Last month, I questioned whether New Zealand’s privacy laws were fit for purpose. The Privacy Act 2020 was drafted in 2013 so it could not have anticipated the large-scale collection, use, and transfer of personal information or the invention of generative artificial intelligence and biometrics.

It is my view that if we want to keep pace with the digital world, then our current regulatory regime is in need of an overhaul. However, it is still working well in some respects, and this month, I wanted to give credit where credit is due by focusing on some cases where significant compensation has been awarded for privacy breaches in an employment context.

What damages can be awarded for

The Privacy Commissioner cannot award money for a loss or injury caused by a breach of the act. Only the Human Rights Review Tribunal can make an award of damages after a formal hearing. Damages in employment cases can be substantial, especially when the breach involves unauthorised disclosure or failure to protect sensitive employment data. Emotional harm is the primary basis for compensation, though pecuniary loss may also be awarded if financial harm is proven. The following cases are cautionary tales for employers who have an obligation to protect their employees’ personal information.

Disclosing refusal to take a drug test: $30,000

In Cummings v KAM Transport Ltd [2025] NZHRRT 8, the complainant was employed as a professional driver. He was required by his company to undertake a random drug test, which was a term of his conditions of employment. On 26 August 2020, the complainant was randomly selected to undertake a drug test and he refused. When he became aware of false rumours about his drug test and its outcome being discussed amongst his colleagues, he claimed that his privacy had been breached.

The tribunal found that the company had interfered with the complainant’s privacy by disclosing personal information regarding his refusal to undertake a drug test, without his consent. This personal information had been shared with parties who had no need to know such sensitive personal information and this caused him harm, which amounted to significant humiliation, loss of dignity and injury to his feelings, given his long career and status as a senior employee. There was a sufficient causal connection between the harms suffered and the disclosure that justified an award of damages of $30,000.

Taking and refusing to return devices: $60,000

In BMN v Stonewood Group Limited [2024] NZHRRT 64, the complainant was invited to a coffee meeting outside the office. While he was away, Stonewood Group’s executive director removed his work laptop, personal mobile and USB drive from his desk without his knowledge. A week later, the complainant’s employment was terminated and despite repeated requests, his former employer failed to return his personal devices, which contained sensitive personal information such as tax records and medical data.

The tribunal ruled that Stonewood Group had actively taken the complainant’s personal data rather than merely receiving unsolicited information. The complainant suffered acute anxiety and depression and the tribunal acknowledged the impact on his tax filing and career prospects. A sum of $60,000 was awarded in damages for significant humiliation, loss of dignity, and injury to feelings. An award for pecuniary loss of $394.87 was also made for actual financial loss incurred due to the breach.

Distributing a photo of a unique cake: $168,000

In Hammond v Credit Union [2015] NZHRRT 6, the complainant had recently resigned from her job at NZCU Baywide. She privately shared a photo of a cake with written obscenities referring to her former employers on Facebook. The privacy setting ensured that only her accepted friends could view it. However, NZCU Baywide coerced a junior employee into revealing the photo, took a screenshot and distributed it to employment agencies in the Hawke’s Bay area, warning them against hiring her.

The company’s actions led to a sustained campaign to prevent the complainant from securing employment in the region. She was forced to resign from her new job due to NZCU Baywide’s threats, and remained unemployed for 10 months. The complainant and her partner struggled financially and emotionally with significant stress affecting their family.

The tribunal found that NZCU Baywide misused the complainant’s personal information from social media and that their actions caused severe humiliation, loss of dignity and injury to feelings. It awarded damages of $98,000 for humiliation and emotional distress, $38,350 for loss of income, $15,543 for legal expenses and $16,177 for loss of salary benefits.

This case set a new benchmark for privacy breach compensation in New Zealand, far exceeding previous awards. All three cases reinforce the importance of protecting personal information in workplace disputes because there are serious consequences for employers who fail to do so.

Please note that this article is not a substitute for legal advice, and if you have a particular matter that needs to be addressed, consult with a lawyer. Danielle Beston is a barrister who specialises in transport law, and she can be contacted at danielle.beston@bestonlegal.nz or 021 326 642.