle restricts when and how personal information can be disclosed—even within your own business.
The Tribunal found that someone at KAM had shared the driver’s private information with a staff member who had no legitimate reason to know. Under IPP 11, personal information must not be disclosed unless one of the permitted exceptions applies, such as where disclosure is directly related to the purpose for which the information was collected or where the individual has authorised the disclosure. That internal leak led to the damaging rumour.
The result? KAM Transport was ordered to pay $30,000 in damages for humiliation, loss of dignity, and injury to feelings. Importantly, damages under the Privacy Act are awarded where a breach causes “harm” as defined in the Act, which can include humiliation, loss of dignity, or injury to feelings.
Why This Matters for Your Business
This case is a powerful reminder that workplace gossip can become a legal liability. Even if the information is shared internally, if it’s not on a need-to-know basis, it could breach the Privacy Act. Employers are responsible for ensuring that employees handling personal information understand and comply with the Privacy Act’s obligations.
Here’s what you need to keep in mind:
1. Confidentiality is Non-Negotiable
If you’re handling sensitive employee matters—like disciplinary action, drug testing, or health concerns—keep that information strictly limited to those who need to know.
2. Train Your Managers and Supervisors
Make sure your leadership team understands their obligations under the Privacy Act. This case demonstrates that a casual comment can have very serious consequences.
3. Review Your HR Policies
Ensure your privacy and confidentiality policies are up to date and clearly communicated. Don’t assume your team knows what’s appropriate—spell it out. You want a document to refer to if this is ever an issue in your business.
4. Create a Culture of Trust
Encourage professionalism and respect in your workplace. If you reflect on your business honestly and acknowledge this represents a big culture shift for you, think about getting some help with that. We know a number of people who are great at coaching and training teams to improve culture – it can be done! A culture that discourages gossip is not only healthier—it’s legally safer.
Protecting Your Business from HR Risks
At FixHR, we work with small business owners across New Zealand to help you stay compliant, confident, and in control of your HR. This case is a timely reminder that privacy breaches don’t just happen online—they can happen over a coffee.
If you’re unsure whether your current processes are up to scratch, let’s talk. A quick review now could save you a costly headache later.
