Stephens Lawyers & Consultants provides a review of the compensation awarded in determinations made during the period October 2022 – July 2024 and published by the Office of the Australian Information Commissioner (OAIC) in relation to privacy breaches.
Although, since 2016, the OAIC has been involved in the determination of many complaints involving privacy breaches, during the period October 2022 to July 2024 there have been only three published determinations by the OAIC where compensation has been awarded. This suggests that the privacy breach complaints are being resolved, without the need to lodge a complaint with the OAIC or, where a complaint has been lodged with the OAIC, it has been resolved by conciliation. The decline in OAIC Determinations for privacy breaches may also be as a result of a number of class actions having been commenced during 2022/2023 against Medicare and Optus alleging breach of contract and the Australian Consumer Law and negligence in respect of cybersecurity and data breaches.
During the period October 2022 to July 2024 the awards for compensation for non-economic loss for privacy breaches ranged from about $1,500.00 to $3,000.00 – whereas for the preceding period of 2016 to September 2022, the awards for compensation ranged from about $1,000 to $20,000.
The OAIC privacy breach Determinations indicate the factors that are taken into account by the Australian Information Commissioner in deciding whether to make any compensation award for a privacy breach and the amount to be awarded. These factors include:-
- The type and sensitivity of the personal information disclosed;
- The number of people to whom the personal information has been disclosed – as well as evidence of the number and type of people who have actually accessed/seen it;
- The complainant’s reaction to the privacy breach – including level and duration of the hurt feelings, distress and anxiety resulting directly from the privacy breach – and the evidence supporting that (such as statutory declarations and, where relevant, medical/psychologist reports);
- Evidence of the actual costs/expenses incurred as a result of the privacy breach and the reasonableness of same;
- Evidence of any financial and other losses incurred as result of the privacy breach; and
- For an aggravated damages claim, the respondent’s conduct/behaviour upon being informed or becoming aware of the privacy breach – including any evidence showing if the respondent’s conduct was high handed, malicious, insulting or oppressive.
Each case is determined on its merits having regard to the documentary evidence submitted to the OAIC which supports the privacy breach and the claim for compensation.
| OAIC DETERMINATIONS
(October 2022 to July 2024) |
PRIVACY PRINCIPLES BREACHED | COMPENSATION RECEIVED |
|
‘ALI’ and ‘ALJ’ (Privacy) [2024] AICmr 131 (20 June 2024) |
Privacy Act 1988 (Cth) s 7B(3) – APP 6.1 |
$3,000 for non-economic loss;
$125.10 for reasonably incurred expenses – including for 4 appointments with her psychologist; |
|
Cherrybrook Medical Centre (Privacy) [2024] AICmr 40 (28 February 2024) |
My Health Records Act 2012 (Cth) s73(1)(a) – Privacy Act 1988 (Cth) s13 |
No compensation award. |
|
Rao Medical Centre (Privacy) [2024] AICmr 40 (23 February 2024) |
My Health Records Act 2012 (Cth) s73(1)(a) – Privacy Act 1988 (Cth) s13 |
No compensation award. |
|
‘AHM’ and JFA (Aust) Pty Ltd t/a Court Data Australia (Privacy) [2024] AICmr 29 (12 February 2024)
|
APP 3.5 – APP 5 – APP 10 |
No compensation award.
|
|
‘AHL’ and TICA Default Tenancy Control Pty Ltd (Privacy) [2024] AICmr 26 (9 February 2024) |
APP 6 – APP 11.2 |
No compensation award. |
|
AGX’ and ‘AGY’ (Privacy) [2024] AICmr 16 (29 January 2024)
|
APP 12.1 – APP 12.8 | No compensation award. |
|
Burwood Westfield Medical Centre (Privacy) 2023 AICmr 108 (9 November 2023)
|
My Health Records Act 2012 (Cth) s 73(1)(a) – Privacy Act 1988 (Cth) s 13
|
No compensation award.
|
|
Cardiac Dynamics [2023] AICmr 96 (24 October 2023)
|
My Health Records Act 2012 (Cth) s73(1)(a) – Privacy Act 1988 (Cth) s13
|
No compensation award.
|
|
Pacific Lutheran College (Privacy) [2023] AICmr 98 (24 October 2023)
|
Privacy Act 1988 (Cth) s26WH and s26WK – APP 11.1 |
No compensation award. |
|
Datateks Pty Ltd (Privacy) [2023] AICmr 97 (24 October 2023)
|
Privacy Act 1988 (Cth) s 26WH and s26WK
|
No compensation award. |
|
‘AEZ’ and Serco Group Pty Limited (Privacy) 2023 AICmr 93 (24 October 2023)
|
APP 10 – APP 13 |
$1,500 for non-economic loss |
|
‘ADO’ and Telstra Corporation Limited (Privacy) [2023] AICmr 47 (14 June 2023)
|
Privacy Act 1988 (Cth) s21C and s21D – APP 10.2 |
$2,000 for non-economic loss;
$154.37 for economic loss |
|
‘ADH’ and Secretary to the Department of Defence (Privacy) [2023] AICmr 24 (6 April 2023)
|
APP 13.5 |
No compensation award. |
|
‘ADG’ and ANZ Bank Limited (Privacy) [2023] AICmr 19 (31 March 2023)
|
APP 12 |
No compensation award. |
A Summary of Selected OAIC Determinations made during the period October 2022 – July 2024
‘ALI’ and ‘ALJ’ (Privacy) [2024] AICmr 131
Date of Decision: 20 June 2024
Heard by: Australian Privacy Commissioner, Carly Kind
Type of Personal Information Disclosed/Involved: Personal information (which included sensitive information) concerning the complainant’s medical episode and her subsequent health status.
The complainant was an employee of the respondent, which employed approximately 3,000 staff. The complainant’s medical episode happened in the respondent’s carpark during the morning of 8 April 2021, resulting in the complainant’s husband being called and an ambulance taking the complainant to hospital. The medical episode related to a medical condition which the complainant had not previously disclosed to the respondent. A staff member then contacted the complainant’s husband and requested that he send the respondent’s manager an update on the complainant’s status – which he did, by text that same afternoon. The manager informed the respondent’s Managing Director accordingly on 8 April 2021 and the respondent’s Managing Director sent an email (Email) to the approximately 110 staff working at its head office (many of whom did not know the complainant or were not aware of the medical episode before receiving the email), about the complainant which identified the complainant by name and referred to the complainant’s medical episode and her subsequent health status. On 28 April, 2021 the complainant made a complaint to the respondent’s Privacy Officer about the Email and, being dissatisfied with the response she received, formally resigned the following day. The respondent subsequently declined to participate in an OAIC conciliation conference with the complainant.[i]
Privacy Breach:
Breach of APP 6.1: By the respondent’s Managing Director sending the Email to its head office staff which identified the complainant by name and used the complainant’s personal information.
The Commissioner was not satisfied that the act of sending the Email was directly related to the respondent’s employment relationship with the complainant and accordingly, rejected the respondent’s argument that it “was an exempt act because it falls within the employee records exemption under Section 7B(3) of the Privacy Act” 1988 (Cth)[ii].
Damages Award: The Commissioner was not satisfied that the economic loss suffered by the complainant was caused by the respondent’s act of sending the Email.
$3,000 for non-economic loss – due to the Commissioner’s acceptance that “the privacy breach directly contributed to the complainant’s hurt feelings, distress and anxiety”[iii]; and
$125.10 for reasonably incurred expenses – including for 4 appointments with her psychologist.
‘AHM’ and JFA (Aust) Pty Ltd t/a Court Data Australia (Privacy) [2024] AICmr 29
Date of Decision: 12 February, 2024
Heard by: Australian Information Commissioner and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed/Involved: The respondent operated the Court Data Australia Database (the ‘Database’) on which they held and published information, including personal information, contained in all types of civil or criminal court lists published by each Australian court. The complainant’s complaint to the OAIC arose from the respondent’s collection of their personal information from daily court listings published on the Western Australia eCourts Portal (the ‘Portal’). The information that the respondent collected about the complainant included the complainant’s full name together with:-
- the state of the court in which a matter was listed;
- the date the matter was scheduled to be heard by the relevant court;
- the listing type;
- the court type;
- the court room;
- the court location;
- the case title, which included the complainant’s name; and
- additional information, which was the offence with which the complainant was charged.[iv]
The complainant had asked the respondent how they could remove the complainant’s personal information from the Database, being records of 52 listings in relation to six criminal charges against the complainant, because the charges were dismissed – but the respondent had declined to remove the complainant’s information.
Privacy Breach:
Breach of APP 3.5 – by the respondent collecting the complainant’s personal information in a way that was not fair, including:-
- by collecting the complainant’s personal information in a way that breached the Portal’s published Conditions of Use;
- in circumstances where the complainant was not aware that the respondent was collecting their personal information and the complainant could not reasonably have expected the respondent to collect their personal information.[v]
Breach of APP 5 – by the respondent failing to take steps that were reasonable in the circumstances to make accurate and complete information available on its website about all of the matters set out in APP 5.2 (which lists requirements for notification of an individual about collection and use of an individual’s information) at the time that the complainant had reviewed the respondent’s website – so as to ensure the complainant was aware of the APP 5 matters.
APP 5.1 requires an APP entity to notify the individual of the matters outlined in subclause APP 5.2:
“a. at the time that the APP entity collects the personal information; or
b. before the time that the APP entity collects personal information; or
c. if it is not practical to notify at or before the time of collection, as soon as practicable after collection”.[vi]
Breach of APP 10.2 – by the respondent failing to take reasonable steps to ensure the personal information it disclosed about the complainant was accurate, up-to-date and relevant, having regard to the purpose for which that information was disclosed – “including by failing to clearly articulate on its website the limits of the personal information it holds and discloses, and by inviting users of the Database to draw adverse inferences based on the personal information it discloses”.[vii]
In this case, at the time the complainant’s personal information was disclosed by the respondent, it was not accurate, up-to-date, complete and relevant because the information about the complainant did not reflect that the criminal charges brought against them had been dismissed or that the complainant had not attended court on each of the 52 occasions identified in the daily list entries.
Damages Award: Compensation not considered or awarded.
The Commissioner made declarations including that, within specified periods of time, the respondent was to cease collecting, using or disclosing any personal information contrary to APPs 3.5, 5 and 10.2; that personal information collected in breach of the Portal’s conditions of use and without the complainant’s knowledge be destroyed and the respondent to report to the OAIC on the steps it has taken to ensure that the relevant personal information has been destroyed.
The Commissioner also considered if the respondent’s refusal to remove the complainant’s personal information from the Database, in accordance with the complainant’s request, was a breach of APP 13. The Commissioner found that the respondent had not breached APP 13 as the complainant’s request was not made “in a manner that constitutes a correction request for the purposes of APP 13”.[viii]
‘AGX’ and ‘AGY’ (Privacy) [2024] AICmr 16
Date of Decision: 29 January, 2024
Heard by: Australian Information Commissioner and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed/Involved: Personal information – being the complainant’s ‘full medical file’ which was held by the respondent, a medical practice comprising a sole practitioner (specialising in obstetrics and reproductive medicine) and the receptionist.
The complainant’s GP had referred the complainant to the respondent. After attending the first appointment with the respondent, the complainant asked the respondent (on 16 February, 2021) for a copy of their ‘full medical file’. The respondent’s receptionist replied to this request by advising that apart from the medical imaging reports supplied by the complainant’s GP and the respondent’s letter to the complainant’s GP (already provided to the complainant by the complainant’s GP), there were no other documents to be provided. Not satisfied with this response, the complainant made a second request on 5 March 2021 for “full copies of all records, medical or other, in relation to me”[ix]. The complainant waited for 5 months for a response to the second request and, when no response came the complainant lodged a complaint with the OAIC on 10 August 2021. On 10 June 2022, in response to the OAIC’s enquiry, the respondent sent the complainant an invoice for $440 (for time spent addressing the OAIC complaint and reviewing the Privacy Act) and advising that upon payment, a copy of the GP referral letter and of the complainant’s signed consent form would be provided.
Privacy Breach:
Breach of APP 12.1 – by the respondent refusing to provide the complainant with access to the complainant’s personal information requested on 16 February and 5 March 2021 – with the exceptions under APP12.3 (eg. for a frivolous or vexatious access request) considered and rejected. In particular, the Commissioner noted that “While I acknowledge that the complainant may have already obtained copies of some of their personal information from other sources, this did not discharge the respondent of its obligations under APP 12.1 to provide the complainant with access to the personal information it held about them.”[x]
Breach of APP12.8 – by the respondent seeking to impose an excessive charge on the complainant for giving access to personal information and, in this case, “inappropriately” seeking to charge the complainant for the respondent’s time and resources to address the complainant’s complaint to the OAIC.[xi] The respondent offered an apology to the OAIC.
Damages Award: Compensation considered – but under the circumstances, not awarded.
A request for compensation (for distress by falsely accusing them of being frivolous and vexatious) was not included in the complainant’s original complaint to the OAIC – rather it was made after release of the OAIC’s preliminary view and without quantifying compensation sought.
‘AEZ’ and Serco Group Pty Limited (Privacy) 2023 AICmr 93
Date of Decision: 24 October, 2023
Heard by: Australian Information Commissioner and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed/Involved: The respondent ran immigration detention facilities. The complainant’s concerns arose in respect of a Security Risk Assessment report (the ‘SRA Report’’ generated by the respondent, which contained the personal information of the complainant in the form of a list and description of incidents involving the complainant as reported by the respondent’s staff. The personal information included a broad range of information and detail about the complainant including their name and date of birth, criminal history, behavioural risk indicators, security risk assessment as well as information and history about incidents which described the complainant’s health, injuries and treatment.
A copy of the SRA Report had been provided to the complainant and to the Australian Human Rights Commission (ARHC) during the processing of a complaint they had lodged with the ARHC. The complainant complained to the respondent through the respondent’s complaint management system, about the accuracy of the SRA Report (asserting it contained ‘total fabrication and lies’) but in a written reply to the complainant, the respondent declined to deal with their complaint while the ARHC proceedings were on foot – and further denied that the information about the complainant contained in the SRA Report was incorrect (as asserted by the complainant). That same day the complainant lodged their complaint with the OAIC.
The complainant’s complaint to the OAIC asserted that the respondent’s acts and practices had breached the complainant’s privacy:-
- by collecting, using and disclosing inaccurate, incomplete and false information in the SRA report; and
- by failing to correct their personal information contained in the SRA report at the complainant’s request.
Privacy Breach: The Commissioner described the type of personal information collected to be “at the higher end of the scale in terms of sensitivity”.[xii] However, the Commissioner also took into account “the complexities of detention centre environments, including challenges with respect to managing detainees, including their security, care and well-being, and that of ensuring the safety of those involved in their management.”[xiii]
Breach of APP 10.1 – by the respondent failing to take reasonable steps to ensure the personal information it collected about the complainant was accurate, up-to-date and complete.
Breach of APP 13.3 – by the respondent failing to provide the complainant with a written notice including the mechanisms available for the complainant to complain about the respondent’s refusal to correct their personal information.
Damages Award: Compensation in the amount of $1,500.00 for non-economic loss – with the Commissioner finding that:-
- there was no evidence that the respondent had disclosed the SRA report to anyone beyond the AHRC, the Department (of Immigration and Home Affairs) and the OAIC – nor any evidence that the SRA Report had been used in the assessment of the complainant’s visa application[xiv]; and that
- based on the evidence before her “the harm arising out of the privacy breach was …a low degree of emotional injury”.[xv]
The Commissioner also made a number of observations on the submitted evidence about the complainant’s assertions of emotional damage and exacerbation of depression caused by the privacy breach, including:-
- the asserted emotional damage “has been evidenced only by statements they made in an email, and it has not been provided in the form of a statutory declaration.”[xvi]
- the complainant’s assertions lacked “the specificity necessary to reach a finding that the harm arising out of the privacy breach was anything other than a low degree of emotional injury.”[xvii]
- The complainant failed to provide “independent evidence by a medical expert who has examined the complainant and is qualified to give diagnosis of depression, or exacerbation of depression.”[xviii]
‘ADO’ and Telstra Corporation Limited (Privacy) [2023] AICmr 47
Date of Decision: 14 June, 2023
Heard by: Deputy Commissioner, Office of the Australian Information Commissioner and Privacy Commissioner, Elizabeth Hampton
Type of Personal Information Disclosed/Involved: The complainant’s complaint concerned the respondent’s use and disclosure to a Credit Reporting Body (CRB), of the complainant’s personal and credit information.
During 2006, the complainant used the respondent’s services to activate pre-paid mobile services (BAN 2) for the partner of a relative (Third Party). In 2015 the complainant requested the respondent, by phone, that the third party be added as an ‘authorised representative’ on the complainant’s account for the purposes of allowing the third party to change particulars of BAN 2. The facts giving rise to the complaint arose when, in September 2018, the partner of a relative (Third Party) without the complainant’s knowledge, attended a retail store of the respondent and contracted a post-paid mobile service under the complainant’s account (BAN 3) – for which the respondent had performed a credit check on the complainant by making a credit enquiry with the CRB. The Third Party also changed the complainant’s address on the account to another (incorrect) address. The respondent did not refer back to or check with the complainant prior to performing the credit check/enquiry with the CRB. An invoice for BAN 3 became overdue in January 2019 but the respondent’s overdue notices (including notice advising that the complainant’s details would be given to a credit reporting agency) did not reach the complainant as they were sent to the incorrect address on the account.
As a result, the complainant only became aware of the situation when they prepared their credit file to obtain finance for purchasing a property. On 20 August 2020 the complainant complained to the respondent and asked that the credit enquiry be removed from the complainant’s credit file and for the complainant’s address to be corrected. Being dissatisfied with the respondent’s response, the complainant made a complaint to the OAIC on 30 September, 2020. An OAIC conciliation conference between the parties in June 2021 failed to resolve the matter.
Privacy Breach:
Breach of APP 10.2: by the respondent failing to take reasonable steps to ensure that the personal information that the respondent used or disclosed was, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant;
Breach of s21C of the Privacy Act 1988 (Cth): by respondent’s failure to notify or otherwise ensure that the complainant was aware of the matters outlined in s21C;
Breach of s21D of the Privacy Act 1988 (Cth): by respondent’s failure to send a notice of disclosure as required by s21D(3)(d) to the complainant’s last known address.
In particular, Deputy Commissioner Hampton found that:-
- the credit enquiry was made on the basis of information that was out-of-date, inaccurate and incomplete; and that
- the credit enquiry and corresponding disclosure of the address to the Credit Reporting Body was unwarranted.[xix]
Damages Award:
Non-economic loss: An amount of $2,000.00 for non-economic loss “in the form of hurt feelings, stress, and feelings of anxiety”[xx]
Economic loss: An amount of $154.37 for economic loss, to reimburse the complainant for the remaining half of a debt charged to the complainant’s account “as a result of a third party defaulting on the overdue payment of BAN 3”[xxi] – in order to restore the complainant “to the same position they would have been in if they had not sustained the wrong” resulting from the respondent’s breach of APP 10.2. The first half of that debt having previously been reimbursed by the respondent.
The complainant also sought $600 for reimbursement for their “time spent in correspondence and preparation” and pursuing their complaint and provided an itemised list to support this claim. However, the Deputy Commissioner was “not satisfied that the items outlined by the complainant evidence any actual expenditure that ought to be reimbursed”.[xxii]
‘ADH’ and Secretary to Department of Defence (Privacy) [2023] AICmr 24
Date of Decision: 6 April, 2023
Heard by: Australian Information Commissioner and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed/Involved: The complainant, a qualified pilot who had previously served as a pilot with the respondent, complained about the creation, use and disclosure of a medical referral and record of conversation containing the complainant’s sensitive information about the complainant’s mental health.
The complainant had been suspended in October 2017 by the Commanding Officer for an alleged ‘workplace incident’ (Allegations) after the complainant made a bullying complaint against their former Commanding Officer. The complainant obtained a medical certificate for stress leave from a Defence medical practitioner and advised the Commanding Officer they would be taking stress leave while the internal process to consider the Allegations was taking place. The Commanding Officer created a record of this conversation in a File Note (‘File Note’) and three weeks later “directed that a referral for a psychological assessment for the complainant be created by the Unit Personnel Capability Officer based on this conversation” (Draft Referral).
The Draft Referral contained detailed information about the complainant including employee ID, full name, rank / title, gender, contact details, reason for referral and brief relevant history.
By January 2018, a new commanding officer had been appointed to the unit, and the complainant had been reinstated to full duties. It was at this time that the complainant first became aware of the existence and content of the Draft Referral and File Note. The complainant made a complaint to the OAIC after multiple complaints to the respondent (March 2018, April 2019 and October 2019) in which the complainant had sought (unsuccessfully) to have the File Note and the Draft Referral destroyed or deleted – or the information about their mental health otherwise de-identified/corrected. The parties failed to settle their differences in an OAIC conciliation conference in May 2020. Prior to the OAIC making this determination, the OAIC was notified that the respondent had, in July 2020, “adequately dealt with the complainant’s correction request”[xxiii]
The Commissioner found that the File Note was “accurate, up-to-date, and complete”[xxiv] and that the Draft Referral “was never used for a referral” and was appropriately and securely stored[xxv].
Privacy Breach:
Breach of APP 13.5: by the respondent failing to respond to the complainant’s correction request within 30 days after the request was made.
The Commissioner also considered but found there had been no breach of APP 3, APP 5, APP 6 and APP 10.
Damages Award: No compensation awarded.
The complainant made no claim for economic loss.
On the complainant’s claim for $25,000 for non-economic loss, the Commissioner found that “in the absence of direct evidence from the complainant, I am not satisfied that there has been non-economic harm caused by the APP 13 breach to the complainant”.[xxvi]
On the complainant’s claim for aggravated damages the Commissioner noted that aggravated damages were not warranted in these circumstances as she had found no breaches of the Privacy Act other than breach of APP 13 – and that, in any event, she was not satisfied “on what is before me that the respondent’s conduct would constitute behaviour that is high-handed, malicious, insulting or oppressive”.[xxvii]
The Commissioner made a declaration that, within 60 days of the respondent’s receipt of the OAIC’s determination, “the respondent must review and make any updates to its policies and procedures to ensure that relevant members are notified of or are aware of the timeframes for responding to a correction request”.[xxviii]
Disclaimer: This legal update is not intended to be a substitute for obtaining legal advice.
© Stephens Lawyers & Consultants – 3 September 2024 – Authored by Rochina Iannella, Consultant, Stephens Lawyers & Consultants. The contribution of Katarina Klaric, Principal, in editing this article is acknowledged.
For further information contact:
Katarina Klaric
Principal
Stephens Lawyers & Consultants
Melbourne Head Office
Suite 205, 546 Collins Street, Melbourne VIC 3000
Phone: (03) 8636 9100
Sydney Office
Level 29, Chifley Tower, 2 Chifley Square, Sydney, N.S.W. 2000
Phone: (02) 9238 8028
Email: [email protected]
Website: www.stephens.com.au
All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007
To register for newsletter updates and to send your comments and feedback, please email [email protected]
[i] ALI’ and ‘ALJ’ (Privacy) [2024] AICmr 131 at [19]
[ii] Ibid. at [42] [43]
[iii] Ibid. at [84] [85]
[iv] Ibid. at [40]
[v] ‘AHM’ and JFA (Aust) Pty Ltd t/a Court Data Australia (Privacy) [2024] AICmr 29 at [86]
[vi] Ibid. at [88] to [90]
[vii] Ibid. at [141] [149]
[viii] Ibid. at [144] to [146]
[ix] ‘AGX’ and ‘AGY’ (Privacy) [2024] AICmr 16 at [8]
[x] Ibid. at [42]
[xi] Ibid. at [56] [57]
[xii] ‘AEZ’ and Serco Group Pty Limited (Privacy) 2023 AICmr 93 at [40]
[xiii] Ibid. at [44]
[xiv] Ibid. at [143] [146]
[xv] Ibid. at [148]
[xvi] Ibid.
[xvii] Ibid.
[xviii] Ibid. at [147]
[xix] ‘ADO’ and Telstra Corporation Limited (Privacy) [2023] AICmr 47 at [120]
[xx] Ibid. at [127]
[xxi] Ibid. at [136]
[xxii] Ibid. at [141] [142] and [144]
[xxiii] ‘ADH’ and Secretary to Department of Defence (Privacy) [2023] AICmr 24 at [3]
[xxiv] Ibid. at [62]
[xxv] Ibid. at [71]
[xxvi] Ibid. at [194]
[xxvii] Ibid. at [201]
[xxviii] Ibid. at [170]