Record damages against New Zealand's biggest credit union are being held up as a warning to employers to stay out of workers' personal lives.
The Human Rights Review Tribunal has ordered NZCU Baywide to pay $168,000 after the credit union distributed an image posted by former worker Karen Hammond on Facebook.
The image of a cake iced with swear words about the company on her private Facebook page was distributed to employment agencies.
The finance workers' union described the case as one of the worst examples of employee bullying it had seen.
Maxine Gay of the First Union said snooping on private online content was like peering through someone's back window, and the damages awarded were a warning to employers to stay out of workers' personal lives.
"The level of surveillance, the level of micro-management, that employers want to exhibit ... they've got to have some caution when they start to invade people's lives outside work."
A lawyer specialising in internet privacy, Rick Shera, said the Tribunal had made an example of the credit union. The amount awarded showed how much of an issue privacy had become in the age of social media.
"We've had the Privacy Act for some time, but I think as the growth of social media and online environments has occurred there's also starting to become a realisation that along with that must come a heightened awareness of privacy."
Ms Hammond said the case had taken a huge toll on her life and left her humiliated, but she did not regret putting the image of the cake on Facebook.
"What's regrettable is the actions of NZCU Baywide. This was a private posting. This was purely [for] friends only. I was trying to cheer up a friend, as well as myself."
She said she lost employment opportunities, the case caused major grief for her family, and the financial impact meant her partner had to leave the region to find work.
NZCU Baywide said in a statement that it accepted the ruling and was genuinely sorry.
Read the full decision by the Human Rights Review Tribunal
'Nothing completely secure'
Internet New Zealand acting chief executive Andrew Cushen said Ms Hammond had taken the right steps by keeping her profile private, but said on the internet, nothing was completely secure.
It was now commonplace for employers to look up employees on the internet, Mr Cushen said, and if their profiles were public, then they were fair game.
However the fundamental privacy issues were not new.
"A couple of years ago, pre-Facebook, then the scenario would be the same if a physical photo had been taken and that photo got shared with the wrong person around the lunchroom," he said.
"These challenges aren't new, we've been dealing with them for a long time. It's just that the internet changes the way they can be felt."
Employer gained access to Facebook page
In March 2012, Ms Hammond uploaded to her Facebook page a picture of a cake made by her for a private dinner party for a close friend of hers, Jantha Gooding. Both Ms Hammond and Ms Gooding had recently left NZCU Baywide.
In its decision, the Human Rights Review Tribunal said what would otherwise have been an unexceptional set of circumstances was transformed by two factors. First, the top of the cake had been iced with the words "NZCU F**K YOU". The privacy setting on Ms Hammond's Facebook page meant only those accepted by her as "friends" had access to the photograph.
Second, the Tribunal said NZCU Baywide gained access to the Facebook page by forcing a young employee to provide access to the page and then taking a screenshot of the cake.
That screenshot was then distributed to multiple employment agencies in the Hawke's Bay area by email which, along with contemporaneous phone calls from NZCU Baywide, warned against employing Ms Hammond.
At the same time an internal email was sent by NZCU Baywide chief executive Gavin Earle to staff disclosing information about the circumstances in which Ms Hammond had earlier resigned. NZCU Baywide also placed severe pressure on her new employer to terminate her employment.
In addition to damages, NZCU Baywide has been instructed to send a retraction to the employment consultancies it sent the Facebook image to.
The financial damages exceed the previous highest amount awarded of $40,000 and the Privacy Commission said it set a new benchmark for compensating harm caused by unlawfully disclosing personal information.