Legal Update

Stephens Lawyers & Consultants provides a review of the compensation awarded in determinations made from 2016 to 13 April 2021 by the Office of the Australian Information Privacy Commissioner in relation to privacy breaches.

| Case | Privacy principles breached | Compensation received |
| --- | --- | --- |
| ‘WZ’ and CEO of Services Australia (Privacy) [2021] AICmr 12 (13 April 2021) | APP 6 — APP 10 — APP 11 | $10,000 for non-economic loss; $8,000 for reasonably incurred legal expenses; $1,980 for reasonably incurred expenses in preparing a medical report |
| ‘XA’ and CEO of Services Australia (Privacy) [2021] AICmr 13 (13 April 2021) | APP 6 — APP 10 — APP 13 | $1,000 for non-economic loss |
| ‘WT’ and Wurli-Wurlinjang Health Service (Privacy) [2021] AICmr 8 (5 March 2021) | No breach of APP 6 — APP 11 | N/A; complaint dismissed |
| ‘WR’ and Telstra Corporation Limited (Privacy) [2021] AICmr 5 (11 February 2021) | No breach of APP 10 and Part IIIA — Credit Reporting Code | N/A; complaint dismissed |
| ‘WQ’ and Commissioner of Taxation (Privacy) [2021] AICmr 4 (11 February 2021) | No breach of APP 6 — APP 10 — APP 11 | N/A; complaint dismissed |
| ‘WP’ and Secretary to the Department of Home Affairs (Privacy) [2021] AICmr 2 (11 January 2021) | IPP 4 – IPP 11 | Compensation awarded — guidance provided on: the manner in which the amount of compensation payable to class members is to be calculated; and the process for determining any dispute regarding the entitlement of a class member to the payment |
| ‘WL’ and Secretary to the Department of Defence [2020] AICmr 69 (22 December 2020) | APP 3 — APP 6 — APP 11 | No compensation awarded |
| ‘WK’ and Hays Specialist Recruitment (Australia) Pty Ltd (Privacy) [2020] AICmr 68 (22 December 2020) | No breach (of Crimes Act 1914 (Cth) — Spent convictions scheme) | N/A; complaint dismissed |
| ‘WG’ and AustralianSuper Pty Ltd (Privacy) AICmr 64 (16 December 2020) | APP 5 — APP 6 — APP 10 — APP 11 | $4,500 for non-economic loss |
| ‘WC’ and Chief of Defence Force (Privacy) [2020] AICmr 60 (27 November 2020) | Breach of s85ZW(b)(ii) of the Crimes Act 1914 (Cth) – by taking into account the fact of the complainant’s spent convictions in a decision to terminate his employment as an officer in the ADF | $6,000 for non-economic loss and $4,850 for reasonably incurred expenses in connection with the privacy complaint |
| Flight Centre Travel Group (Privacy) [2020] AICmr 57 (25 November 2020) | APP 1.2 — APP 6.1 — APP 11.1 | No compensation awarded |
| ‘VU’ and ‘VV’, ‘VW’ (Privacy) [2020] AICmr 52 (14 September 2020) | APP 12 | No compensation awarded |
| ‘VQ’ and Secretary to the Department of Home Affairs (Corrigendum dated 17 December 2020) (Privacy) [2020] AICmr 49 (11 September 2020) | APP 10 and Crimes Act 1914 (Cth) — Spent convictions scheme | $2,500 for non-economic loss |
| ‘VJ’, ‘VK’, ‘VL’ and ‘VM’ (Privacy) [2020] AICmr 45 (2 September 2020) | APP 12 and APP 11 | To 1st complainant – $3,000 for non-economic loss and $1,500 for aggravated damages; to 3rd complainant – $2,000 for economic loss and $1,500 for aggravated damages |
| ‘VN’ and ‘VM’ (Privacy) [2020] AICmr 46 (2 September 2020) | APP 12 and APP 11 | $3,000 for non-economic loss; $295 for economic loss; $3,000 for aggravated damages |
| ‘VI’ and CSIRO (Privacy) [2020] AICmr 44 (19 August 2020) | APP 6 – APP 11 | No compensation was awarded |
| ‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30 (30 June 2020) | IPP 11 | $3,000 for non-economic loss |
| ‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 (19 June 2020) | APP 12 | $3,000 for non-economic loss; $2,000 for aggravated damages |
| ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd (Privacy) [2020] AICmr 21 (12 June 2020) | APP 6 – APP 11 | $10,000 to 1st complainant & $3,000 to 2nd complainant for non-economic loss; $3,400 to 1st complainant for economic loss |
| ‘RC’ and TICA Default Tenancy Control Pty Ltd (Privacy) [2019] AICmr 60 (22 August 2019) | NPP 1.5 | $1,500 for non-economic loss |
| ‘QP’ and the Commonwealth Bank of Australia Limited (Privacy) [2019] AICmr 48 (28 June 2019) | APP 10.2 | $15,000 for non-economic loss |
| ‘QF’ & Others and Spotless Group Limited (Privacy) [2019] AICmr 20 (28 May 2019) | NPP 2 and 4 | A total of $60,000 for non-economic loss shared between 14 Complainants |
| ‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51 (23 March 2018) | NPP 2 | No compensation was awarded |
| ‘LU’ and Department of Defence (Privacy) [2017] AICmr 61 (26 June 2017) | IPP 4 and 10 | $10,000 for non-economic loss; $3,000 for expenses reasonably incurred |
| ‘LS’ and ‘LT’ (Privacy) [2017] AICmr 60 (26 June 2017) | APP 12.5 and 12.9 | $1,000 for non-economic loss |
| ‘LP’ and The Westin Sydney (Privacy) [2017] AICmr 53 (7 June 2017) | APP 3.5 | $1,500 for non-economic loss |
| ‘LB’ and Comcare (Privacy) [2017] AICmr 28 (24 March 2017) | IPP 4 and 11 | $20,000 for non-economic loss; $3,000 for expenses reasonably incurred |
| ‘LA’ and Department of Defence (Privacy) [2017] AICmr 25 (17 March 2017) | APP 6 | $12,000 for non-economic loss; $3,420 for expenses reasonably incurred |
| ‘KB’ and Veda Advantage Information Services and Solutions Ltd [2016] AICmr 81 (25 November 2016) | Sections 20N(1), 20N(2), 20P and 20S(2) of the Privacy Act 1988 (Cth) | $10,000 for non-economic loss; $5,830 for expenses reasonably incurred |
| ‘JO’ and Comcare [2016] AICmr 64 (21 September 2016) | APP 6 and 11 | $3,000 for non-economic loss |
| ‘IY’ and Business Service Brokers Pty Ltd t/a TeleChoice [2016] AICmr 44 (30 June 2016) | APP 11.1 and 11.2 | $3,500 for non-economic loss |
| ‘IX’ and Business Service Brokers Pty Ltd t/a TeleChoice [2016] AICmr 42 (30 June 2016) | APP 11.1 and 11.2 | $3,500 for non-economic loss |
| ‘IV’ and ‘IW’ [2016] AICmr 41 (27 June 2016) | APP 6.1 and 10.2 | $10,000 for non-economic loss |
| ‘IR’ and NRMA Insurance, Insurance Australia Limited [2016] AICmr 37 (27 June 2016) | APP 6 and 11 | $3,000 for non-economic loss |

The Determinations… 

‘WZ’ and CEO of Services Australia (Privacy) [2021] AICmr 12

Date of Decision:  13 April 2021

Heard by: Australian Information and Privacy Commissioner, Angelene Falk

Type of Personal Information Disclosed/Involved:

The complainant’s personal information in the form of her new residential address and her current relationship status.

The complainant and her partner had online accounts with the respondent agency which were linked (including for the purposes of calculating social security entitlements) as they had previously indicated they were in a domestic relationship.  While their accounts remained linked, any change made by either of them to the address on their respective online account would automatically update that information on the online account records of the other.  It was the practice of the respondent agency to keep these records linked until it had verified any claim of a separation from either one of the ‘linked’ individuals.

The complainant separated from her partner after a domestic violence incident.

The complainant subsequently moved to a new address.  This was updated by the respondent on the complainant’s online account records some 3 months after the complainant had advised the respondent of the changed address – which resulted in the automatic update of the complainant’s former partner’s address on his (still) linked online account.

Privacy Breach:

  1. Breach of APP6 – by the respondent disclosing the complainant’s personal information, namely, her new address to her former partner, for a purpose other than that for which it was collected;
  2. Breach of APP10.2 – by the respondent failing to take reasonable steps to ensure that it used accurate and up-to-date personal information of the complainant:-
  • in the form of her relationship status having regard to the purposes of its use, being to update her former partner’s address; and
  • in the form of her address at which she could be contacted;
  3. Breach of APP11.1 – by the respondent failing to take reasonable steps to protect the complainant’s personal information, being her updated address, from unauthorised disclosure to her former partner.

Damages Award:

  1. $10,000 for non-economic loss;
  2. $9,980.00 for economic loss, comprised of:-
  • $8,000 for reasonably incurred legal expenses (being less than the $15,054 claimed by the complainant); and
  • $1,980 for reasonably incurred expenses in preparing a medical report.

In determining the amount of non-economic loss to be awarded in this case, the Commissioner noted that it was worth acknowledging that the privacy breach in this case was ‘not trivial’[i] and considered the damages awards made in a number of previous cases.[ii]

 

‘XA’ and CEO of Services Australia (Privacy) [2021] AICmr 13

Date of Decision:  13 April 2021

Heard by: Australian Information and Privacy Commissioner, Angelene Falk

Type of Personal Information Disclosed/Involved:

The complainant’s personal information in the form of:-

  • the complainant’s address; and
  • the complainant’s financial information, namely that the complainant owed two debts to the Commonwealth based on the respondent agency’s view and decisions that the complainant had been overpaid Family Tax Benefits.

Privacy Breach:

  1. Breach of APP6 – by the respondent disclosing the complainant’s address to an external debt collection agency, in circumstances where the relevant debt had been overturned by the respondent agency; and
  2. Breach of APP13.2 – by the respondent failing to take reasonable steps to notify an external debt collection agency to correct the complainant’s personal information, namely that he owed a debt, in circumstances where the complainant requested such notification and the respondent agency had itself corrected that information.

Damages Award:

$1,000 for non-economic loss.

 

‘WP’ and Secretary to the Department of Home Affairs (Privacy) [2021] AICmr 2

Date of Decision:   11 January 2021

Heard by: Australian Information and Privacy Commissioner, Angelene Falk

Type of Personal Information Disclosed:

The respondent published on its website a ‘Detention Report’ which had an Excel spreadsheet embedded within it (the ‘Spreadsheet’) which unknowingly included and disclosed personal information of over 9000 individuals who were in immigration detention at that time.  The following personal information of each of these class members was disclosed in the breach:-

  • full name, gender, citizenship, date of birth; and
  • period of immigration detention, location, boat arrival details and reasons why the individual had been considered an unlawful non-citizen.

Privacy Breach:

  1. Breach of IPP 11– by the respondent disclosing on a publicly available website the personal information of the class members; and
  2. Breach of IPP 4– by the respondent failing to take reasonable security safeguards:-
  • against loss;
  • against unauthorised access, use, modification or disclosure; and
  • against other misuse.

Damages Award***

  • Damages for non-economic loss or damage arising from the data breach to be determined under five categories of loss or damage, depending on the severity of the impact[iii] – to be paid to each of the ‘Participating Class Members’ being those class members who made submissions and/or provided evidence of their loss or damage and who demonstrated that they suffered loss or damage as a result of the data breach.
  • Damages for economic loss – to be paid on a case-by-case basis.

Aggravated damages not awarded as the Commissioner considered they were not justified in this case.[iv]

[***Note: To read a summary of the process set out by the Commissioner to be followed by the Department when assessing and finalising claims from Participating Class Members to be paid compensation for loss or damage arising from a data breach, see Stephens Lawyers & Consultants’ Privacy Update – February 2021.]

 

‘WL’ and Secretary to the Department of Defence [2020] AICmr 69

Date of Decision: 22 December 2020

Heard by: Acting Australian Information and Privacy Commissioner, Elizabeth Hampton

Type of Personal Information Collected and Disclosed:

The complainant’s Username for an online shopping website (Website) combined with the complainant’s name and account information as the account holder of the Username.

The complainant was a former reservist officer of the Australian Defence Force (ADF).

As part of its enquiries into the suspected unlawful sale of Commonwealth property (ADF items) on an online shopping website (Website), the respondent requested its Service Police Central Records Office (SPCRO) to provide to the respondent the name of the account holder of the Username on that Website, where ADF items were being offered for sale.

The SPCRO sent a request to the Website, requesting the following personal information – which was provided by the Website:-

  1. “Particulars of the Seller (Name, Address, DOB):
  2. Items recently bought and sold by the above: [the Username]
  3. Any additional information [the Website] is willing to provide in relation to the member and their account.”[v]

In response to item 3 in the SPCRO’s request, the Website provided the following ‘additional information’ about the complainant:-

  • The Website feedback score;
  • Password history (no passwords included)
  • Billing history
  • User ID history (with usernames)

While the Acting Commissioner found that the information collected/received under the first 2 categories of the SPCRO’s request was reasonably necessary for its function of investigating a service offence, the Acting Commissioner was not satisfied that the collection of the complainant’s personal information under the category: ‘any additional information [the Website] is willing to provide’ was reasonably necessary for or directly related to one or more of its functions.[vi]

Privacy Breach:

Breach of APP3.1 – by the respondent collecting the complainant’s personal information from a third party in the form of ‘any additional information’ the third party ‘is willing to provide in relation to the member and their account’, which was not reasonably necessary for or directly related to the particular function being exercised

Damages Award:

The complainant sought to be compensated for the cost of the ADF items (which had since been destroyed) and for his legal fees – including those arising from the fact that he had been investigated by Victoria Police.  The Acting Commissioner noted that:-

  • compensation that may be payable is “limited to compensation suffered by reason of the interference with privacy”[vii]; and that
  • the respondent had referred the suspected theft of the ADF items to Victoria Police once the respondent became aware it did not have jurisdiction over that suspected theft[viii] and “before the respondent had determined that the complainant was a civilian and outside of its jurisdiction”[ix].

In deciding not to award any compensation, the Acting Commissioner noted:-

  • that she was not satisfied “that loss stemming from the investigation by Victoria Police [was] causally connected to the privacy breach”[x]; and that
  • “the complainant [had] not provided enough detail for [the Acting Commissioner] to determine whether [the complainant’s] legal fees [were] causally connected to the privacy breach”[xi].

No compensation awarded.

Declaration that a written apology be provided to the complainant.

  

‘WG’ and AustralianSuper Pty Ltd (Privacy) AICmr 64

Date of Decision:  16 December 2020

Heard by: Acting Australian Information and Privacy Commissioner, Elizabeth Hampton

Type of Personal Information Disclosed:

The complainant’s superannuation plan with AustralianSuper included income protection insurance cover.  The personal information disclosed by the respondent was the complainant’s personal information “relating to the complainant’s insurance claim (such as arrangements for medical appointments and information regarding the payment of the claim in so far as it was about the complainant and identifies them)”.[xii]

Privacy Breach:

  1. Breach of APP6 – by the respondent disclosing the complainant’s personal information to the complainant’s previous lawyers after the complainant had advised the respondent in writing that the complainant had withdrawn their consent for the respondent to do so[xiii];
  2. Breach of APP10.2 – by the respondent failing to take reasonable steps to ensure that it used accurate and up-to-date personal information of the complainant, having regard to the purposes of its use; and
  3. Breach of APP11.1 – by the respondent failing to take reasonable steps to protect the complainant’s personal information from unauthorised use and disclosure.

Damages Award:

$4,500 for non-economic loss

No aggravated damages were awarded as the Commissioner found nothing in the respondent’s conduct to warrant it.  The Commissioner declared that a written apology be provided from an appropriately senior officer of the respondent.

 

‘WC’ and Chief of Defence Force (Privacy) [2020] AICmr 60

Date of Decision: 27 November 2020

Heard by: Australian Information and Privacy Commissioner, Angelene Falk

Type of Personal Information Disclosed:

The complainant’s spent conviction(s), which were convictions that the complainant was entitled not to disclose.[xiv]

Privacy Breach:

Breach of s85ZW(b)(ii) of the Crimes Act 1914 (Cth) – by the respondent taking into account the fact of the complainant’s spent convictions in the respondent’s decision to terminate the complainant’s employment as an officer in the ADF.

Damages Award:

The Commissioner, noting the four (4) principles guiding the awarding of compensation, including that compensation should be assessed having regard to the complainant’s reaction and not to the perceived reaction of the majority of the community or of a reasonable person in similar circumstances[xv], awarded the complainant the following compensation:-

$6,000 for non-economic loss caused by the respondent’s conduct; and

$4,850 for reasonably incurred expenses in connection with the privacy complaint.

Note: The complainant had sought reinstatement of his position within the ADF or, in the alternative to reinstatement, compensation.

  

Flight Centre Travel Group (Privacy) [2020] AICmr 57

Date of Decision:  25 November 2020

Heard by: Australian Information and Privacy Commissioner, Angelene Falk

Type of Personal Information Disclosed:

Personal information of approximately 6918 individuals, in the form of their credit card and passport information provided to 90 individuals who had registered for and participated in an event held by the respondent in March 2017 and designed to create technological solutions for travel agents to better support customers during the sales process.  In preparing the dataset, the respondent had obfuscated the details known to contain personal information, leaving what the respondent believed to be only the customer’s year of birth, postcode, gender and booking information.

The information had been available for approximately 36 hours by the time an event participant advised the respondent they had identified credit card information in the dataset provided to all event participants.

The respondent took a number of steps upon being alerted to the disclosure including removing access to the data by the event participants within 30 minutes of being notified, notifying the individuals (whose personal information had been mistakenly disclosed) and requesting that event participants delete that material from the dataset provided to them.

On 16 August, 2017 the Commissioner advised the respondent that the Commissioner had commenced an investigation of this data breach under Section 40(2) of the Privacy Act which would consider if the respondent had met the requirements of APP 1, APP 6, and APP 11.

Section 40(2) of the Privacy Act 1988 states:-

The Commissioner may, on the Commissioner’s own initiative, investigate an act or practice if:

(a) the act or practice may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1; and

(b) the Commissioner thinks it is desirable that the act or practice be investigated.

Privacy Breach:

  1. Breach of APP1.2 – by the respondent failing to take such steps as are reasonable in the circumstances to implement practices, procedures and systems to ensure compliance with the APPs;
  2. Breach of APP6.1 – by the respondent disclosing the individuals’ personal information to third parties participating in a ‘design jam’/product development event without consent, for a purpose other than the primary purpose of collection[xvi]; and
  3. Breach of APP11.1 – by the respondent failing to take such steps as are reasonable in the circumstances to protect the individuals’ personal information from misuse and loss and from unauthorised access, modification or disclosure.

Damages Award:

No compensation was awarded in this case as the Commissioner noted she had “no evidence before [her] to support a declaration that the respondent redress any loss or damage suffered, or that any individuals are entitled to a specified amount by way of compensation”[xvii].

In making her determination, the Commissioner considered only the information and submissions before her – which in this case was the information and submissions from the respondent[xviii].  This included the respondent’s submissions about its prompt actions to notify affected individuals and assistance offered to mitigate any harm, to restrict access to the data, to investigate the data breach incident and review and implement changes to the respondent’s practices – as well as the respondent’s submission in relation to the impact of Covid-19 on its business[xix].

The Commissioner also noted “the candour of the respondent’s submissions provided in response to the OAIC’s inquiries in this investigation”[xx].

The Commissioner also made a declaration that the respondent must not repeat the conduct constituting an interference with the privacy of the (approximately) 6,918 individuals.

 

‘VU’ and ‘VV’, ‘VW’ (Privacy) [2020] AICmr 52

Date of Decision:  14 September 2020

Heard by: Acting Australian Information and Privacy Commissioner, Elizabeth Hampton

Type of Personal Information Disclosed:

The complainant’s personal information, being health information as contained in records of her skin treatments performed by a particular practitioner at the respondents’ clinic – including ‘before photos’ (Records).

Between March and June 2018 the complainant made a number of email requests for her Records to be made available to the complainant and the complainant’s dermatologist.  By 5 June 2018 the respondents had not provided the Records to the complainant and on 20 July 2018 the complainant lodged a complaint with the OAIC – seeking access to her personal information.

Privacy Breach:

Breach of APP 12.1 – 12.4 12.9 – by the respondent failing to respond to and give access to the complainant’s personal information within a reasonable time after the complainant’s request was made, and in the manner requested by the complainant.

Damages Award:

No compensation awarded – as the complainant did not make any claim of loss suffered, nor did she claim any compensation.  Remedial action declared.

 

‘VQ’ and Secretary to the Department of Home Affairs (Corrigendum dated 17 December 2020) (Privacy) [2020] AICmr 49

Date of Decision:  11 September 2020

Heard by: Acting Australian Information and Privacy Commissioner, Elizabeth Hampton

Type of Personal Information Disclosed:

The complainant, a New Zealand citizen, had entered Australia on a visa and had applied to the respondent for Australian citizenship. The complainant’s complaint concerned the following disclosures by the respondent to Interpol NZ of his ‘personal information’ in connection with the respondent’s decision to consider the complainant for a potential visa cancellation on character grounds under the Migration Act 1956 (Cth) – specifically:-

  1. Disclosure of the complainant’s spent conviction (Claim 1); and
  2. A misrepresentation to Interpol NZ that he had declared that he had no criminal convictions on his incoming passenger card when entering Australia (Claim 2).

Privacy Breach:

Breach of APP10.2 (in respect of Claim 2) – by the respondent failing to take reasonable steps to ensure the accuracy of the disclosure of the complainant’s personal information, having regard to the purposes of the disclosure.

The disclosure of the spent conviction information (Claim 1) was considered separately under the Crimes Act 1914 (Cth). The Commissioner found that in this case, the respondent had not breached s85ZW(b) of the Crimes Act in disclosing the complainant’s spent conviction information.

Damages Award:

$2,500 to the complainant for non-economic loss

 

‘VJ’, ‘VK’, ‘VL’ and ‘VM’ (Privacy) [2020] AICmr 45

Date of Decision:  2 September, 2020

Heard by: Australian Information and Privacy Commissioner, Angelene Falk

Type of Personal Information Involved:

The complainants’ personal information – comprised of the complainants’ names and their health information.

The three (3) complainants are siblings. The respondent, a registered psychologist, provided psychological services to each of the complainants, which ceased between 2016 and 2017.  Between October 2018 and April 2019 the complainants’ representative (their mother) made a number of requests for access to the complainants’ personal information held by the respondent, in the form of a report – which the respondent agreed to do.  However, it was not until 25 June 2020, and after the lodgement of the complainants’ complaint with the OAIC,  that the respondent sent the complainants their reports by registered post.

Privacy Breach:

  1. Breach of APP12 ….. – by the respondent failing to provide the complainants with access to their personal information within a reasonable period after the request was made; and
  2. Breach of APP11 (in relation to storage of the complainants’ clinical records at home)….. – by the respondent failing to take steps as are reasonable in the circumstances[xxi], given the highly sensitive nature of the personal information involved, to protect and securely store the complainants’ personal information.

Damages Award:

  1. To the first complainant – a total of $4,500 comprised of:-
  • $3,000 for non-economic loss and
  • $1,500 for aggravated damages.
  2. To the third complainant – a total of $3,500 comprised of:-
  • $2,000 for non-economic loss and
  • $1,500 for aggravated damages.

Plus

The respondent to provide a written apology to each of the three complainants separately.

The Commissioner made no compensation award for the second complainant. Unlike the first and third complainants (who provided statements), the second complainant did not provide a statement or any other direct information about how the privacy breach affected them.  As a result, the Commissioner was “not satisfied that the second complainant has suffered harm as a result of the privacy breach in the absence of direct evidence from them”[xxii]

 

‘VN’ and ‘VM’ (Privacy) [2020] AICmr 46

Date of Decision:  2 September, 2020

Heard by: Australian Information and Privacy Commissioner, Angelene Falk

Type of Personal Information Involved:

In this case the ‘personal information’ was in the complainant’s clinical records which included sensitive information in the form of health information.

The respondent was a registered psychologist who had provided psychological services to the complainant for seven (7) years – ending in 2018. The respondent kept the complainant’s (and all her other clients’) clinical records in a locked filing cabinet in her locked garage at her home.

In response to the complainant’s numerous requests for a copy of her personal information in the form of her clinical records (clinical records), the respondent initially refused to provide her with a copy of her clinical records. Subsequently, instead of her clinical records, the respondent offered to provide a report (report) of the respondent’s involvement with the complainant outlining a summary of the main issues discussed during treatment, the respondent’s diagnosis and the respondent’s recommended ongoing support for the complainant. The respondent claimed to have sent the report to the complainant by ordinary mail but the complainant did not receive the report. The respondent ultimately provided a copy of the report to the OAIC by email 17 months after the complainant lodged a complaint with the OAIC, almost two (2) years after the complainant first requested her records from the respondent.

Privacy Breach:

  1. Breach of APP12 ….. – by the respondent failing to provide the complainant with access to her personal information on request; and
  2. Breach of APP11 ….. – by the respondent failing to take steps as are reasonable in the circumstances, given the highly sensitive nature of the information involved, to protect and securely store the complainant’s personal information.

Damages Award:

A total amount of $6,295 payable to the complainant, apportioned as follows:-

  • $3,000 for non-economic loss;
  • $295 for economic loss (being the fee paid to a lawyer for advice about her rights in respect to her personal information held by the respondent – and evidenced by a copy of the invoice); and
  • $3,000 for aggravated damages.

 

‘VI’ and CSIRO (Privacy) [2020] AICmr 44

Date of Decision: 19 August 2020

Heard by: Australian Information and Privacy Commissioner, Angelene Falk

Type of Personal Information Disclosed:

The complainant’s personal information was contained in a statement for a compensation claim provided by the complainant to the respondent, which included ‘sensitive information’, in the form of the complainant’s ‘health information’.

Privacy Breach:

  1. Breach of APP 6 – by the respondent using and disclosing the complainant’s ‘personal information’ for a ‘secondary purpose’ – being a purpose other than the purpose for which it had been provided by the complainant – without the complainant’s consent; and
  2. Breach of APP 11 – by the respondent failing to take reasonable steps to protect the complainant’s personal information from unauthorised use and disclosure.

Damages Award:

The complainant sought $11,000 for legal fees incurred in pursuing the privacy complaint.

In determining whether to make an award for legal costs, the Commissioner noted that pursuant to Sec 52 (3) of the Privacy Act, a complainant is entitled to a specified amount to reimburse the complainant for expenses ‘reasonably incurred’ in connection with their privacy complaint[xxiii], but also noted that most privacy complaints can be resolved without the need for legal representation, particularly as the OAIC provides a free, informal and accessible complaint process.[xxiv]

In this case, the Commissioner:-

  • made no order for costs as the complainant failed to provide evidence that the expenses were reasonably incurred;
  • ordered the respondent to provide to the complainant a written apology within two weeks of the date of the Commissioner’s determination; and
  • ordered a review of the respondent’s current policies, procedures and training relating to its compliance with APP 6 and APP 11 and that, within six months of receiving the independent reviewer’s report, the respondent report to the Commissioner on the reviewer’s findings and recommendations and on what it has done to implement those findings and recommendations.

 

‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30

Date of Decision: 30 June 2020

Heard by: Australian Information and Privacy Commissioner, Angelene Falk

Type of Personal Information Disclosed:

The complainant’s bank statement which disclosed the following ‘personal information’ to the complainant’s ex-partner:-

  • the date and types of places where the complainant made purchases (supermarkets, petrol stations, cafes and restaurants and the complainant’s medical and health providers); and
  • the name of the suburb or area of the place that those purchases were made by the complainant (‘locational information’).

The complainant had sought to keep her location unknown to her ex-partner as she claimed to fear harm from him.

Privacy Breach:

In 2012 the complainant applied to the Child Support Agency and former Department administering child support (‘CSA’) for a change of assessment to the amount of child support then being paid by her ex-partner. Both the complainant and the ex-partner objected to the decision made by the CSA and sought an internal review of the CSA decision.

The CSA proceeded to collect the complainant’s personal bank information from the complainant’s bank using its statutory collection powers and did not advise the complainant it was doing so. Being unhappy with the internal review decision, the complainant applied to the Social Security Appeals Tribunal (the ‘Tribunal’) for a review of that decision.

As part of the Tribunal review process, the CSA provided the complainant’s bank statement to the Tribunal and the complainant’s ex-partner.

This was the first time that the complainant became aware that her personal information had been collected by CSA.

Whilst the Commissioner found that the CSA had not breached the complainant’s privacy in collecting the complainant’s personal information and that disclosure of the types of places at which the complainant made purchases was relevant to the decision under review by the Tribunal, it was the Commissioner’s view:-

  • that the complainant was not reasonably likely to be aware that the respondent would disclose documents obtained from third parties about which the complainant was not aware; and
  • that disclosure of the ‘locational information’ contained in the bank statement was not relevant to the decision under review and therefore, the complainant was unlikely to be aware that information of that kind would be disclosed.[xxv]  

The Commissioner noted that the CSA had redacted the complainant’s address from the bank statement before submitting it to the Tribunal and that the CSA was therefore aware that it was entitled to redact irrelevant information.[xxvi]

Breach of Information Privacy Principle (IPP) 11 by the respondent’s disclosure to the Tribunal and the complainant’s ex-partner, of the complainant’s ‘personal information’ in documents obtained from a third party of which the complainant had no notice, when the complainant was not reasonably likely to have been aware and had not been made aware by the respondent that such information was the kind that is usually disclosed or required or authorised by law to be disclosed to the Tribunal and her ex-partner.

Damages Award:

$3,000 for non-economic loss

 

‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22

Date of Decision: 19 June 2020

Heard by: Australian Information and Privacy Commissioner, Angelene Falk

Type of Personal Information Held:  

The respondent was a registered psychologist and was the complainant’s psychologist between February and November 2014. The Commissioner considered and found that the respondent was an APP entity (ss 6C and 6FB of the Privacy Act 1988 (Cth)) as he was providing a ‘health service’, which includes a service for psychological health.[xxvii]

The complainant’s ‘personal information’ was contained in the respondent’s clinical records for the complainant, which included the complainant’s name and her health information.

Privacy Breach:

The complainant, through her representatives, wrote to the respondent on 30 October 2017 and again on 8 November 2017 requesting a complete copy of the complainant’s clinical records held by the respondent. Two further unsuccessful attempts were made by the complainant’s representatives to contact the respondent by telephone.

With no response from the respondent, the complainant lodged a complaint with the OAIC on 15 February, 2018. The OAIC made a number of attempts to engage with the respondent and to facilitate the complainant’s access to her personal information – but the respondent did not provide access to the complainant.

Breach of Australian Privacy Principle (APP) 12.1 and APP 12.9:-

  1. Breach of APP 12.1 – by the respondent denying the complainant access to her ‘personal information’; and
  2. Breach of APP 12.9 – by the respondent failing to provide the complainant a notice setting out why access was refused and the mechanisms available to complain about the refusal.

Damages Award:

$3,000 for non-economic loss

$2,000 for aggravated damages

AND

A declaration that the respondent must send a copy of the complainant’s clinical records to an authorised person nominated by the complainant OR if this is not possible, a statutory declaration to be provided to the complainant setting out a detailed explanation why this is not possible.

In determining the award for damages, the Commissioner noted that the evidence provided by the complainant (including from the complainant’s health and medical professionals and social worker) “[tended] to support a finding that factors other than the privacy breach caused much of the psychological harm claimed by the complainant.” [xxviii]

In deciding to award aggravated damages, the Commissioner took into account the respondent’s delay in engaging with the OAIC until late in the investigation, the tone and unsubstantiated comments made by the respondent about the complainant and “the manner of the respondent” which the Commissioner found had been insulting towards the complainant and unjustified.[xxix]

 

‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd [2020] AICmr 21

Date of Decision: 12 June 2020

Heard by: Australian Information and Privacy Commissioner, Angelene Falk

Type of Personal Information Disclosed:

The Commissioner found that the respondent had breached the Privacy Act 1988 (Cth) by the unauthorised disclosure of the following ‘personal information’ of the complainants which included sensitive health information and information about the complainants’ sexual orientation. The ‘personal information’ was disclosed in 2 emails sent to the same incorrect email address of an unknown third party:-

  • In respect of both complainants:-
    • The complainants’ names;
    • The clinic at which both of the complainants had previously participated in a medical study and that they were considering participating in a further study;
    • That the complainants were in a same sex relationship with each other;
    • That the complainants were HIV positive.
  • In respect of the first complainant:-
    • The complainant’s personal and work email addresses;
    • The complainant’s place of work;
    • That the complainant had an appointment with a particular doctor and the date of that appointment;
    • That the complainant’s HIV positive status had been diagnosed recently.

Privacy Breach:

Both of the complainants were patients of the respondent clinic. They had previously been part of a global study into aspects of HIV transmission facilitated by the respondent and were considering participating in a further medical study. The complainants had previously provided the respondent with their respective correct email addresses – the first complainant provided, in the first instance, his work email address which contained the name of his place of employment.

On 22 December, 2017 two emails were sent by the respondent to the complainants.  The first email used the correct work email address provided by the first complainant and an incorrect email address for the second complainant, which belonged to an unknown third party.  The second email was sent to the correct personal email address of the first complainant but to the same incorrect email address for the second complainant.  The emails were sent only 15 minutes apart, containing the same names of the complainants and the same subject matter.  The second email had a consent form for the medical study attached.

That same afternoon, the first complainant notified the respondent, by return/reply email, that the respondent had used the incorrect email address for the second complainant.  Over one month later, on 29 January, 2018, and after a follow up email from the first complainant on 25 January, 2018, the respondent emailed a letter to the complainants offering an apology for the ‘inconvenience and disappointment’ and advising that it was investigating the incident.

Breach of Australian Privacy Principle (APP) 6 and 11.1

  1. Breach of APP 6 – by disclosing the complainants’ personal information without the complainants’ knowledge or consent.
  2. Breach of APP 11.1 – by failing to take reasonable steps to protect the complainants’ personal information from unauthorised disclosure.

Damages Award: 

To the first complainant

  • $10,000 for non-economic loss; and
  • $3,400 for economic loss (for costs associated with seeking treatment from a psychologist for stress and psychological harm caused to the first complainant by the disclosures.)

To the second complainant

  • $3,000 for non-economic loss

In making an award for economic loss to the first complainant the Commissioner placed ‘significant weight’ [xxx] on the two psychologist reports provided as evidence of the damage caused to the first complainant by the unauthorised disclosures.

 

‘RC’ and TICA Default Tenancy Control Pty Ltd (Privacy) [2019] AICmr 60

Date of Decision:  22 August 2019

Heard By: Australian Information Commissioner and Privacy Commissioner, Angelene Falk

Type of Personal Information Disclosed:

The Respondent maintained a public record database (‘PRD’), collated from publicly available sources, such as daily court lists.

The Commissioner found that the following information which was published and disclosed in the Respondent’s PRD, without the Complainant’s knowledge, contained ‘personal information’ about the Complainant within the meaning of Section 6 of the Privacy Act:-

  1. The names of the parties to a proceeding in the NSW Civil and Administrative Tribunal (‘NCAT’) being the Complainant and the NSW Land and Housing Corporation;
  2. The number of that proceeding;
  3. The hearing date of that proceeding (19 February 2014)
  4. The venue for that proceeding.

The Complainant’s name in that PRD listing was listed as her first initial followed by her surname.

Privacy Breach: 

Breach of National Privacy Principle (NPP) 1.5 by the Respondent collecting personal information about the Complainant from someone else without taking ‘reasonable steps’ to ensure that the Complainant was or had been made aware of the matters listed in National Privacy Principle (NPP) 1.3 – including how the personal information was collected and used.

The Complainant only became aware of the listing in the Respondent’s PRD when she was alerted to it by an employee of a real estate agent in late February, 2014 while she was looking for private rental accommodation.

When asked by that real estate agent to confirm it, the Complainant confirmed that she was the party referred to in that PRD listing.

The PRD listing was again accessed by another real estate agency on 5 March 2014.

The Complainant applied to NCAT to have the PRD listing removed on 4 April 2014.

The Complainant submitted information:-

  • that had she been made aware of the listing she would have been better prepared to discuss the situation with real estate agents; and
  • that by the time she was made aware of the PRD listing, the damage had already been done and she had to contact the Respondent and commence proceedings in the NCAT at her own expense, causing her and her family significant distress and inconvenience.

Damages Award:

$1,500 for non-economic loss

 

‘QP’ and the Commonwealth Bank of Australia Limited (Privacy) [2019] AICmr 48

Date of Decision:  28 June 2019

Heard By: Australian Information Commissioner and Privacy Commissioner, Angelene Falk

Type of Personal Information Requested:

In connection with and for the purposes of verifying information provided by the Complainant in the Complainant’s home loan applications with certain credit providers:-

  1. The Complainant’s credit history with the Respondent;
  2. Repayment status of Complainant’s credit card with the Respondent.

Privacy Breach: 

The Complainant previously held a credit card for his business with the Respondent (‘CBA credit card’).

On 15 November, 2013, the Respondent had assigned to the Credit Corp Group (CCG) ‘all its right, title and interest’ in the Complainant’s remaining CBA credit card debt. The following month the Complainant sold his house as he was unable to refinance his home loan to pay off an unrelated debt.

On 15 January 2015 CCG wrote to the Complainant advising that the CBA credit card debt had been paid off and finalised.

Between 2013 and 2014, the Complainant and his wife applied for home loans with six (6) different credit providers, all of which were declined.

In March 2015, the Complainant and his wife again applied for a joint home loan, this time with Liberty Financial Pty Ltd (Liberty).  This home loan application was conditionally approved by Liberty but subsequently declined, resulting in the Complainant being unable to proceed with the purchase of a property in May 2015.

Upon being phoned by the Complainant’s wife, Liberty advised her that it had declined their loan application because they had failed to disclose an outstanding credit card debt to the Respondent.

Relevant CBA phone call transcripts were provided:-

  • of phone conversations between the CBA and various credit providers (but not Liberty) discussing the Complainant’s credit history with the CBA in connection with the Complainant’s loan applications; and
  • of the CBA’s telephone conversation with the Complainant on 5 June 2015 during which the Complainant was told that his CBA credit card debt was showing as still outstanding.

The Australian Information Commissioner and Privacy Commissioner noted that the Complainant had acknowledged that he consented to the Respondent’s use and disclosure of his personal information and did not dispute the permitted use of information.

Breach of Australian Privacy Principle (APP) 10.2 by:-

  • the Respondent using and disclosing personal information about the Complainant which was inaccurate, out-of-date and/or incomplete; and
  • the Respondent not taking reasonable steps to ensure that the personal information it used and disclosed about the complainant was accurate, complete and/or up-to-date.

Damages Award:

The Complainant’s wife submitted statements regarding the effect of the disclosures on the Complainant. She also provided her statutory declaration in support of the claim for non-economic loss in which she described the resulting and ongoing stress and ‘shame’ being suffered by the Complainant and their family.

$15,000 for non-economic loss.

The Commissioner considered that an additional award of aggravated damages was not appropriate because in awarding the Complainant compensatory damages for hurt and humiliation, the Commissioner had “taken into account that this is not a case of a single privacy breach but rather there were three substantiated uses and/or disclosures of the inaccurate, incomplete and/or out-of-date information; that the interference with the complainant’s privacy took place over a prolonged period of time; and that each time the inaccurate, incomplete and/or out-of-date information was used or disclosed it impacted on the complainant’s emotional wellbeing.”[xxxi]

(Note that an amount of $800,000 for non-economic loss was claimed by the Complainant.)

 

‘QF’ & Others and Spotless Group Limited (Privacy) [2019] AICmr 20

Date of Decision:  28 May 2019

Heard By: Australian Information Commissioner and Privacy Commissioner, Angelene Falk

Type of Personal Information Disclosed:

The names of the Complainants, as part of lists of names of casual employees of Cleanevent (‘List of Names’).

The disclosures were made without the knowledge or authority of the Complainants, as part of an arrangement between Cleanevent and the Australian Workers’ Union (AWU) which included:-

  • lists of names of casual employees of Cleanevent (which included the names of the Complainants) being provided by Cleanevent to the AWU;
  • payments being made by Cleanevent to AWU for AWU membership of those persons named in the List of Names;
  • the payments made by Cleanevent not being dependent on applications being made for membership of the AWU by the Complainants or any other persons named in the List of Names; and
  • in the case of those Complainants who were not already AWU members at the time of the disclosures, not being made aware of their purported membership or receiving any benefits of AWU membership.

Privacy Breach:

The fourteen (14) Complainants were employees of Cleanevent Australia Pty Ltd (Cleanevent), a subsidiary of the Respondent.

The Complainants became aware of the disclosures by Cleanevent to the AWU in May 2015 through the proceedings of the Royal Commission into Trade Union Governance and Corruption (Royal Commission).

At the time of the disclosures, 6 Complainants were not AWU members, while 8 Complainants were already AWU members.

The Respondent acknowledged that the disclosures had occurred.

The Respondent’s Privacy Policy (dated April 2011) which included that ‘we may disclose your information to a third party in the event it is legal to do so and/or we are compelled to do so by law’ was found by the Commissioner to be “insufficient to ensure that employees were aware of the kind of use and disclosure of employee information that was subsequently undertaken by the Respondent in relation to the arrangement between Cleanevent and the AWU”.[xxxii]

Breach of National Privacy Principle (NPP) 2 and 4 by:-

  1. Breach of NPP 2 – Respondent improperly disclosing, through its related entity Cleanevent, the Complainants’ personal information to the Australian Workers’ Union (AWU), with Respondent’s approval but without the Complainants’ authority or knowledge;
  2. Breach of NPP 4 – Respondent failing to take reasonable steps to protect the complainants’ personal information from misuse and unauthorised disclosure.

Damages Award:

A total of $60,000 for non-economic loss (including an aggravation component) comprised of:-

  • $39,000 – made up of $4,500 for each of the 6 Complainants who were not AWU members at the time of the disclosures AND $1,500 for each of the 8 Complainants who were already substantive AWU members at the time of the disclosures; and
  • $21,000 as aggravated damages – being $1,500 for each Complainant.

In their submissions, the Complainants had documented their work ethic, their long years of service and their feelings of anger, outrage, injustice and betrayal on becoming aware of the disclosures. They also expressed that they had been experiencing feelings of ‘stress and/or anxiety’ at the actions of their employer – though no additional evidence was provided on these matters.

The Respondent, on the other hand, contended that the Complainants had acted unreasonably in the circumstances, resulting in a protracted process and ongoing costs.

The Commissioner noted that the Respondent’s conduct took place in the context of an employment relationship – a relationship of confidence and trust – and accepted that the Respondent’s apparent indifference towards its privacy obligations in respect of employee information was a source of additional hurt for the Complainants.

 

‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51

Date of Decision:  23 March 2018

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

One of the Complainants made the complaint on behalf of him/herself and the other Complainants – acting as the representative complainant for a class of 328 complainant members in total (after opt outs).

The Complainants were employees of two related companies in the concrete/construction industry which were providing services under contract to a third unrelated company (‘Contractor Company’).

The Complainants were members of a superannuation fund operated by the Respondent.

The following personal information was disclosed in three (3) emails forwarded by the Respondent to an employee of the Contractor Company:-

  1. The Complainants’ full name;
  2. The Complainants’ date of birth;
  3. The Complainants’ superannuation member number;
  4. The Complainants’ most recent employer superannuation contributions; and
  5. The Complainants’ duration of employment.
  6. AND, in the case of some of the Complainants, the emails also identified any voluntary contributions and employee salary-sacrifice contributions made by those members.

Privacy Breach:

The Respondent breached National Privacy Principle (NPP) 2 by disclosing the Complainants’ personal information to an external organisation for a secondary purpose without the Complainants’ consent to that disclosure.

The Respondent’s Privacy Policy described the purposes for which personal information could be disclosed to third parties and expressly stated that “Your personal information will not be used or disclosed for any other purpose without your consent, except where required by law.”[xxxiii]

However, the Respondent’s safeguards in place to protect the security of members’ personal information were found to be reasonable in the circumstances.

Damages Award:

The Commissioner was not satisfied on the information or statements provided by any of the individual members of the class, that they had suffered any actual loss or damage.

The Commissioner also declined to make an award for damages for non-economic loss. While acknowledging there may have been ‘hurt feelings’ upon becoming aware of the breach, the Commissioner decided that, in the circumstances of the matter, “the most appropriate form of redress is… a public apology that explains the circumstances of breach and what systems [the Respondent] has in place to minimise the risk of the breach recurring”.[xxxiv]

 

‘LU’ and Department of Defence (Privacy) [2017] AICmr 61

Date of Decision:  26 June 2017

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

  1. the Complainant’s name, postal address and date of birth;
  2. the Complainant’s Personnel Management Key Solution (PMKeyS) number, a unique employee number allocated to Defence personnel, which provides access to phone number and personal email address information; and
  3. the Complainant’s health information

contained in a redacted investigation report (‘Comcare Report’) produced by Comcare, the agency responsible for workplace compensation in the Respondent.

Privacy Breach:

At the time of the disclosures the Complainant was employed by the Respondent in one of its Divisions (the ‘Complainant’s Division’).

At the Complainant’s request, Comcare had investigated whether the Complainant’s employment with the Respondent had contributed to her contraction of a form of cancer and produced an investigation report about its findings (Comcare Report).

A redacted version of the Comcare Report, which had not been properly redacted to de-identify the Complainant, was subsequently made publicly available through the freedom of information log on Comcare’s website.

The disclosures by the Respondent occurred:-

  • when, in connection with another Respondent employee’s concerns about an alleged “cancer cluster”, the Respondent sent an email (the ‘Email’) to approximately 1,270 staff in the Complainant’s Division, including the Complainant, which included a link to the redacted Comcare Report; and
  • when the Respondent provided a copy of the redacted Comcare Report to a consulting firm which the Respondent had engaged to investigate allegations concerning workplace practices.

The Complainant subsequently became aware that a copy of the redacted Comcare Report had been saved in a general folder of the Respondent’s defence records management system which could be freely accessed by Respondent employees and staff of the Complainant’s Division.

The Complainant was referred by the Respondent for psychological and psychiatric assessment.

The Respondent breached Information Privacy Principle (‘IPP’) 4 and 10 by:

  1. Failing to protect the Complainant’s personal information (including sensitive health information) against loss, unauthorised access, use, modification or disclosure and other misuse, by such security safeguards as were reasonable to take in the circumstances; and
  2. Improperly using the Complainant’s personal information and sensitive health information for a purpose not directly related to the purpose of collection.

Damages Award:

$10,000 for non-economic loss

$3,000 to reimburse the Complainant’s expenses reasonably incurred in making the complaint and having the complaint investigated.

The Complainant provided:-

  1. a copy of her medical and case assessment reports confirming that she underwent psychological and psychiatric assessments following the privacy breaches;
  2. a copy of the Complainant’s receipts and invoices for legal costs

The Commissioner took into account that the Respondent’s audit log recorded that five (5) individuals had accessed the redacted Comcare Report during the one year period that it had been available in a general folder of the Respondent’s defence records management system and that four of them were in key executive roles within the Complainant’s Division and the fifth was the employee who had raised the concerns about the alleged cancer cluster.

The Commissioner also noted that part of the Complainant’s distress was caused by Comcare’s interference with her privacy, and that the Commissioner had awarded the Complainant $20,000 for non-economic loss in the Complainant’s matter against Comcare. [xxxv]

 

‘LS’ and ‘LT’ (Privacy) [2017] AICmr 60

Date of Decision: 26 June 2017

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Requested:

  1. Clinical notes for the respondent’s treatment of the complainant
  2. Hospital records for the complainant’s inpatient treatment
  3. Written passages by the complainant
  4. Second opinion reports
  5. Character references

Privacy Breach:

Respondent was a consultant psychiatrist.

Complainant was a patient of respondent between 2003 and 2013.

Respondent administered electroconvulsive therapy (ECT) on the complainant.

In 2014, the complainant made a complaint to the Medical Board of Australia (Board) about the administration of the ECT.

As a part of the Board’s investigation, the respondent provided a response to the Board which included personal information relating to the complainant’s treatment by the respondent.

The complainant requested access to the personal information provided by the respondent to the Board. The respondent refused to provide the complainant with access to the information.

Breach of Australian Privacy Principles (APP) 12.5 and 12.9 by:

  1. Breach of APP 12.5 – Respondent failing to consider what steps, if any, may have addressed any concerns as to the effect of access on the complainant’s health, having regard to the circumstances and meeting the needs of the entity and the complainant
  2. Breach of APP 12.9 – Respondent failing to provide the complainant with a written notice setting out the reasons for refusal and mechanisms to complain about the refusal

Damages Award:

$1,000 for non-economic loss

The complainant provided information to the OAIC that she experienced “pressure” from “this protracted frustrating process”.

 

‘LP’ and The Westin Sydney (Privacy) [2017] AICmr 53

Date of Decision: 7 June 2017

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

Privacy Commissioner found that ‘personal information’ was disclosed, not sensitive information or health information

The phone call disclosed that the complainant was unhappy with the room downgrade and regarded it as ‘obviously unacceptable’.

Privacy Breach:

The Westin Sydney recorded a telephone conversation involving the complainant, without the complainant’s knowledge and in doing so, obtained the complainant’s personal information unfairly, in breach of APP 3.5.

Damages Award:

$1,500 for non-economic loss

 

‘LA’ and Department of Defence (Privacy) [2017] AICmr 25

Date of Decision: 17 March 2017

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

Details of the complainant’s hospital admissions for a period from the 1970s to 1980s

Privacy Breach:

Breach of APP 6 by disclosing information that was collected for a particular purpose, for some other purpose, without the consent of the complainant

Complainant was employee of the Royal Australian Air Force

The Department of Defence released the personal information to the complainant’s son, upon receiving a request from the complainant’s son for access to the information

Damages Award:

$12,000 for non-economic loss

$3,420 for expenses reasonably incurred

The disclosure of information included disclosure of the complainant’s entire medical history including a prior gambling addiction, which had an adverse effect on the complainant’s psychological health and family relationships.

 

 ‘KB’ and Veda Advantage Information Services and Solutions Ltd [2016] AICmr 81

Date of Decision: 25 November 2016

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information:

Credit information of a person who was not the complainant was included on the complainant’s credit report, because the complainant and the person whose credit information was included on the complainant’s credit report had a similar name and lived in the same apartment building

Privacy Breach:

Veda had breached sections 20N(1), 20N(2), 20P and 20S(2) of the Privacy Act 1988 (Cth) by:

  1. Failing to take such steps as were reasonable in the circumstances to ensure that credit information it collected about the complainant was accurate, up-to-date, and complete
  2. Failing to take steps as were reasonable in the circumstances to ensure that credit reporting information it disclosed was, having regard to the disclosure, accurate, up-to-date, complete and relevant
  3. Using or disclosing credit reporting information that was false or misleading in a material particular
  4. Failing to give each recipient of the incorrect information written notice of correction within a reasonable period

Veda confused two individuals (the complainant and another person with a similar name who lived in the same apartment building) and included all of the second person’s poor credit information (including details of a judgment debt of $7,000) on the complainant’s credit report

This impacted on the complainant’s ability to conduct business as per usual, because his credit cards were blocked as a result and suppliers would not supply goods to him for his business until they received payment from him

Damages Award:

$10,000 for non-economic loss

$5,830 for expenses reasonably incurred

 

‘JO’ and Comcare [2016] AICmr 64

Date of Decision: 21 September 2016

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

Details of the complainant’s workers’ compensation claims to Comcare regarding workplace injuries sustained by the complainant whilst working for the Department of Defence and the Department of Human Services

The information disclosed included:

  • Complainant’s name
  • Complainant’s postal address
  • Complainant’s email address
  • Complainant’s injury dates
  • Registered dates
  • Claims status: accepted/rejected
  • Claims status: open/closed

Privacy Breach:

Comcare breached APP 6 and 11 by:

  1. Disclosing information about workplace injuries at the complainant’s current employer to his former employer and an insurance company
  2. Failing to take reasonable steps to protect the complainant’s personal information from unauthorised disclosure

Damages Award:

$3,000 for non-economic loss

 

‘IY’ and Business Service Brokers Pty Ltd t/a TeleChoice [2016] AICmr 44

Date of Decision: 30 June 2016

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

The complainant’s driver’s licence, Medicare card and a copy of a telecommunications contract signed by the complainant

Privacy Breach:

TeleChoice breached APP 11.1 and 11.2 by:

  1. Not taking reasonable steps to protect the complainant’s personal information from misuse, interference and loss; and from unauthorised access, modification or disclosure
  2. Not taking reasonable steps to destroy or de-identify the complainant’s personal information which it no longer needed for any purpose for which it could have been used or disclosed

A journalist discovered a number of documents including personal TeleChoice customer information in open shipping containers on publicly accessible bushland in Hastings, Victoria

The journalist featured a story on A Current Affair about TeleChoice abandoning customer information in a public place

TeleChoice immediately made a voluntary data breach notification to the OAIC and offered an enforceable undertaking to the OAIC to address the privacy incident

Damages Award:

$3,500 for non-economic loss

 

‘IX’ and Business Service Brokers Pty Ltd t/a TeleChoice [2016] AICmr 42

Date of Decision: 30 June 2016

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

The complainant’s name appeared on the A Current Affair program about the abandonment of TeleChoice customer information on footage of a manila folder spilling out of the shipping container’s entrance onto the ground

Privacy Breach:

TeleChoice breached APP 11.1 and 11.2 by:

  1. Not taking reasonable steps to protect the complainant’s personal information from misuse, interference and loss; and from unauthorised access, modification or disclosure
  2. Not taking reasonable steps to destroy or de-identify the complainant’s personal information which it no longer needed for any purpose for which it could have been used or disclosed

A journalist discovered a number of documents including personal TeleChoice customer information in open shipping containers on publicly accessible bushland in Hastings, Victoria

The journalist featured a story on A Current Affair about TeleChoice abandoning customer information in a public place

TeleChoice immediately made a voluntary data breach notification to the OAIC and offered an enforceable undertaking to the OAIC to address the privacy incident

Damages Award:

$3,500 for non-economic loss

 

‘IV’ and ‘IW’ [2016] AICmr 41

Date of Decision: 27 June 2016

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

Medical diagnosis of the complainant of ‘delusional depression’

Privacy Breach:

Breach of APP 6.1 and 10.2 by disclosing complainant’s personal information to six (6) individual third parties

Respondent was a medical doctor who disclosed the information by email to six individual third parties. Complainant was also a recipient of the email

Damages Award:

$10,000 for non-economic loss

The Privacy Commissioner had regard to the following factors when determining the amount of non-economic loss to award:

  • The sensitive nature of the personal information that was disclosed
  • The fact that as a patient of the respondent’s, the complainant was in a position of vulnerability
  • The fact that the disclosure was made to six third parties
  • The responsibility of the respondent as a medical professional to have a sound understanding of his privacy obligations

 

‘IR’ and NRMA Insurance, Insurance Australia Limited [2016] AICmr 37

Date of Decision: 27 June 2016

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

Details of the insurance policies held by the complainant with NRMA Insurance, which included the following information:

  • Policy types
  • Policy numbers
  • Details of the complainant’s car make, model, year and registration number
  • The complainant’s full property address

Privacy Breach:

NRMA had breached APP 6 and 11 by disclosing the complainant’s personal information to a third party, which was a person with whom the complainant shared one home building insurance policy.

Damages Award:

$3,000 for non-economic loss

The complainant claimed that she suffered distress and anxiety as a result of the disclosure. However, the Privacy Commissioner considered that financial information may be considered ‘more sensitive’ than other information and the disclosure was overtly made to a known party and as such, a modest amount of damages should be awarded.


Authored by Katarina Klaric and Rochina Iannella

© Stephens Lawyers & Consultants. February 2020 – Updated 6 July 2021.

This update is not intended to be a substitute for obtaining legal advice. 

For further information contact:

Katarina Klaric
Principal
Stephens Lawyers & Consultants

Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
Website: www.stephens.com.au 

All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007


[i] ‘WZ’ and CEO of Services Australia (Privacy) [2021] AICmr 12 at Par 109

[ii] ‘WZ’ and CEO of Services Australia (Privacy) [2021] AICmr 12 at Par 112

[iii] ‘WP’ and Secretary to the Department of Home Affairs (Privacy) [2021] AICmr 2, Table at Addendum A and at Par. 76

[iv] ‘WP’ and Secretary to the Department of Home Affairs (Privacy) [2021] AICmr 2 at Par. 85

[v] ‘WL’ and Secretary to the Department of Defence [2020] AICmr 69 at Par 62, 63

[vi] ‘WL’ and Secretary to the Department of Defence [2020] AICmr 69 at Par 98, 99

[vii] ‘WL’ and Secretary to the Department of Defence [2020] AICmr 69 at Par 152

[viii] ‘WL’ and Secretary to the Department of Defence [2020] AICmr 69 at Par 153

[ix] ‘WL’ and Secretary to the Department of Defence [2020] AICmr 69 at Par 119

[x] ‘WL’ and Secretary to the Department of Defence [2020] AICmr 69 at Par 154

[xi] Ibid.

[xii] ‘WG’ and AustralianSuper Pty Ltd (Privacy) AICmr 64 at Par 47

[xiii] ‘WG’ and AustralianSuper Pty Ltd (Privacy) AICmr 64 at Par 80

[xiv] ‘WC’ and Chief of Defence Force (Privacy) [2020] AICmr 60 at Par 46

[xv] ‘WC’ and Chief of Defence Force (Privacy) [2020] AICmr 60 at Par 96

[xvi] Flight Centre Travel Group (Privacy) [2020] AICmr 57 at Pars 40 to 43 – Pars 57 & 68

[xvii] Flight Centre Travel Group (Privacy) [2020] AICmr 57 at Par 120

[xviii] Flight Centre Travel Group (Privacy) [2020] AICmr 57 at Par 14

[xix] Flight Centre Travel Group (Privacy) [2020] AICmr 57 at Par 121

[xx] Flight Centre Travel Group (Privacy) [2020] AICmr 57 at Par 122

[xxi] ‘VJ’, ‘VK’, ‘VL’ and ‘VM’ (Privacy) [2020] AICmr 45 at Par 45 and 46 for discussion of circumstances to be considered in determining if ‘reasonable steps’ have been taken.

[xxii] ‘VJ’, ‘VK’, ‘VL’ and ‘VM’ (Privacy) [2020] AICmr 45 at Par 66 and 67

[xxiii] ‘VI’ and CSIRO (Privacy) [2020] AICmr 44 at Par 61 and 63

[xxiv] ‘VI’ and CSIRO (Privacy) [2020] AICmr 44 at Par 64

[xxv] ‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30 at Par 54

[xxvi] ‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30 at Pars. 52 – 53

[xxvii] ‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 at Pars. 21 & 22

[xxviii] ‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 at Par. 95

[xxix] ‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 at Par. 105

[xxx] ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd [2020] AICmr 21 at par. 45

[xxxi] ‘QP’ and the Commonwealth Bank of Australia Limited (Privacy) [2019] AICmr 48 at Par. 107

[xxxii] ‘QF’ & Others and Spotless Group Limited (Privacy) [2019] AICmr 20 at Par. 59

[xxxiii] ‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51 at Par. 69

[xxxiv] ‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51 at Pars. 91 – 93

[xxxv] ‘LB’ and Comcare (Privacy) [2017] AICmr 28 (24 March 2017)