Legal Update – July 2020
Data breaches involving an individual’s personal, medical and financial/credit information can result in reputational damage and financial losses. Australian privacy law allows an individual affected by a data privacy breach to seek compensation from the organisation responsible for the breach.
Stephens Lawyers & Consultants provides a review of the compensation awarded in determinations made during the years 2016 – 30 June 2020 by the Office of the Australian Information Privacy Commissioner in relation to privacy breaches.
CASE | PRIVACY PRINCIPLES BREACHED | COMPENSATION RECEIVED |
‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30 (30 June 2020) | IPP 11 | $3,000 for non-economic loss |
‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 (19 June 2020) | APP 12 | $3,000 for non-economic loss; $2,000 for aggravated damages |
‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd (Privacy) [2020] AICmr 21 (12 June 2020) | APP 6 and 11 | $10,000 to 1st complainant and $3,000 to 2nd complainant for non-economic loss; $3,400 to 1st complainant for economic loss |
‘RC’ and TICA Default Tenancy Control Pty Ltd (Privacy) [2019] AICmr 60 (22 August 2019) | NPP 1.5 | $1,500 for non-economic loss |
‘QP’ and the Commonwealth Bank of Australia Limited (Privacy) [2019] AICmr 48 (28 June 2019) | APP 10.2 | $15,000 for non-economic loss |
‘QF’ & Others and Spotless Group Limited (Privacy) [2019] AICmr 20 (28 May 2019) | NPP 2 and 4 | A total of $60,000 for non-economic loss shared between 14 Complainants |
‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51 (23 March 2018) | NPP 2 | No compensation was awarded |
‘LU’ and Department of Defence (Privacy) [2017] AICmr 61 (26 June 2017) | IPP 4 and 10 | $10,000 for non-economic loss; $3,000 for expenses reasonably incurred |
‘LS’ and ‘LT’ (Privacy) [2017] AICmr 60 (26 June 2017) | APP 12.5 and 12.9 | $1,000 for non-economic loss |
‘LP’ and The Westin Sydney (Privacy) [2017] AICmr 53 (7 June 2017) | APP 3.5 | $1,500 for non-economic loss |
‘LB’ and Comcare (Privacy) [2017] AICmr 28 (24 March 2017) | IPP 4 and 11 | $20,000 for non-economic loss; $3,000 for expenses reasonably incurred |
‘LA’ and Department of Defence (Privacy) [2017] AICmr 25 (17 March 2017) | APP 6 | $12,000 for non-economic loss; $3,420 for expenses reasonably incurred |
‘KB’ and Veda Advantage Information Services and Solutions Ltd [2016] AICmr 81 (25 November 2016) | Sections 20N(1), 20N(2), 20P and 20S(2) of the Privacy Act 1988 (Cth) | $10,000 for non-economic loss; $5,830 for expenses reasonably incurred |
‘JO’ and Comcare [2016] AICmr 64 (21 September 2016) | APP 6 and 11 | $3,000 for non-economic loss |
‘IY’ and Business Service Brokers Pty Ltd t/a TeleChoice [2016] AICmr 44 (30 June 2016) | APP 11.1 and 11.2 | $3,500 for non-economic loss |
‘IX’ and Business Service Brokers Pty Ltd t/a TeleChoice [2016] AICmr 42 (30 June 2016) | APP 11.1 and 11.2 | $3,500 for non-economic loss |
‘IV’ and ‘IW’ [2016] AICmr 41 (27 June 2016) | APP 6.1 and 10.2 | $10,000 for non-economic loss |
‘IR’ and NRMA Insurance, Insurance Australia Limited [2016] AICmr 37 (27 June 2016) | APP 6 and 11 | $3,000 for non-economic loss |
THE DECISIONS
‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30
Date of Decision: 30 June 2020
Heard by: Australian Information and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed:
The complainant’s bank statement which disclosed the following ‘personal information’ to the complainant’s ex-partner:-
- the date and types of places where the complainant made purchases (supermarkets, petrol stations, cafes and restaurants and the complainant’s medical and health providers); and
- the name of the suburb or area of the place that those purchases were made by the complainant (‘locational information’).
The complainant had sought to keep her location unknown to her ex-partner as she claimed to fear harm from him.
Privacy Breach:
In 2012 the complainant applied to the Child Support Agency and former Department administering child support (‘CSA’) for a change of assessment to the amount of child support then being paid by her ex-partner. Both the complainant and the ex-partner objected to the decision made by the CSA and sought an internal review of the CSA decision.
The CSA proceeded to collect the complainant’s personal bank information from the complainant’s bank using its statutory collection powers and did not advise the complainant it was doing so. The complainant, being unhappy with the internal review decision, applied to the Social Security Appeals Tribunal (the ‘Tribunal’) for a review of that decision.
As part of the Tribunal review process, the CSA provided the complainant’s bank statement to the Tribunal and the complainant’s ex-partner.
This was the first time that the complainant became aware that her personal information had been collected by CSA.
Whilst the Commissioner found that the CSA had not breached the complainant’s privacy in collecting the complainant’s personal information and that disclosure of the types of places at which the complainant made purchases was relevant to the decision under review by the Tribunal, it was the Commissioner’s view:-
- that the complainant was not reasonably likely to be aware that the respondent would disclose documents obtained from third parties about which the complainant was not aware; and
- that disclosure of the ‘locational information’ contained in the bank statement was not relevant to the decision under review and therefore, the complainant was unlikely to be aware that information of that kind would be disclosed.[i]
The Commissioner noted that the CSA had redacted the complainant’s address from the bank statement before submitting it to the Tribunal and that the CSA was therefore aware that it was entitled to redact irrelevant information.[ii]
Breach of Information Privacy Principle (IPP) 11 – by the respondent’s disclosure to the Tribunal and the complainant’s ex-partner of the complainant’s ‘personal information’ contained in documents obtained from a third party, of which the complainant had no notice, when the complainant was not reasonably likely to have been aware, and had not been made aware by the respondent, that information of that kind is usually disclosed, or is required or authorised by law to be disclosed, to the Tribunal and her ex-partner.
Damages Award:
$3,000 for non-economic loss
‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22
Date of Decision: 19 June 2020
Heard by: Australian Information and Privacy Commissioner, Angelene Falk
Type of Personal Information Held:
The respondent was a registered psychologist and was the complainant’s psychologist between February and November 2014. The Commissioner considered and found that the respondent was an APP entity (ss 6C and 6FB of the Privacy Act 1988 (Cth)) as he was providing a ‘health service’, which includes a service for psychological health.[iii]
The complainant’s ‘personal information’ was contained in the respondent’s clinical records for the complainant, which included the complainant’s name and her health information.
Privacy Breach:
The complainant, through her representatives, wrote to the respondent on 30 October 2017 and again on 8 November 2017 requesting a complete copy of the complainant’s clinical records held by the respondent. Two further unsuccessful attempts were made by the complainant’s representatives to contact the respondent by telephone.
With no response from the respondent, the complainant lodged a complaint with the OAIC on 15 February, 2018. The OAIC made a number of attempts to engage with the respondent and to facilitate the complainant’s access to her personal information – but the respondent did not provide access to the complainant.
Breach of Australian Privacy Principle (APP) 12.1 and APP 12.9:-
- Breach of APP 12.1 – by the respondent denying the complainant access to her ‘personal information’; and
- Breach of APP 12.9 – by the respondent failing to provide the complainant a notice setting out why access was refused and the mechanisms available to complain about the refusal.
Damages Award:
$3,000 for non-economic loss
$2,000 for aggravated damages
AND
A declaration that the respondent must send a copy of the complainant’s clinical records to an authorised person nominated by the complainant OR if this is not possible, a statutory declaration to be provided to the complainant setting out a detailed explanation why this is not possible.
In determining the award for damages, the Commissioner noted that the evidence provided by the complainant (including from the complainant’s health and medical professionals and social worker) “[tended] to support a finding that factors other than the privacy breach caused much of the psychological harm claimed by the complainant.” [iv]
In deciding to award aggravated damages, the Commissioner took into account the respondent’s delay in engaging with the OAIC until late in the investigation, the tone and unsubstantiated comments made by the respondent about the complainant, and “the manner of the respondent”, which the Commissioner found had been insulting towards the complainant and unjustified.[v]
‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd [2020] AICmr 21
Date of Decision: 12 June 2020
Heard by: Australian Information and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed:
The Commissioner found that the respondent had breached the Privacy Act 1988 (Cth) by the unauthorised disclosure of the following ‘personal information’ of the complainants, which included sensitive health information and information about the complainants’ sexual orientation. The ‘personal information’ was disclosed in 2 emails sent to the same incorrect email address of an unknown third party:-
- In respect of both complainants:-
- The complainants’ names;
- The clinic at which both of the complainants had previously participated in a medical study and that they were considering participating in a further study;
- That the complainants were in a same sex relationship with each other;
- That the complainants were HIV positive.
- In respect of the first complainant:-
- The complainant’s personal and work email addresses;
- The complainant’s place of work;
- That the complainant had an appointment with a particular doctor and the date of that appointment;
- That the complainant’s HIV positive status had been diagnosed recently.
Privacy Breach:
Both of the complainants were patients of the respondent clinic. They had previously been part of a global study into aspects of HIV transmission facilitated by the respondent and were considering participating in a further medical study. The complainants had previously provided the respondent with their respective correct email addresses – the first complainant provided, in the first instance, his work email address which contained the name of his place of employment.
On 22 December, 2017 two emails were sent by the respondent to the complainants. The first email used the correct work email address provided by the first complainant and an incorrect email address for the second complainant, which belonged to an unknown third party. The second email was sent to the correct personal email address of the first complainant but to the same incorrect email address for the second complainant. The emails were sent only 15 minutes apart, containing the same names of the complainants and the same subject matter. The second email had a consent form for the medical study attached.
That same afternoon, the first complainant notified the respondent, by return/reply email, that the respondent had used the incorrect email address for the second complainant. Over one month later, on 29 January, 2018, and after a follow up email from the first complainant on 25 January, 2018, the respondent emailed a letter to the complainants offering an apology for the ‘inconvenience and disappointment’ and advising that it was investigating the incident.
Breach of Australian Privacy Principle (APP) 6 and 11.1
- Breach of APP 6 – by disclosing the complainants’ personal information without the complainants’ knowledge or consent.
- Breach of APP 11.1 – by failing to take reasonable steps to protect the complainants’ personal information from unauthorised disclosure.
Damages Award:
To the first complainant
- $10,000 for non-economic loss; and
- $3,400 for economic loss (for costs associated with seeking treatment from a psychologist for stress and psychological harm caused to the first complainant by the disclosures.)
To the second complainant
- $3,000 for non-economic loss
In making an award for economic loss to the first complainant the Commissioner placed ‘significant weight’ [vi] on the two psychologist reports provided as evidence of the damage caused to the first complainant by the unauthorised disclosures.
‘RC’ and TICA Default Tenancy Control Pty Ltd (Privacy) [2019] AICmr 60
Date of Decision: 22 August 2019
Heard By: Australian Information Commissioner and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed:
The Respondent maintained a public record database (‘PRD’), collated from publicly available sources, such as daily court lists.
The Commissioner found that the following information, which was published and disclosed in the Respondent’s PRD without the Complainant’s knowledge, contained ‘personal information’ about the Complainant within the meaning of section 6 of the Privacy Act:-
- The names of the parties to a proceeding in the NSW Civil and Administrative Tribunal (‘NCAT’) being the Complainant and the NSW Land and Housing Corporation;
- The number of that proceeding;
- The hearing date of that proceeding (19 February 2014); and
- The venue for that proceeding.
The Complainant’s name in that PRD listing was listed as her first initial followed by her surname.
Privacy Breach:
Breach of National Privacy Principle (NPP) 1.5 by the Respondent collecting personal information about the Complainant from someone else without taking ‘reasonable steps’ to ensure that the Complainant was or had been made aware of the matters listed in National Privacy Principle (NPP) 1.3 – including how the personal information was collected and used.
The Complainant only became aware of the listing in the Respondent’s PRD when she was alerted to it by an employee of a real estate agent in late February, 2014 while she was looking for private rental accommodation.
When asked by that real estate agent to confirm it, the Complainant confirmed that she was the party referred to in that PRD listing.
The PRD listing was again accessed by another real estate agency on 5 March 2014.
The Complainant applied to NCAT to have the PRD listing removed on 4 April 2014.
The Complainant submitted information:-
- that had she been made aware of the listing she would have been better prepared to discuss the situation with real estate agents; and
- that by the time she was made aware of the PRD listing, the damage had already been done and she had to contact the Respondent and commence proceedings in the NCAT at her own expense, causing her and her family significant distress and inconvenience.
Damages Award:
$1,500 for non-economic loss
‘QP’ and the Commonwealth Bank of Australia Limited (Privacy) [2019] AICmr 48
Date of Decision: 28 June 2019
Heard By: Australian Information Commissioner and Privacy Commissioner, Angelene Falk
Type of Personal Information Requested:
In connection with and for the purposes of verifying information provided by the Complainant in the Complainant’s home loan applications with certain credit providers:-
- The Complainant’s credit history with the Respondent;
- Repayment status of the Complainant’s credit card with the Respondent.
Privacy Breach:
The Complainant previously held a credit card for his business with the Respondent (‘CBA credit card’).
On 15 November, 2013, the Respondent had assigned to the Credit Corp Group (CCG) ‘all its right, title and interest’ in the Complainant’s remaining CBA credit card debt. The following month the Complainant sold his house as he was unable to refinance his home loan to pay off an unrelated debt.
On 15 January 2015 CCG wrote to the Complainant advising that the CBA credit card debt had been paid off and finalised.
Between 2013 and 2014, the Complainant and his wife applied for home loans with six (6) different credit providers, all of which were declined.
In March 2015, the Complainant and his wife again applied for a joint home loan, this time with Liberty Financial Pty Ltd (Liberty). This home loan application was conditionally approved by Liberty but subsequently declined, resulting in the Complainant being unable to proceed with the purchase of a property in May 2015.
Upon being phoned by the Complainant’s wife, Liberty advised her that it had declined their loan application because they had failed to disclose an outstanding credit card debt to the Respondent.
Relevant CBA phone call transcripts were provided:-
- of phone conversations between the CBA and various credit providers (but not Liberty) discussing the Complainant’s credit history with the CBA in connection with the Complainant’s loan applications; and
- of the CBA’s telephone conversation with the Complainant on 5 June 2015 during which the Complainant was told that his CBA credit card debt was showing as still outstanding.
The Australian Information Commissioner and Privacy Commissioner noted that the Complainant had acknowledged that he consented to the Respondent’s use and disclosure of his personal information and did not dispute the permitted use of information.
Breach of Australian Privacy Principle (APP) 10.2 by:-
- the Respondent using and disclosing personal information about the Complainant which was inaccurate, out-of-date and/or incomplete; and
- the Respondent not taking reasonable steps to ensure that the personal information it used and disclosed about the complainant was accurate, complete and/or up-to-date.
Damages Award:
The Complainant’s wife submitted statements regarding the effect of the disclosures on the Complainant. She also provided her statutory declaration in support of the claim for non-economic loss in which she described the resulting and ongoing stress and ‘shame’ being suffered by the Complainant and their family.
$15,000 for non-economic loss.
The Commissioner considered that an additional award of aggravated damages was not appropriate because in awarding the Complainant compensatory damages for hurt and humiliation, the Commissioner had “taken into account that this is not a case of a single privacy breach but rather there were three substantiated uses and/or disclosures of the inaccurate, incomplete and/or out-of-date information; that the interference with the complainant’s privacy took place over a prolonged period of time; and that each time the inaccurate, incomplete and/or out-of-date information was used or disclosed it impacted on the complainant’s emotional wellbeing.”[vii]
(Note that an amount of $800,000 for non-economic loss was claimed by the Complainant.)
‘QF’ & Others and Spotless Group Limited (Privacy) [2019] AICmr 20
Date of Decision: 28 May 2019
Heard By: Australian Information Commissioner and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed:
The names of the Complainants, as part of lists of names of casual employees of Cleanevent (‘List of Names’).
The disclosures were made without the knowledge or authority of the Complainants, as part of an arrangement between Cleanevent and the Australian Workers’ Union (AWU) which included:-
- lists of names of casual employees of Cleanevent (which included the names of the Complainants) being provided by Cleanevent to the AWU;
- payments being made by Cleanevent to AWU for AWU membership of those persons named in the List of Names;
- the payments made by Cleanevent not being dependent on applications being made for membership of the AWU by the Complainants or any other persons named in the List of Names; and
- in the case of those Complainants who were not already AWU members at the time of the disclosures, not being made aware of their purported membership or receiving any benefits of AWU membership.
Privacy Breach:
The fourteen (14) Complainants were employees of Cleanevent Australia Pty Ltd (Cleanevent), a subsidiary of the Respondent.
The Complainants became aware of the disclosures by Cleanevent to the AWU in May 2015 through the proceedings of the Royal Commission into Trade Union Governance and Corruption (Royal Commission).
At the time of the disclosures, 6 Complainants were not an AWU member, while 8 Complainants were already AWU members.
The Respondent acknowledged that the disclosures had occurred.
The Respondent’s Privacy Policy (dated April 2011) which included that ‘we may disclose your information to a third party in the event it is legal to do so and/or we are compelled to do so by law’ was found by the Commissioner to be “insufficient to ensure that employees were aware of the kind of use and disclosure of employee information that was subsequently undertaken by the Respondent in relation to the arrangement between Cleanevent and the AWU” [viii].
Breach of National Privacy Principle (NPP) 2 and 4 by:-
- Breach of NPP 2 – Respondent improperly disclosing, through its related entity Cleanevent, the Complainants’ personal information to the Australian Workers’ Union (AWU), with Respondent’s approval but without the Complainants’ authority or knowledge;
- Breach of NPP 4 – Respondent failing to take reasonable steps to protect the complainants’ personal information from misuse and unauthorised disclosure.
Damages Award:
A total of $60,000 for non-economic loss (including an aggravation component) comprised of:-
- $39,000 – made up of $4,500 for each of the 6 Complainants who were not an AWU member at the time of the disclosures AND $1,500 for each of the 8 Complainants who were already a substantive AWU member at the time of the disclosures; and
- $21,000 as aggravated damages – being $1,500 for each Complainant.
In their submissions, the Complainants had documented their work ethic, their long years of service and their feelings of anger, outrage, injustice and betrayal on becoming aware of the disclosures. They also expressed that they had been experiencing feelings of ‘stress and/or anxiety’ at the actions of their employer – though no additional evidence was provided on these matters.
The Respondent, on the other hand, contended that the Complainants had acted unreasonably in the circumstances, resulting in a protracted process and ongoing costs.
The Commissioner noted that the Respondent’s conduct took place in the context of an employment relationship – a relationship of confidence and trust – and accepted that the Respondent’s apparent indifference towards its privacy obligations in respect of employee information, was a source of additional hurt for the Complainants.
‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51
Date of Decision: 23 March 2018
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
One of the Complainants made the complaint on behalf of him/herself and the other Complainants – acting as the representative complainant for a class of 328 complainant members in total (after opt outs).
The Complainants were employees of two related companies in the concrete/construction industry which were providing services under contract to a third unrelated company (‘Contractor Company’).
The Complainants were members of a superannuation fund operated by the Respondent.
The following personal information was disclosed in three (3) emails forwarded by the Respondent to an employee of the Contractor Company:-
- The Complainants’ full name;
- The Complainants’ date of birth;
- The Complainants’ superannuation member number;
- The Complainants’ most recent employer superannuation contributions; and
- The Complainants’ duration of employment.
In the case of some of the Complainants, the emails also identified any voluntary contributions and employee salary-sacrifice contributions made by those members.
Privacy Breach:
The Respondent breached National Privacy Principle (NPP) 2 by disclosing the Complainants’ personal information to an external organisation for a secondary purpose without the Complainants’ consent to that disclosure.
The Respondent’s Privacy Policy described the purposes for which personal information could be disclosed to third parties and expressly stated that “Your personal information will not be used or disclosed for any other purpose without your consent, except where required by law.” [ix]
However, the Respondent’s safeguards in place to protect the security of members’ personal information were found to be reasonable in the circumstances.
Damages Award:
The Commissioner was not satisfied on the information or statements provided by any of the individual members of the class, that they had suffered any actual loss or damage.
The Commissioner also declined to make an award for damages for non-economic loss. While acknowledging there may have been ‘hurt feelings’ upon becoming aware of the breach, the Commissioner decided that, in the circumstances of the matter, “the most appropriate form of redress is… a public apology that explains the circumstances of breach and what systems [the Respondent] has in place to minimise the risk of the breach recurring”.[x]
‘LU’ and Department of Defence (Privacy) [2017] AICmr 61
Date of Decision: 26 June 2017
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
- the Complainant’s name, postal address and date of birth;
- the Complainant’s Personnel Management Key Solution (PMKeyS) number, a unique employee number allocated to Defence personnel, which provides access to phone number and personal email address information; and
- the Complainant’s health information,
contained in a redacted investigation report (‘Comcare Report’) produced by Comcare, the agency responsible for workplace compensation in the Respondent.
Privacy Breach:
At the time of the disclosures the Complainant was employed by the Respondent in one of its Divisions (the ‘Complainant’s Division’).
At the Complainant’s request, Comcare had investigated whether the Complainant’s employment with the Respondent had contributed to her contraction of a form of cancer and produced an investigation report about its findings (Comcare Report).
A redacted version of the Comcare Report, which had not been properly redacted to de-identify the Complainant, was subsequently made publicly available through the freedom of information log on Comcare’s website.
The disclosures by the Respondent occurred:-
- when, in connection with another Respondent employee’s concerns about an alleged “cancer cluster”, the Respondent sent an email (the ‘Email’) to approximately 1,270 staff in the Complainant’s Division, including the Complainant, which included a link to the redacted Comcare Report; and
- when the Respondent provided a copy of the redacted Comcare Report to a consulting firm which the Respondent had engaged to investigate allegations concerning workplace practices.
The Complainant subsequently became aware that a copy of the redacted Comcare Report had been saved in a general folder of the Respondent’s defence records management system which could be freely accessed by Respondent employees and staff of the Complainant’s Division.
The Complainant was referred by the Respondent for psychological and psychiatric assessment.
The Respondent breached Information Privacy Principle (‘IPP’) 4 and 10 by:
- Failing to protect the Complainant’s personal information (including sensitive health information) against loss, unauthorised access, use, modification or disclosure and other misuse, by such security safeguards as it was reasonable in the circumstances to take; and
- Improperly using the Complainant’s personal information and sensitive health information for a purpose not directly related to the purpose of collection.
Damages Award:
$10,000 for non-economic loss
$3,000 to reimburse the Complainant’s expenses reasonably incurred in making the complaint and having the complaint investigated.
The Complainant provided:-
- a copy of her medical and case assessment reports confirming that she underwent psychological and psychiatric assessments following the privacy breaches;
- a copy of the Complainant’s receipts and invoices for legal costs.
The Commissioner took into account that the Respondent’s audit log recorded that five (5) individuals had accessed the redacted Comcare Report during the one year period that it had been available in a general folder of the Respondent’s defence records management system and that four of them were in key executive roles within the Complainant’s Division and the fifth was the employee who had raised the concerns about the alleged cancer cluster.
The Commissioner also noted that part of the Complainant’s distress was caused by Comcare’s interference with her privacy, and that the Commissioner had awarded the Complainant $20,000 for non-economic loss in the Complainant’s matter against Comcare.[xi]
‘LS’ and ‘LT’ (Privacy) [2017] AICmr 60
Date of Decision: 26 June 2017
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Requested:
- Clinical notes for the respondent’s treatment of the complainant
- Hospital records for the complainant’s inpatient treatment
- Written passages by the complainant
- Second opinion reports
- Character references
Privacy Breach:
Respondent was a consultant psychiatrist.
Complainant was a patient of respondent between 2003 and 2013.
Respondent administered electroconvulsive therapy (ECT) on the complainant.
In 2014, the complainant made a complaint to the Medical Board of Australia (Board) about the administration of the ECT.
As a part of the Board’s investigation, the respondent provided a response to the Board which included personal information relating to the complainant’s treatment by the respondent.
The complainant requested access to the personal information provided by the respondent to the Board. The respondent refused to provide the complainant with access to the information.
Breach of Australian Privacy Principles (APP) 12.5 and 12.9 by:
- Breach of APP 12.5 – Respondent failing to consider what steps, if any, may have addressed any concerns as to the effect of access on the complainant’s health, having regard to the circumstances and meeting the needs of the entity and the complainant; and
- Breach of APP 12.9 – Respondent failing to provide the complainant with a written notice setting out the reasons for refusal and the mechanisms available to complain about the refusal.
Damages Award:
$1,000 for non-economic loss
The complainant provided information to the OAIC that she experienced “pressure” from “this protracted frustrating process”.
‘LP’ and The Westin Sydney (Privacy) [2017] AICmr 53
Date of Decision: 7 June 2017
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
The Privacy Commissioner found that ‘personal information’ was disclosed, not sensitive information or health information.
The phone call disclosed that the complainant was unhappy with the room downgrade and regarded it as ‘obviously unacceptable’.
Privacy Breach:
The Westin Sydney recorded a telephone conversation involving the complainant, without the complainant’s knowledge and in doing so, obtained the complainant’s personal information unfairly, in breach of APP 3.5.
Damages Award:
$1,500 for non-economic loss
‘LA’ and Department of Defence (Privacy) [2017] AICmr 25
Date of Decision: 17 March 2017
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
Details of the complainant’s hospital admissions for a period from the 1970s to 1980s.
Privacy Breach:
Breach of APP 6 by disclosing, for another purpose and without the complainant’s consent, information that had been collected for a particular purpose
The complainant was an employee of the Royal Australian Air Force
The Department of Defence released the personal information to the complainant’s son upon receiving a request from the son for access to the information
Damages Award:
$12,000 for non-economic loss
$3,420 for expenses reasonably incurred
The disclosure of information included disclosure of the complainant’s entire medical history including a prior gambling addiction, which had an adverse effect on the complainant’s psychological health and family relationships.
‘KB’ and Veda Advantage Information Services and Solutions Ltd [2016] AICmr 81
Date of Decision: 25 November 2016
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information:
Credit information about another person was included on the complainant’s credit report because that person had a similar name to the complainant and lived in the same apartment building
Privacy Breach:
Veda had breached sections 20N(1), 20N(2), 20P and 20S(2) of the Privacy Act 1988 (Cth) by:
- Failing to take such steps as were reasonable in the circumstances to ensure that credit information it collected about the complainant was accurate, up-to-date, and complete
- Failing to take such steps as were reasonable in the circumstances to ensure that credit reporting information it disclosed was, having regard to the disclosure, accurate, up-to-date, complete and relevant
- Using or disclosing credit reporting information that was false or misleading in a material particular
- Failing to give each recipient of the incorrect information written notice of correction within a reasonable period
Veda confused the two individuals (the complainant and the other person with a similar name who lived in the same apartment building) and included all of the second person’s poor credit information (including details of a judgment debt of $7,000) on the complainant’s credit report
This affected the complainant’s ability to conduct business as usual: his credit cards were blocked as a result, and suppliers would not supply goods for his business until they had received payment from him
Damages Award:
$10,000 for non-economic loss
$5,830 for expenses reasonably incurred
‘JO’ and Comcare [2016] AICmr 64
Date of Decision: 21 September 2016
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
Details of the complainant’s workers’ compensation claims to Comcare regarding workplace injuries sustained by the complainant whilst working for the Department of Defence and the Department of Human Services
The information disclosed included:
- Complainant’s name
- Complainant’s postal address
- Complainant’s email address
- Complainant’s injury dates
- Registered dates
- Claims status: accepted/rejected
- Claims status: open/closed
Privacy Breach:
Comcare breached APP 6 and 11 by:
- Disclosing information about workplace injuries at the complainant’s current employer to his former employer and an insurance company
- Failing to take reasonable steps to protect the complainant’s personal information from unauthorised disclosure
Damages Award:
$3,000 for non-economic loss
‘IY’ and Business Service Brokers Pty Ltd t/a TeleChoice [2016] AICmr 44
Date of Decision: 30 June 2016
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
The complainant’s driver’s licence, Medicare card and a copy of a telecommunications contract signed by the complainant
Privacy Breach:
TeleChoice breached APP 11.1 and 11.2 by:
- Not taking reasonable steps to protect the complainant’s personal information from misuse, interference and loss; and from unauthorised access, modification or disclosure
- Not taking reasonable steps to destroy or de-identify the complainant’s personal information which it no longer needed for any purpose for which it could have been used or disclosed
A journalist discovered a number of documents including personal TeleChoice customer information in open shipping containers on publicly accessible bushland in Hastings, Victoria
The journalist featured a story on A Current Affair about TeleChoice abandoning customer information in a public place
TeleChoice immediately made a voluntary data breach notification to the OAIC and offered an enforceable undertaking to the OAIC to address the privacy incident
Damages Award:
$3,500 for non-economic loss
‘IX’ and Business Service Brokers Pty Ltd t/a TeleChoice [2016] AICmr 42
Date of Decision: 30 June 2016
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
The complainant’s name was visible on the A Current Affair program about the abandonment of TeleChoice customer information, in footage of a manila folder spilling out of the shipping container’s entrance onto the ground
Privacy Breach:
TeleChoice breached APP 11.1 and 11.2 by:
- Not taking reasonable steps to protect the complainant’s personal information from misuse, interference and loss; and from unauthorised access, modification or disclosure
- Not taking reasonable steps to destroy or de-identify the complainant’s personal information which it no longer needed for any purpose for which it could have been used or disclosed
A journalist discovered a number of documents including personal TeleChoice customer information in open shipping containers on publicly accessible bushland in Hastings, Victoria
The journalist featured a story on A Current Affair about TeleChoice abandoning customer information in a public place
TeleChoice immediately made a voluntary data breach notification to the OAIC and offered an enforceable undertaking to the OAIC to address the privacy incident
Damages Award:
$3,500 for non-economic loss
‘IV’ and ‘IW’ [2016] AICmr 41
Date of Decision: 27 June 2016
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
Medical diagnosis of the complainant of ‘delusional depression’
Privacy Breach:
Breach of APP 6.1 and 10.2 by disclosing the complainant’s personal information to six individual third parties
The respondent was a medical doctor who disclosed the information by email to six individual third parties. The complainant was also a recipient of the email
Damages Award:
$10,000 for non-economic loss
The Privacy Commissioner had regard to the following factors when determining the amount of non-economic loss to award:
- The sensitive nature of the personal information that was disclosed
- The fact that as a patient of the respondent’s, the complainant was in a position of vulnerability
- The fact that the disclosure was made to six third parties
- The responsibility of the respondent as a medical professional to have a sound understanding of his privacy obligations
‘IR’ and NRMA Insurance, Insurance Australia Limited [2016] AICmr 37
Date of Decision: 27 June 2016
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
Details of the insurance policies held by the complainant with NRMA Insurance, which included the following information:
- Policy types
- Policy numbers
- Details of the complainant’s car make, model, year and registration number
- The complainant’s full property address
Privacy Breach:
NRMA had breached APP 6 and 11 by disclosing the complainant’s personal information to a third party, a person with whom the complainant shared one home building insurance policy.
Damages Award:
$3,000 for non-economic loss
The complainant claimed that she suffered distress and anxiety as a result of the disclosure. The Privacy Commissioner accepted that financial information may be considered ‘more sensitive’ than other personal information, but noted that the disclosure was made to a single known party and, as such, awarded only a modest amount of damages.
Authored by Katarina Klaric and Rochina Iannella
© Stephens Lawyers & Consultants. February 2020 – Updated 28 July 2020.
This update is not intended to be a substitute for obtaining legal advice.
For further information contact:
Katarina Klaric
Principal
Stephens Lawyers & Consultants
Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
Email: [email protected]
Website: www.stephens.com.au
All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007
[i] ‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30 at Par. 54
[ii] ‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30 at Pars. 52–53
[iii] ‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 at Pars. 21 & 22
[iv] ‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 at Par. 95
[v] ‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 at Par. 105
[vi] ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd (Privacy) [2020] AICmr 21 at Par. 45
[vii] ‘QP’ and the Commonwealth Bank of Australia Limited (Privacy) [2019] AICmr 48 at Par. 107
[viii] ‘QF’ & Others and Spotless Group Limited (Privacy) [2019] AICmr 20 at Par. 59
[ix] ‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51 at Par. 69
[x] ‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51 at Pars. 91–93
[xi] ‘LB’ and Comcare (Privacy) [2017] AICmr 28 (24 March 2017)