It’s hard to read about liability without feeling like you’re sneaking your way through a regulatory minefield. There’s a little too much to wrap your head around, the stakes seem just a little too high and isn’t it all someone else’s problem? Can’t you just handball it up the chain of command? Surely responsibility lies solely with management or department heads. Surely this is the boss’ problem!

It’s easy to ignore potential liabilities when it comes to individuals dealing with privacy or sensitive information. To arm yourself against vulnerability and risk, it’s important for employees to be empowered with knowledge and sufficient training. Safeguard against any risk and give your business the best chance it has to succeed in facing these regulatory minefields.

Since March 2014, when changes were made to the 1998 Privacy Act, the risks to Australian organisations associated with information management have been widely discussed among business leaders. Organisations are now well aware that any lack of preparedness could lead them vulnerable to fines or penalties. However, when it comes to personal liability, specifically relating to employees responsible for the management of organisational information, there seems to be a gap in the conversation. With the assistance of K & L Gates LLP we sought to close that gap and have found cause to consider business practices.

Personal Liability and the Corporations Act

The Privacy Act sets out personal information handling requirements for Australian Privacy Principle (APP) entities, both agencies and organisations. While entities can be liable for civil penalties of up to $1.7 million for serious breaches, the Privacy Act does not impose any liability for breaches upon individual directors, officers or employees.

So that’s the good news! But you’re not out of the woods yet.

Document retention processes and policies, however, can attract a range of potential personal liability issues for company’s directors and officers. This personal liability can arise from duties outlined under the 2001 Corporations Act. Any person falling within the definition of an officer is subject to the requirements and duties of this Act. This definition includes a director or secretary, a person who makes, or participates in making, decisions that affect the whole or a substantial part of the business, a person who has the capacity to significantly affect the corporation’s financial standing and any person upon whose instructions or wishes the directors are accustomed to act.

It is accepted in Australia that directors and officers are not liable for a company’s torts or civil wrongs just by holding the office they hold, however, claims can be brought against directors and officers personally at common law under the tort of negligence.

An acknowledgment of your role as an officer would not simply be a matter of your job title. As demonstrated in the James Hardie case, the Corporation act demands a factual analysis of your position, responsibilities and decision making abilities in the business. Recent Australian case law supports the proposition that it’s not just directors who could face liability but also company executives operating at senior managerial levels if they make, or participates in making, decisions that affect a whole or a substantial part of the business.

If a director or an officer of a company holds another title such as records manager, they are likely to be treated as an officer. This could expose this person to liability for any breach of duty owed under the Corporation Act in respect of their conduct both as director and in their other position.

Destroying Evidence  

In Australia, there is state, territory and Commonwealth legislation that prohibits a person from destroying any document that is, or may be, required in evidence in a legal proceeding.

Although legislation varies in each jurisdiction there is generally a provision which considers ‘intention’. Criminal law generally recognises that ‘intention’ can include recklessness, wilful blindness and negligence. However, legislation relating to the destruction of litigation documents requires specific intention. This means that recklessness, wilful blindness and negligence are insufficient to prove the elements of the relevant crime. For example, in the case of R v Salim the court found that in order to be guilty of destroying evidence, the person must be aware or be able to reasonably conclude at the time of the document being destroyed, that legal proceedings may be initiated in the future.

Penalties for destroying documents needed as evidence in legal proceedings could be as severe as 10 years’ imprisonment. You could be vulnerable for just the proverbial slap on the wrist (comparatively), facing a range of fines, depending on your jurisdiction. To minimise the risk of severe penalties, a company should suspend any automatic document destruction processes to preserve all potentially relevant evidence where there is a real prospect that they may be involved in litigation.

Reducing Risk

Don’t let any panic ensue just yet. Be assured there are steps that your business can take to reduce risk and limit the potential exposure of directors and officers to personal liability. Organisations should regularly check that there is a comprehensive and appropriate process in place to encourage compliance with document retention requirements and to detect potential legal issues. If a company does not yet have a document retention policy, it should ensure that one is created to prevent the destruction of important documents and the retention of unnecessary documents, both equally important.

Taking these steps not only safeguards your business against vulnerabilities, but also allows for cleaner, smoother, more efficient processes.

Management could also consider a periodic independent audit of the company’s document retention and destruction practices to ensure the company is complying with all necessary policies and procedures. It’s vital that all employees are aware of company policy and documented procedures. Putting the correct training in place also helps reduce the risk of document related claims being made against the company and its officers.

Navigating liability is an undeniably challenging task for organisations and their employees. We live in, however, an age of increasing content and information and the demand for clear, effective and legally sound practices will only become greater. It’s critical for organisations to move swiftly to put in place the correct processes to safeguard their business, their employees and their customers from risk.