Does managing information involve personal liability risks?

By Greg Lever

The risks to Australian organisations associated with the management of information have been widely discussed amongst business leaders and in the media since changes to The Privacy Act 1998 (Privacy Act) took effect on 12 March 2014. From our perspective, what has not been discussed is the personal liability of employees who are responsible for managing organisational information.

With the assistance of K&L Gates LLP, we set out to understand if any such liability could exist. What we unearthed has provided pause for cautionary thought and business consideration.

The Privacy Act itself sets out personal information handling requirements for Australian Privacy Principle (APP) entities, which are defined as both agencies and organisations. Whilst agencies and organisations can be liable for civil penalties of up to $A1.7 million for serious breaches, the good news is that the Privacy Act does not impose any liability for breaches upon individual directors, officers or employees of APP entities.

However, document retention processes and policies could still attract a range of potential personal liability issues for a company’s directors and officers. This personal liability could arise from their duties under the Corporations Act 2001. Any person falling within the definition of an officer is subject to the requirements and duties of this Act.

This definition is both extensive and far-reaching. It includes a director or secretary; a person who makes, or participates in making, decisions that affect the whole or a substantial part of the business; a person who has the capacity to significantly affect the corporation’s financial standing; and a person in accordance with whose instructions or wishes the directors are accustomed to act.

It is accepted in Australia that directors and officers are not liable for a company’s torts or civil wrongs merely by reason of their office. Nonetheless, a plaintiff or complainant could bring a claim against directors and officers personally at common law under the tort of negligence.

The recent James Hardie case has shown that whether a person falls within the definition of “officer” under the Corporations Act requires a factual analysis of the person’s role, responsibilities and decision-making ability within the business. In addition to this case, recent Australian case law lends support to the proposition that it’s not just directors who can face personal liability. It may extend to a company executive operating at a senior managerial level if he or she makes, or participates in making, decisions that affect the whole, or a substantial part, of the business.

Furthermore, where a director or officer of a company holds another title, for example, the position of records manager, he or she is likely to be treated as an officer. This could expose this person to liability for any breach of duty owed under the Corporations Act in respect of his or her conduct both as a director and in his or her other role or position.

Destroying Evidence

In the criminal context, it is important to be aware of state, territory and Commonwealth legislation in Australia that prohibits a person destroying a document where the document is, or may be, required in evidence in a legal proceeding. Although the legislation varies in each jurisdiction, generally each provision requires an element of ‘intention’.

Criminal law generally recognises that intention can in some circumstances include recklessness, wilful blindness and negligence. However, the legislation relating to the destruction of litigation documents requires specific intention, which means that recklessness, wilful blindness or negligence is not sufficient to prove the elements of the relevant crime. For example, in the case of R v Selim, the court found that, in order to be guilty of destroying evidence, the person must be aware, or reasonably contemplate, at the time the document was destroyed that legal proceedings may be initiated in the future.

The maximum penalty for destroying documents that may be required in evidence in a legal proceeding will depend on which jurisdiction governs the crime. However, penalties include imprisonment for up to 10 years and a range of fines. To minimise the risk of severe penalties, a company should suspend any automatic document destruction processes to preserve all potentially relevant evidence where there is a real prospect that it may be involved in litigation.

Reducing Risk

There are steps that can be taken to reduce risk and seek to limit the potential exposure of directors and officers to personal liability. The organisation should regularly check that there is a comprehensive and appropriate process in place to encourage compliance with document retention requirements and to detect potential legal issues. If a company does not yet have a document retention policy, it should ensure that one is created to prevent the destruction of important documents or, equally, the retention of unnecessary documents.

Management could also consider commissioning a periodic independent external audit of the company’s document retention and destruction practices to ensure that the company is complying with the policies, procedures and practices aimed at document retention.

It is important that all employees are aware of company policy and documented procedures. Putting the correct training in place can also reduce the risk of document-related claims being made against the company and its officers.

There is no doubt that this is a very challenging space for organisations and employees to navigate. Unfortunately, our world now dictates that this swell of information being created will only increase. It is therefore critical for organisations to move swiftly to put in place the correct processes to safeguard the business, their customers and their own employees from risk.

Greg Lever is Managing Director of Iron Mountain Australia