My take on this in the UK would be that by bypassing the “privacy disclaimer” and not accepting, as would be normal via the user id and password, your organisation is accepting responsibility for maintaining the privacy of the accessed site.
Thus making your organisation responsible for any breaches of said privacy.

The consequences of this will of course depend on what damage is done by the disclosure of the information, but could be substantial.
As already mentioned by tilly you need good legal advice in this specific area.