Stephens Lawyers & Consultants provides a review of the compensation awarded in determinations made during the period 2020 – September 2022 and published by the Office of the Australian Information Commissioner (OAIC) in relation to privacy breaches. Although the OAIC has been involved in the determination of many complaints involving privacy breaches, during 2022 there has been only one published determination by the OAIC where compensation has been awarded. The majority of complaints to the OAIC are resolved by the conciliation process conducted by the OAIC. During the period 2016 to 2022 the awards of compensation have ranged from about $1,000.00 to $20,000.
| CASE | PRIVACY PRINCIPLES BREACHED | COMPENSATION AWARDED |
| --- | --- | --- |
| ‘ZJ’ and Australian Centre for International Agricultural Research (Privacy) [2021] AICmr 92 (17 December, 2021) | APP 6 | $5,000 for non-economic loss |
| ‘WZ’ and CEO of Services Australia (Privacy) [2021] AICmr 12 (13 April 2021) | APP 6 — APP 10 — APP 11 | $10,000 for non-economic loss; $8,000 for reasonably incurred legal expenses; $1,980 for reasonably incurred expenses in preparing a medical report. |
| ‘XA’ and CEO of Services Australia (Privacy) [2021] AICmr 13 (13 April, 2021) | APP 6 — APP 10 — APP 13 | $1,000 for non-economic loss |
| ‘WP’ and Secretary to the Department of Home Affairs (Privacy) [2021] AICmr 2 (11 January, 2021) [NB: This Case is currently under review] | IPP 4 – IPP 11 | Compensation awarded — Guidance provided on:- – Manner in which the amount of compensation payable to class members is to be calculated; and – Process for determining any dispute regarding the entitlement of a class member to the payment |
| ‘WL’ and Secretary to the Department of Defence [2020] AICmr 69 (22 December 2020) | APP 3 — APP 6 — APP 11 | No compensation awarded. |
| ‘WG’ and AustralianSuper Pty Ltd (Privacy) AICmr 64 (16 December 2020) | APP 5 — APP 6 — APP 10 — APP 11 | $4,500 for non-economic loss |
| ‘WC’ and Chief of Defence Force (Privacy) [2020] AICmr 60 (27 November 2020) | Breach of s85ZW(b)(ii) of the Crimes Act 1914 (Cth) – by taking into account the fact of the complainant’s spent convictions in a decision to terminate his employment as an officer in the ADF. | $6,000 for non-economic loss and $4,850 for reasonably incurred expenses in connection with the privacy complaint |
| Flight Centre Travel Group (Privacy) [2020] AICmr 57 (25 November 2020) | APP 1.2 — APP 6.1 — APP 11.1 | No compensation awarded |
| ‘VU’ and ‘VV’, ‘VW’ (Privacy) [2020] AICmr 52 (14 September 2020) | APP12 | No compensation awarded |
| ‘VQ’ and Secretary to the Department of Home Affairs (Corrigendum dated 17 December 2020) (Privacy) [2020] AICmr 49 (11 September, 2020) | APP 10 and Crimes Act 1914 (Cth) — Spent convictions scheme | $2,500 for non-economic loss |
| ‘VJ’, ‘VK’, ‘VL’ and ‘VM’ (Privacy) [2020] AICmr 45 (2 September, 2020) | APP12 and APP11 | To 1st complainant – $3,000 for non-economic loss and $1,500 for aggravated damages. To 3rd complainant – $2,000 for economic loss and $1,500 for aggravated damages |
| ‘VN’ and ‘VM’ (Privacy) [2020] AICmr 46 (2 September, 2020) | APP12 and APP11 | $3,000 for non-economic loss; $295 for economic loss; and $3,000 for aggravated damages |
| ‘VI’ and CSIRO (Privacy) [2020] AICmr 44 (19 August, 2020) | APP6 – APP11 | No compensation was awarded |
| ‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30 (30 June 2020) | IPP 11 | $3,000 for non-economic loss |
| ‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 (19 June 2020) | APP 12 | $3,000 for non-economic loss; $2,000 for aggravated damages |
| ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd (Privacy) [2020] AICmr 21 (12 June 2020) | APP 6 – APP 11 | $10,000 to 1st complainant & $3,000 to 2nd complainant for non-economic loss; $3,400 to 1st complainant for economic loss |

The Determinations
‘ZJ’ and Australian Centre for International Agricultural Research (Privacy) [2021] AICmr 92
Date of Decision: 17 December 2021
Heard by: Australian Information Commissioner and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed/Involved:
The complainant’s personal information comprised of and contained in the complainant’s email to the Department of Foreign Affairs and Trade in which the complainant made a complaint.
The complainant had sent an email to the Department of Foreign Affairs and Trade (‘the Department’) which contained the complainant’s personal information (‘the Complainant’s Original Email’). The complainant asked that the personal information be kept confidential. The Department responded to the Complainant’s Original Email advising that the Australian Centre for International Agricultural Research (‘the Agency’) was the appropriate agency to deal with the matter while simultaneously copying the Agency in and forwarding to the Agency the Complainant’s Original Email containing the complainant’s personal information.
The complainant made an FOI request to the Agency seeking documents relating to the subject of the Complainant’s Original Email and related information concerning any dissemination of the Complainant’s Original Email within the Agency. The Agency provided the requested documents to the Complainant in full and subsequently published the FOI documents (which included the Complainant’s Original Email) on the Agency’s Disclosure Log which was accessible on the Agency’s website.
The Agency took down pages containing the Complainant’s personal information from the Disclosure Log on the Agency’s website within 24 hours of receiving the complainant’s request. The personal information had been viewed 17 times in the previous 30 days.
The complainant’s claim against the Agency included a claim for non-economic loss as well as a claim for economic loss of $418,481 (which included legal fees of $6,779 incurred in pursuing this privacy breach complaint).
Privacy Breach:
Breach of APP6 – by the respondent disclosing the personal information in the FOI Disclosure Log on its website in circumstances where such disclosure of the personal information was unreasonable.
Damages Award:
$5,000 for non-economic loss “in the form of hurt feelings, humiliation, stress, and feelings of anxiety”[i].
In determining the amount of non-economic loss to be awarded, the Commissioner “considered the nature of the information, being sensitive racial or ethnic origin information, the fact that the disclosure was available on the Agency’s website, the impact of the collection and disclosure on the complainants, and the relevant case law”[ii]
In regard to the complainant’s claim for legal fees, the Commissioner found that the complainant had failed to provide evidence to substantiate the claim.
‘WZ’ and CEO of Services Australia (Privacy) [2021] AICmr 12
Date of Decision: 13 April 2021
Heard by: Australian Information Commissioner and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed/Involved:
The complainant’s personal information in the form of her new residential address and her current relationship status.
The complainant and her partner had online accounts with the respondent agency which were linked (including for the purposes of calculating social security entitlements) as they had previously indicated they were in a domestic relationship. While their accounts remained linked, any change made by either of them to the address on their respective online account would automatically update that information on the online account records of the other. It was the practice of the respondent agency to keep these records linked until it had verified any claim of a separation from either one of the ‘linked’ individuals.
The complainant separated from her partner after a domestic violence incident.
The complainant subsequently moved to a new address. This was updated by the respondent on the complainant’s online account records some 3 months after the complainant had advised the respondent of the changed address – which resulted in the automatic update of the complainant’s former partner’s address on his (still) linked online account.
Privacy Breach:
- Breach of APP6 – by the respondent disclosing the complainant’s personal information, namely, her new address to her former partner, for a purpose other than that for which it was collected;
- Breach of APP10.2 – by the respondent failing to take reasonable steps to ensure that it used accurate and up-to-date personal information of the complainant:-
  - in the form of her relationship status having regard to the purposes of its use, being to update her former partner’s address; and
  - in the form of her address at which she could be contacted;
- Breach of APP11.1 – by the respondent failing to take reasonable steps to protect the complainant’s personal information, being her updated address, from unauthorised disclosure to her former partner.
Damages Award:
- $10,000 for non-economic loss;
- $9,980.00 for economic loss, comprised of:-
  - $8,000 for reasonably incurred legal expenses (being less than the $15,054 claimed by the complainant); and
  - $1,980 for reasonably incurred expenses in preparing a medical report.
In determining the amount of non-economic loss to be awarded in this case, the Commissioner noted that it was worth acknowledging that the privacy breach in this case was ‘not trivial’[iii] and considered the damages awards made in a number of previous cases.[iv]
‘XA’ and CEO of Services Australia (Privacy) [2021] AICmr 13
Date of Decision: 13 April 2021
Heard by: Australian Information and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed/Involved:
The complainant’s personal information in the form of:-
- the complainant’s address; and
- the complainant’s financial information, namely that the complainant owed two debts to the Commonwealth based on the respondent agency’s view and decisions that the complainant had been overpaid Family Tax Benefits.
Privacy Breach:
- Breach of APP6 – by the respondent disclosing the complainant’s address to an external debt collection agency, in circumstances where the relevant debt had been overturned by the respondent agency; and
- Breach of APP13.2 – by the respondent failing to take reasonable steps to notify an external debt collection agency to correct the complainant’s personal information, namely that he owed a debt, in circumstances where the complainant requested such notification and the respondent agency had itself corrected that information.
Damages Award:
$1,000 for non-economic loss.
‘WP’ and Secretary to the Department of Home Affairs (Privacy) [2021] AICmr 2
Date of Decision: 11 January 2021
Heard by: Australian Information and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed:
The respondent published on its website a ‘Detention Report’ which had an Excel spreadsheet embedded within it (the ‘Spreadsheet’) which unknowingly included and disclosed personal information of over 9000 individuals who were in immigration detention at that time. The following personal information of each of these “class members” was disclosed in the breach:-
- full name, gender, citizenship, date of birth; and
- period of immigration detention, location, boat arrival details and reasons why the individual had been considered an unlawful non-citizen.
Privacy Breach:
- Breach of IPP 11 – by the respondent disclosing on a publicly available website the personal information of the class members; and
- Breach of IPP 4 – by the respondent failing to take reasonable security safeguards:-
  - against loss;
  - against unauthorised access, use, modification or disclosure; and
  - against other misuse.
Damages Award***:
- Damages for non-economic loss or damage arising from the data breach to be determined under five categories of loss or damage, depending on the severity of the impact[v] – to be paid to each of the ‘Participating Class Members’ being those class members who made submissions and/or provided evidence of their loss or damage and who demonstrated that they suffered loss or damage as a result of the data breach.
- Damages for economic loss – to be paid on a case-by-case basis.
Aggravated damages not awarded as the Commissioner considered they were not justified in this case.[vi]
[***To read a summary of the process set out by the Commissioner to be followed by the Department when assessing and finalising claims from Participating Class Members to be paid compensation for loss or damage arising from a data breach, see Stephens Lawyers & Consultants’ Privacy Update – February 2021 HERE ]
‘WL’ and Secretary to the Department of Defence [2020] AICmr 69
Date of Decision: 22 December 2020
Heard by: Acting Australian Information and Privacy Commissioner, Elizabeth Hampton
Type of Personal Information Collected and Disclosed:
The complainant’s Username for an online shopping website (Website) combined with the complainant’s name and account information as the account holder of the Username.
The complainant was a former reservist officer of the Australian Defence Force (ADF).
As part of its enquiries into the suspected unlawful sale of Commonwealth property (ADF items) on the Website, the respondent requested its Service Police Central Records Office (SPCRO) to provide to the respondent the name of the account holder of the Username on that Website, where ADF items were being offered for sale.
The SPCRO sent a request to the Website, requesting the following personal information – which was provided by the Website:-
“1. Particulars of the Seller (Name, Address, DOB):
2. Items recently bought and sold by the above: [the Username]
3. Any additional information [the Website] is willing to provide in relation to the member and their account.”[vii]
In response to item 3 in the SPCRO’s request, the Website provided the following ‘additional information’ about the complainant:-
- The Website feedback score;
- Password history (no passwords included)
- Billing history
- User ID history (with usernames)
While the Acting Commissioner found that the information collected/received under the first 2 categories of the SPCRO’s request was reasonably necessary for its function of investigating a service offence, the Acting Commissioner was not satisfied that the collection of the complainant’s personal information under the category: ‘any additional information [the Website] is willing to provide’ was reasonably necessary for or directly related to one or more of its functions.[viii]
Privacy Breach:
Breach of APP3.1 – by the respondent collecting the complainant’s personal information from a third party in the form of ‘any additional information’ the third party ‘is willing to provide in relation to the member and their account’, which was not reasonably necessary for or directly related to the particular function being exercised
Damages Award:
The complainant sought to be compensated for the cost of the ADF items (which had since been destroyed) and for his legal fees – including those arising from the fact that he had been investigated by Victoria Police. The Acting Commissioner noted that:-
- compensation that may be payable is “limited to compensation suffered by reason of the interference with privacy”[ix]; and that
- the respondent had referred the suspected theft of the ADF items to Victoria Police once the respondent became aware it did not have jurisdiction over that suspected theft[x] and “before the respondent had determined that the complainant was a civilian and outside of its jurisdiction”[xi].
In deciding not to award any compensation, the Acting Commissioner noted:-
- that she was not satisfied “that loss stemming from the investigation by Victoria Police [was] causally connected to the privacy breach”[xii]; and that
- “the complainant [had] not provided enough detail for [the Acting Commissioner] to determine whether [the complainant’s] legal fees [were] causally connected to the privacy breach”[xiii].
No compensation awarded.
Declaration that a written apology be provided to the complainant.
‘WG’ and AustralianSuper Pty Ltd (Privacy) AICmr 64
Date of Decision: 16 December 2020
Heard by: Acting Australian Information and Privacy Commissioner, Elizabeth Hampton
Type of Personal Information Disclosed:
The complainant’s superannuation plan with AustralianSuper included income protection insurance cover. The personal information disclosed by the respondent was the complainant’s personal information “relating to the complainant’s insurance claim (such as arrangements for medical appointments and information regarding the payment of the claim in so far as it was about the complainant and identifies them)”.[xiv]
Privacy Breach:
- Breach of APP6 – by the respondent disclosing the complainant’s personal information to the complainant’s previous lawyers after the complainant had advised the respondent in writing that the complainant had withdrawn their consent for the respondent to do so[xv];
- Breach of APP10.2 – by the respondent failing to take reasonable steps to ensure that it used accurate and up-to-date personal information of the complainant, having regard to the purposes of its use; and
- Breach of APP11.1 – by the respondent failing to take reasonable steps to protect the complainant’s personal information from unauthorised use and disclosure.
Damages Award:
$4,500 for non-economic loss
No aggravated damages were awarded as the Commissioner found nothing in the respondent’s conduct to warrant it. The Commissioner declared that a written apology be provided from an appropriately senior officer of the respondent.
‘WC’ and Chief of Defence Force (Privacy) [2020] AICmr 60
Date of Decision: 27 November 2020
Heard by: Australian Information and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed:
The complainant’s spent conviction(s), which were convictions that the complainant was entitled not to disclose.[xvi]
Privacy Breach:
Breach of s85ZW(b)(ii) of the Crimes Act 1914 (Cth) – by the respondent taking into account the fact of the complainant’s spent convictions in the respondent’s decision to terminate the complainant’s employment as an officer in the ADF.
Damages Award:
The Commissioner, noting the four (4) principles guiding the awarding of compensation including that “compensation should be assessed having regard to the complainant’s reaction and not to the perceived reaction of the majority of the community or of a reasonable person in similar circumstances”[xvii], awarded the complainant the following compensation:-
$6,000 for non-economic loss caused by the respondent’s conduct; and
$4,850 for reasonably incurred expenses in connection with the privacy complaint.
Note: The complainant had sought reinstatement of his position within the ADF or, in the alternative to reinstatement, compensation.
Flight Centre Travel Group (Privacy) [2020] AICmr 57
Date of Decision: 25 November 2020
Heard by: Australian Information and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed:
Personal information of approximately 6918 individuals, in the form of their credit card and passport information provided to 90 individuals who had registered for and participated in an event held by the respondent in March 2017 and designed to create technological solutions for travel agents to better support customers during the sales process. In preparing the dataset, the respondent had obfuscated the details known to contain personal information, leaving what the respondent believed to be only the customer’s year of birth, postcode, gender and booking information.
The information had been available for approximately 36 hours by the time an event participant advised the respondent they had identified credit card information in the dataset provided to all event participants.
The respondent took a number of steps upon being alerted to the disclosure including removing access to the data by the event participants within 30 minutes of being notified, notifying the individuals (whose personal information had been mistakenly disclosed) and requesting that event participants delete that material from the dataset provided to them.
On 16 August, 2017 the Commissioner advised the respondent that the Commissioner had commenced an investigation of this data breach under Section 40(2) of the Privacy Act which would consider if the respondent had met the requirements of APP 1, APP 6, and APP 11.
Section 40(2) of the Privacy Act 1988 states:-
“The Commissioner may, on the Commissioner’s own initiative, investigate an act or practice if:
(a) the act or practice may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1; and
(b) the Commissioner thinks it is desirable that the act or practice be investigated.”
Privacy Breach:
- Breach of APP1.2 – by the respondent failing to take such steps as are reasonable in the circumstances to implement practices, procedures and systems to ensure compliance with the APPs;
- Breach of APP6.1 – by the respondent disclosing the individuals’ personal information to third parties participating in a ‘design jam’/product development event without consent, for a purpose other than the primary purpose of collection[xviii]; and
- Breach of APP11.1 – by the respondent failing to take such steps as are reasonable in the circumstances to protect the individuals’ personal information from misuse and loss and from unauthorised access, modification or disclosure.
Damages Award:
No compensation was awarded in this case as the Commissioner noted she had “no evidence before [her] to support a declaration that the respondent redress any loss or damage suffered, or that any individuals are entitled to a specified amount by way of compensation” [xix]
In making her determination, the Commissioner considered only the information and submissions before her – which in this case was the information and submissions from the respondent[xx]. This included the respondent’s submissions about its prompt actions to notify affected individuals and assistance offered to mitigate any harm, to restrict access to the data, to investigate the data breach incident and review and implement changes to the respondent’s practices – as well as the respondent’s submission in relation to the impact of Covid-19 on its business[xxi].
The Commissioner also noted “the candour of the respondent’s submissions provided in response to the OAIC’s inquiries in this investigation”[xxii].
The Commissioner also made a declaration that the respondent must not repeat the conduct constituting an interference with the privacy of the (approximately) 6,918 individuals.
‘VU’ and ‘VV’, ‘VW’ (Privacy) [2020] AICmr 52
Date of Decision: 14 September 2020
Heard by: Acting Australian Information and Privacy Commissioner, Elizabeth Hampton
Type of Personal Information Disclosed:
The complainant’s personal information, being health information as contained in records of her skin treatments performed by a particular practitioner at the respondents’ clinic – including ‘before photos’ (Records).
Between March and June 2018 the complainant made a number of email requests for her Records to be made available to the complainant and the complainant’s dermatologist. By 5 June 2018 the respondents had not provided the Records to the complainant and on 20 July 2018 the complainant lodged a complaint with the OAIC – seeking access to her personal information.
Privacy Breach:
Breach of APP 12.1 – 12.4 – 12.9 – by the respondent failing to respond to and give access to the complainant’s personal information within a reasonable time after the complainant’s request was made, and in the manner requested by the complainant.
Damages Award:
No compensation awarded – as the complainant did not make any claim of loss suffered, nor did she claim any compensation. Remedial action declared.
‘VQ’ and Secretary to the Department of Home Affairs (Corrigendum dated 17 December 2020) (Privacy) [2020] AICmr 49
Date of Decision: 11 September 2020
Heard by: Acting Australian Information and Privacy Commissioner, Elizabeth Hampton
Type of Personal Information Disclosed:
The complainant, a New Zealand citizen, had entered Australia on a visa and had applied to the respondent for Australian citizenship. The complaint concerned the following disclosures by the respondent to Interpol NZ of his ‘personal information’ in connection with the respondent’s decision to consider the complainant for a potential visa cancellation on character grounds under the Migration Act 1956 (Cth) – specifically:-
- Disclosure of the complainant’s spent conviction (Claim 1); and
- A misrepresentation to Interpol NZ that he had declared that he had no criminal convictions on his incoming passenger card when entering Australia (Claim 2).
Privacy Breach:
Breach of APP10.2 (in respect of Claim 2) – by the respondent failing to take reasonable steps to ensure the accuracy of the disclosure of the complainant’s personal information, having regard to the purposes of the disclosure.
The disclosure of the spent conviction information (Claim 1) was considered separately under the Crimes Act 1914 (Cth). The Commissioner found that in this case, the respondent had not breached s85ZW(b) of the Crimes Act in disclosing the complainant’s spent conviction information.
Damages Award:
$2,500 to the complainant for non-economic loss
‘VJ’, ‘VK’, ‘VL’ and ‘VM’ (Privacy) [2020] AICmr 45
Date of Decision: 2 September, 2020
Heard by: Australian Information and Privacy Commissioner, Angelene Falk
Type of Personal Information Involved:
The complainants’ personal information – comprised of the complainants’ names and their health information.
The three (3) complainants are siblings. The respondent, a registered psychologist, provided psychological services to each of the complainants, which ceased between 2016 and 2017. Between October 2018 and April 2019 the complainants’ representative (their mother) made a number of requests for access to the complainants’ personal information held by the respondent, in the form of a report – which the respondent agreed to do. However, it was not until 25 June 2020, and after the lodgement of the complainants’ complaint with the OAIC, that the respondent sent the complainants their reports by registered post.
Privacy Breach:
- Breach of APP12 ….. – by the respondent failing to provide the complainants with access to their personal information within a reasonable period after the request was made; and
- Breach of APP11 (in relation to storage of the complainants’ clinical records at home)….. – by the respondent failing to take steps as are reasonable in the circumstances[xxiii], given the highly sensitive nature of the personal information involved, to protect and securely store the complainants’ personal information.
Damages Award:
- To the first complainant – a total of $4,500 comprised of:-
  - $3,000 for non-economic loss; and
  - $1,500 for aggravated damages.
- To the third complainant – a total of $3,500 comprised of:-
  - $2,000 for non-economic loss; and
  - $1,500 for aggravated damages.
Plus
The respondent to provide a written apology to each of the three complainants separately.
The Commissioner made no compensation award for the second complainant. Unlike the first and third complainants (who provided statements), the second complainant did not provide a statement or any other direct information about how the privacy breach affected them. As a result, the Commissioner was “not satisfied that the second complainant has suffered harm as a result of the privacy breach in the absence of direct evidence from them”[xxiv]
‘VN’ and ‘VM’ (Privacy) [2020] AICmr 46
Date of Decision: 2 September, 2020
Heard by: Australian Information and Privacy Commissioner, Angelene Falk
Type of Personal Information Involved:
In this case the ‘personal information’ was in the complainant’s clinical records which included sensitive information in the form of health information.
The respondent was a registered psychologist who had provided psychological services to the complainant for seven (7) years – ending in 2018. The respondent kept the complainant’s (and all her other clients’) clinical records in a locked filing cabinet in her locked garage at her home.
In response to the complainant’s numerous requests for a copy of her personal information in the form of her clinical records (clinical records), the respondent initially refused to provide her with a copy of her clinical records. Subsequently, instead of her clinical records, the respondent offered to provide a report (report) of the respondent’s involvement with the complainant outlining a summary of the main issues discussed during treatment, the respondent’s diagnosis and the respondent’s recommended ongoing support for the complainant. The respondent claimed to have sent the report to the complainant by ordinary mail but the complainant did not receive the report. The respondent ultimately provided a copy of the report to the OAIC by email 17 months after the complainant lodged a complaint with the OAIC, almost two (2) years after the complainant first requested her records from the respondent.
Privacy Breach:
- Breach of APP12 ….. – by the respondent failing to provide the complainant with access to her personal information on request; and
- Breach of APP11 ….. – by the respondent failing to take steps as are reasonable in the circumstances, given the highly sensitive nature of the information involved, to protect and securely store the complainant’s personal information.
Damages Award:
A total amount of $6,295 payable to the complainant, apportioned as follows:-
- $3,000 for non-economic loss;
- $295 for economic loss (being the fee paid to a lawyer for advice about her rights in respect to her personal information held by the respondent – and evidenced by a copy of the invoice); and
- $3,000 for aggravated damages.
‘VI’ and CSIRO (Privacy) [2020] AICmr 44
Date of Decision: 19 August 2020
Heard by: Australian Information and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed:
The complainant’s personal information was contained in a statement for a compensation claim provided by the complainant to the respondent, which included ‘sensitive information’, in the form of the complainant’s ‘health information’.
Privacy Breach:
- Breach of APP 6 – by the respondent using and disclosing the complainant’s ‘personal information’ for a ‘secondary purpose’ – being a purpose other than the purpose for which it had been provided by the complainant – without the complainant’s consent; and
- Breach of APP 11 – by the respondent failing to take reasonable steps to protect the complainant’s personal information from unauthorised use and disclosure.
Damages Award:
The complainant sought $11,000 for legal fees incurred in pursuing the privacy complaint.
In determining whether to make an award for legal costs, the Commissioner noted that pursuant to Sec 52 (3) of the Privacy Act, a complainant is entitled to a specified amount to reimburse the complainant for expenses ‘reasonably incurred’ in connection with their privacy complaint[xxv], but also noted that most privacy complaints can be resolved without the need for legal representation, particularly as the OAIC provides a free, informal and accessible complaint process.[xxvi]
In this case, the Commissioner:-
- made no order for costs as the complainant failed to provide evidence that the expenses were reasonably incurred;
- ordered the respondent to provide to the complainant a written apology within two weeks of the date of the Commissioner’s determination; and
- ordered a review of the respondent’s current policies, procedures and training relating to its compliance with APP 6 and APP 11 and that within six months of receiving the independent reviewer’s report, the respondent report to the Commissioner on the reviewer’s findings and recommendations and on what it has done to implement those findings and recommendations.
ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30
Date of Decision: 30 June 2020
Heard by: Australian Information and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed:
The complainant’s bank statement which disclosed the following ‘personal information’ to the complainant’s ex-partner:-
- the date and types of places where the complainant made purchases (supermarkets, petrol stations, cafes and restaurants and the complainant’s medical and health providers); and
- the name of the suburb or area of the place that those purchases were made by the complainant (‘locational information’).
The complainant had sought to keep her location unknown to her ex-partner as she claimed to fear harm from him.
Privacy Breach:
In 2012 the complainant applied to the Child Support Agency and former Department administering child support (‘CSA’) for a change of assessment to the amount of child support then being paid by her ex-partner. Both the complainant and the ex-partner objected to the decision made by the CSA and sought an internal review of the CSA decision.
The CSA proceeded to collect the complainant’s personal bank information from the complainant’s bank using its statutory collection powers and did not advise the complainant it was doing so. Being unhappy with the internal review decision, the complainant applied to the Social Security Appeals Tribunal (the ‘Tribunal’) for a review of that decision.
As part of the Tribunal review process, the CSA provided the complainant’s bank statement to the Tribunal and the complainant’s ex-partner.
This was the first time that the complainant became aware that her personal information had been collected by CSA.
Whilst the Commissioner found that the CSA had not breached the complainant’s privacy in collecting the complainant’s personal information and that disclosure of the types of places at which the complainant made purchases was relevant to the decision under review by the Tribunal, it was the Commissioner’s view:-
- that the complainant was not reasonably likely to be aware that the respondent would disclose documents obtained from third parties about which the complainant was not aware; and
- that disclosure of the ‘locational information’ contained in the bank statement was not relevant to the decision under review and therefore, the complainant was unlikely to be aware that information of that kind would be disclosed.[xxvii]
The Commissioner noted that the CSA had redacted the complainant’s address from the bank statement before submitting it to the Tribunal and that the CSA was therefore aware that it was entitled to redact irrelevant information.[xxviii]
Breach of Information Privacy Principle (IPP) 11 – by the respondent’s disclosure to the Tribunal and the complainant’s ex-partner, of the complainant’s ‘personal information’ in documents obtained from a third party of which the complainant had no notice, when the complainant was not reasonably likely to have been aware and had not been made aware by the respondent that such information was the kind that is usually disclosed or required or authorised by law to be disclosed to the Tribunal and her ex-partner.
Damages Award:
$3,000 for non-economic loss
‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22
Date of Decision: 19 June 2020
Heard by: Australian Information and Privacy Commissioner, Angelene Falk
Type of Personal Information Held:
The respondent was a registered psychologist and was the complainant’s psychologist between February and November 2014. The Commissioner considered and found that the respondent was an APP entity (ss 6C and 6FB of the Privacy Act 1988 (Cth)) as he was providing a ‘health service’, which includes a service for psychological health.[xxix]
The complainant’s ‘personal information’ was contained in the respondent’s clinical records for the complainant, which included the complainant’s name and her health information.
Privacy Breach:
The complainant, through her representatives, wrote to the respondent on 30 October 2017 and again on 8 November 2017 requesting a complete copy of the complainant’s clinical records held by the respondent. Two further unsuccessful attempts were made by the complainant’s representatives to contact the respondent by telephone.
With no response from the respondent, the complainant lodged a complaint with the OAIC on 15 February, 2018. The OAIC made a number of attempts to engage with the respondent and to facilitate the complainant’s access to her personal information – but the respondent did not provide access to the complainant.
Breach of Australian Privacy Principle (APP) 12.1 and APP 12.9:-
- Breach of APP 12.1 – by the respondent denying the complainant access to her ‘personal information’; and
- Breach of APP 12.9 – by the respondent failing to provide the complainant a notice setting out why access was refused and the mechanisms available to complain about the refusal.
Damages Award:
$3,000 for non-economic loss
$2,000 for aggravated damages
AND
A declaration that the respondent must send a copy of the complainant’s clinical records to an authorised person nominated by the complainant OR if this is not possible, a statutory declaration to be provided to the complainant setting out a detailed explanation why this is not possible.
In determining the award for damages, the Commissioner noted that the evidence provided by the complainant (including from the complainant’s health and medical professionals and social worker) “[tended] to support a finding that factors other than the privacy breach caused much of the psychological harm claimed by the complainant.” [xxx]
In deciding to award aggravated damages, the Commissioner took into account the respondent’s delay in engaging with the OAIC until late in the investigation, the tone and unsubstantiated comments made by the respondent about the complainant and “the manner of the respondent” which the Commissioner found had been insulting towards the complainant and unjustified.[xxxi]
‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd [2020] AICmr 21
Date of Decision: 12 June 2020
Heard by: Australian Information and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed:
The Commissioner found that the respondent had breached the Privacy Act 1988 (Cth) by the unauthorised disclosure of the following ‘personal information’ of the complainants which included sensitive health information and information about the complainants’ sexual orientation. The ‘personal information’ was disclosed in 2 emails sent to the same incorrect email address of an unknown third party:-
- In respect of both complainants:-
  - The complainants’ names;
  - The clinic at which both of the complainants had previously participated in a medical study and that they were considering participating in a further study;
  - That the complainants were in a same sex relationship with each other;
  - That the complainants were HIV positive.
- In respect of the first complainant:-
  - The complainant’s personal and work email addresses;
  - The complainant’s place of work;
  - That the complainant had an appointment with a particular doctor and the date of that appointment;
  - That the complainant’s HIV positive status had been diagnosed recently.
Privacy Breach:
Both of the complainants were patients of the respondent clinic. They had previously been part of a global study into aspects of HIV transmission facilitated by the respondent and were considering participating in a further medical study. The complainants had previously provided the respondent with their respective correct email addresses – the first complainant provided, in the first instance, his work email address which contained the name of his place of employment.
On 22 December, 2017 two emails were sent by the respondent to the complainants. The first email used the correct work email address provided by the first complainant and an incorrect email address for the second complainant, which belonged to an unknown third party. The second email was sent to the correct personal email address of the first complainant but to the same incorrect email address for the second complainant. The emails were sent only 15 minutes apart, containing the same names of the complainants and the same subject matter. The second email had a consent form for the medical study attached.
That same afternoon, the first complainant notified the respondent, by return/reply email, that the respondent had used the incorrect email address for the second complainant. Over one month later, on 29 January, 2018, and after a follow up email from the first complainant on 25 January, 2018, the respondent emailed a letter to the complainants offering an apology for the ‘inconvenience and disappointment’ and advising that it was investigating the incident.
Breach of Australian Privacy Principle (APP) 6 and 11.1
- Breach of APP 6 – by disclosing the complainants’ personal information without the complainants’ knowledge or consent.
- Breach of APP 11.1 – by failing to take reasonable steps to protect the complainants’ personal information from unauthorised disclosure.
Damages Award:
To the first complainant
- $10,000 for non-economic loss; and
- $3,400 for economic loss (for costs associated with seeking treatment from a psychologist for stress and psychological harm caused to the first complainant by the disclosures.)
To the second complainant
- $3,000 for non-economic loss
In making an award for economic loss to the first complainant the Commissioner placed ‘significant weight’ [xxxii] on the two psychologist reports provided as evidence of the damage caused to the first complainant by the unauthorised disclosures.
Authored by Katarina Klaric and Rochina Iannella
© Stephens Lawyers & Consultants. February 2020 – Updated 28 July 2020; 6 July 2021 and September 2022.
This update is not intended to be a substitute for obtaining legal advice.
[i] ‘ZJ’ and Australian Centre for International Agricultural Research (Privacy) [2021] AICmr 92 at Par 120
[ii] ‘ZJ’ and Australian Centre for International Agricultural Research (Privacy) [2021] AICmr 92 at Par 135
[iii] ‘WZ’ and CEO of Services Australia (Privacy) [2021] AICmr 12 at Par 109
[iv] ‘WZ’ and CEO of Services Australia (Privacy) [2021] AICmr 12 at Par 112
[v] ‘WP’ and Secretary to the Department of Home Affairs (Privacy) [2021] AICmr 2 – Table at Addendum A and at Par. 76
[vi] ‘WP’ and Secretary to the Department of Home Affairs (Privacy) [2021] AICmr 2 at Par. 85
[vii] ‘WL’ and Secretary to the Department of Defence [2020] AICmr 69 at Par 62, 63
[viii] ‘WL’ and Secretary to the Department of Defence [2020] AICmr 69 at Par 98, 99
[ix] ‘WL’ and Secretary to the Department of Defence [2020] AICmr 69 at Par 152
[x] ‘WL’ and Secretary to the Department of Defence [2020] AICmr 69 at Par 153
[xi] ‘WL’ and Secretary to the Department of Defence [2020] AICmr 69 at Par 119
[xii] ‘WL’ and Secretary to the Department of Defence [2020] AICmr 69 at Par 154
[xiii] Ibid.
[xiv] ‘WG’ and AustralianSuper Pty Ltd (Privacy) AICmr 64 at Par 47
[xv] ‘WG’ and AustralianSuper Pty Ltd (Privacy) AICmr 64 at Par 80
[xvi] ‘WC’ and Chief of Defence Force (Privacy) [2020] AICmr 60 at Par 46
[xvii] ‘WC’ and Chief of Defence Force (Privacy) [2020] AICmr 60 at Par 96
[xviii] Flight Centre Travel Group (Privacy) [2020] AICmr 57 at Pars 40 to 43 – Pars 57 & 68
[xix] Flight Centre Travel Group (Privacy) [2020] AICmr 57 at Par 120
[xx] Flight Centre Travel Group (Privacy) [2020] AICmr 57 at Par 14
[xxi] Flight Centre Travel Group (Privacy) [2020] AICmr 57 at Par 121
[xxii] Flight Centre Travel Group (Privacy) [2020] AICmr 57 at Par 122
[xxiii] ‘VJ’, ‘VK’, ‘VL’ and ‘VM’ (Privacy) [2020] AICmr 45 at Par 45 and 46 for discussion of circumstances to be considered in determining if ‘reasonable steps’ have been taken.
[xxiv] ‘VJ’, ‘VK’, ‘VL’ and ‘VM’ (Privacy) [2020] AICmr 45 at Par 66 and 67
[xxv] ‘VI’ and CSIRO (Privacy) [2020] AICmr 44 at Par 61 and 63
[xxvi] ‘VI’ and CSIRO (Privacy) [2020] AICmr 44 at Par 64
[xxvii] ‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30 at Par 54
[xxviii] ‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30 at Pars. 52 – 53
[xxix] ‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 at Pars. 21 & 22
[xxx] ‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 at Par. 95
[xxxi] ‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 at Par. 105
[xxxii] ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd [2020] AICmr 21 at Par. 45