OPSM: breach of data leads to loss of major contract
In this edition
- the loss of a $33.5 million contract shows the importance of complying with privacy laws;
- two cases illustrating ways of managing moonlighting by employees; and
- creative donations in WHS Enforceable Undertakings.
OPSM: breach of data leads to loss of major contract
You might be forgiven for thinking that eyewear and eyecare provider OPSM and its related entities would keep a close eye on every aspect of their client contracts. Yet OPSM's parent company, Luxottica Retail Australia (Luxottica), recently lost a $33.5 million contract with Medibank Health Solutions (MHS) to provide services to the Australian Defence Force (ADF) because it breached the privacy obligations in its contract with MHS. The case is a reminder that organisations need to read and understand the terms of their agreements and the compliance obligations those terms carry. The collection, use and secure storage of personal information in accordance with privacy principles may well be an explicit term of your contracts, not just a statutory duty sitting in the background.
In 2012, MHS, which holds a contract with the ADF to manage and coordinate its healthcare services, awarded Luxottica the exclusive right to supply eye services to 80,000 ADF personnel through OPSM stores. Under its agreement with MHS, Luxottica was required to keep the medical records of ADF personnel, which contained personal information, in Australia. Luxottica breached this term by sending ADF medical records overseas. Nothing about this was overt or deliberate: the records went to Luxottica's own server, which happened to be located outside Australia. From a compliance standpoint that distinction makes no difference. A data residency obligation attaches to where the records physically sit, not to who owns the infrastructure, so moving data to your own overseas server is as much a breach as handing it to a third party abroad.
Luxottica's breach of contract was discovered by MHS as part of its regular review process.
What does this mean for your business?
Most service agreements contain contractual obligations requiring the service provider to maintain and protect the confidentiality of 'confidential information'. A contract may or may not explicitly incorporate the requirements of the Privacy Act 1988 (Cth) (Privacy Act), but as a matter of law an organisation that turns over more than $3 million a year, or that provides a health service, must comply with the Privacy Act and the Australian Privacy Principles (APPs) whenever it handles personal information. Two of the APP requirements are directly relevant to the OPSM case:
- an organisation's privacy policy must state whether it is likely to disclose personal information to overseas recipients and, if it is practicable to do so, the countries in which those recipients are likely to be located; and, more importantly,
- before disclosing personal information to an overseas recipient, the organisation must take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information (for example, by binding the recipient contractually), unless an exception applies, such as where the recipient is subject to a law or binding scheme that protects the information in a way substantially similar to the APPs.
This case shows how important it is for organisations to understand how and where their data is stored and handled. Organisations whose data is stored in the cloud, and international organisations whose head office or data centres are overseas, must take steps to ascertain where the servers supporting their Australian operations are actually located. In practice that means tracing the data itself rather than trusting a diagram: a record that is 'kept in Australia' in the primary system can still end up offshore through replication, backups, log exports or the tooling of a support team in another country. Every organisation should audit the personal information it collects and identify what it then does with it, including where each copy ends up.
According to the Ponemon Institute report '2014 Cost of Data Breach Study: Australia', the cost of lost business associated with data breaches has increased over the last five years, from an average of $660,000 in 2010 to an average of $850,000 in 2014. Businesses need to review their data security policies and procedures, understand their contractual obligations, and know how they would mitigate the loss that can follow if data security or the privacy of personal information is compromised.
Have you reviewed your privacy policies and contractual obligations lately?
Employees and second jobs: what can and can’t you control?
It's not uncommon for employees to have more than one job, whether in the same industry or otherwise. The obligations and duties an employee owes to an employer become murkier when the employee's out-of-hours activities have the potential to adversely affect that employer's business and interests.
Some employers attempt to protect their interests by including specific provisions in employment agreements, or by implementing policies setting out the restrictions and procedures employees must follow when undertaking other employment or activities. Two cases considered by the Fair Work Commission (Commission) provide useful guidance to employers on when an employee's out-of-hours conduct can amount to 'serious misconduct' justifying dismissal, and on how to draft employment terms that best protect the business's interests.
First, to what can be the bane of most employers: social media. A case involving an employee's misuse of LinkedIn played out in Bradford Pedley v IPMS Pty Ltd T/A peckvonhartel FWC 4282 (BP). Mr Pedley was appointed Senior Interior Designer at IPMS Pty Ltd, trading as peckvonhartel (PVH), an architecture and design company. Before his appointment, Mr Pedley told PVH that he intended to continue carrying out private design work in his own time through his own business, Reveal ID. PVH did not object.
Two years later, Mr Pedley sent a group email to some of his LinkedIn connections telling them about his own business and announcing that he was ‘seeking to expand Reveal ID to a full time design practice over the coming year.’ PVH saw the email and dismissed Mr Pedley for breach of his employment contract. The contract included wording to the effect that Mr Pedley could not be engaged or associated with any business or activity that:
- competes with PVH;
- adversely affects PVH’s reputation; or
- hinders the performance of Mr Pedley’s duties.
The Commission found that PVH had validly dismissed Mr Pedley because his LinkedIn email attempted to solicit PVH clients to work with Reveal ID, and this amounted to 'serious misconduct' within the meaning of the Fair Work legislation in that it:
- was inconsistent with the continuation of the contract of employment; and
- caused serious and imminent risk to the reputation, viability or profitability of the employer’s business.
The Commission's decision in BP contrasts with the later Full Bench decision in Adidem Pty Ltd T/A The Body Shop v Suckling FWCFB 361. In that case, Nicole Suckling was employed by The Body Shop as a Consultant Support Adviser in its online sales division. Her role required her to take and make phone calls with independent contractors to record details of sales and other activities. During her employment with The Body Shop, Ms Suckling entered into an independent consulting agreement with PartyLite Pty Ltd (PartyLite), a company that sold candles to independent consultants who then on-sold them to consumers. The Body Shop also sold candles.
The Body Shop terminated Ms Suckling’s employment when she refused to resign from PartyLite.
Ms Suckling’s employment contract contained a conflict of interest clause that stated: ‘it is considered an employee cannot be totally committed to The Body Shop if working for a competitor. Thus, whilst working for The Body Shop employees cannot simultaneously work for any other enterprise this Company considers a market place competitor; to do so is considered misconduct and may lead to termination of employment.’
The Commission found that Ms Suckling had been unfairly dismissed and ordered The Body Shop to pay her $20,084.68, representing five months' pay. Its reasoning was that Ms Suckling was not actually 'working for' PartyLite; she was working for herself as an independent consultant, so her conduct did not breach the conflict of interest clause, which only prohibited 'working for' a competitor. An underlying factor was that she was a junior employee whose spare-time candle selling was unlikely to significantly affect her employer or her ability to perform her Consultant Support Adviser role.
Lessons from BP and The Body Shop
The outcome of BP demonstrates the benefit of a well-drafted restraint clause in an employment contract. PVH's clause preventing Mr Pedley from 'being associated' with a competing business was an effective contractual restriction. The Body Shop's clause, by contrast, turned on the narrower words 'working for' a competitor and so did not capture what the employer actually wanted to prevent. Both cases show the importance of employers:
- setting clear expectations, preferably in employment agreements, about employees' out-of-hours employment or activities that could have a detrimental effect on the business; and
- following through with general and social media policies that adequately explain the business's approach to, and tolerance for, employees' online activities.
How do you manage your employees’ moonlighting activities?
Enforceable Undertakings: a popular way to achieve WHS objectives
The option for an organisation to enter into an enforceable undertaking (EU) with authorities in relation to a breach of the model Work Health and Safety (WHS) laws is proving to be a popular means of achieving compliance with WHS laws. So far this year, six EUs have been entered into in Queensland and one in New South Wales.
An EU is a useful tool that is available to regulators as an alternative to prosecution and the resulting court action, penalties and fines where an alleged breach of the applicable State and Territory WHS laws has occurred. A party that is subject to the EU is legally obligated to carry out the agreed corrective action without the need to go through a lengthy court process. The terms of an EU are proposed by the business and must be agreed upon by the health and safety regulator. An EU may be considered if there are remedial steps that the organisation can take to remedy the breach by improving safety in the workplace. It is not available for the most serious (Category 1) offences under the WHS laws.
An EU is a promise by an organisation which obliges them to refrain from, or carry out, specific activities to improve not only work health and safety, but which may also deliver benefits to industry and the broader community. The relevant state or territory regulator monitors the organisation to ensure that the EU commitments are being delivered. If an accepted EU is not complied with, the regulator may apply for a court order to enforce compliance and impose financial penalties.
An EU can contain some very creative terms and achieve things a court order cannot. WHS authorities have issued guides that detail what an EU must contain. Among the more interesting requirements are adopting strategies that will deliver worker, industry and community benefits.
In one example, a company promised to pay $5,000 per year, for the next three years to the Westpac Rescue Helicopter, as the increased funding would improve the response to traffic incidents, a key work health and safety risk in the company’s operations.
The estimated values of the EUs entered into in Queensland and NSW are worth noting (the Terex Australia Pty Limited EU in NSW, for example, is valued at $427,335). They are significant, but are likely to be less than the court costs and legal fees the businesses involved would incur if prosecuted by the regulator.
The maximum penalty for failure to comply with an EU is $50,000 for an individual or $250,000 for a body corporate. You should note, however, that maximum penalties for Category 2 offences that do not follow the EU route and proceed to prosecution range from $300,000 for an officer to $1.5 million for a company.
Have you done a WHS health check recently?
How can CompliSpace help?
CompliSpace's comprehensive range of cost-effective human resources policies, procedures, training and testing modules ensures that managers and staff know what is expected of them and have key tools and information at their fingertips at all times.
This enables a business to meet its workplace relations obligations while building a positive corporate culture, capturing knowledge and saving time. For more information, contact us on the details below:
P: 1300 132 090
This blog is a guide to keep readers updated with the latest information. It is not intended as legal advice or as advice that should be relied on by readers. The information contained in this blog may have been updated since its posting, or it may not apply in all circumstances. If you require specific or legal advice, please contact us on 1300 132 090 and we will be happy to assist.