Review of the Privacy Act 1988 (Cth)- Submissions in response to Review published
A review of Australia’s Privacy Act 1988 was announced on 12 December 2019 to better protect and regulate consumer data and personal information within an increasingly global digital economy – while also reviewing individual consumers’ rights to enforce privacy obligations. The Terms of Reference and an Issues Paper for the proposed review of the Privacy Act 1988 were released by the Attorney General in October 2020.[i]
While submissions to the Attorney General’s Issues Paper have now closed[ii], the submissions received by the Attorney General in response to the Review of the Privacy Act 1988 Issues Paper have been published and can be accessed on the Attorney General’s website.[iii]
Submissions are currently being considered and a discussion paper is expected to be released later in 2021, providing a further opportunity for individuals and organisations to provide feedback.
OAIC, Privacy Commissioner Makes Privacy Determination in Relation to Class Members Affected by Privacy Breach
Increasingly privacy breaches or cybersecurity attacks involve the personal data of a large class or group of individuals. The costs of dealing with the breach and associated reputational damage can be significant. Further the affected individuals can make a complaint to the Australian Information and Privacy Commissioner (“Privacy Commissioner”) and seek compensation for non-economic loss and economic loss.
In January 2021, the Privacy Commissioner issued her first determination under the Privacy Act in relation to a class members complaint involving over 9,000 individual refugees whose personal details in relation to their detention was published on the website of the Department of Home Affairs.
The Determination provides insight as to the approach that the Privacy Commissioner may take in determining claims involving a privacy breach involving personal data of a large number of individuals where a representative complaint is lodged.
A summary of the Determination is set out below.
‘WP’ and Secretary to the Department of Home Affairs (Privacy)  AICmr2 (11 January 2021)
Date of Decision: 11 January 2021
Heard by: Australian Information and Privacy Commissioner, Angelene Falk
Type of Personal Information Disclosed:
On 10 February 2014 the respondent published on its website a ‘Detention Report’ which had an Excel spreadsheet embedded within it (the ‘Spreadsheet’) which unknowingly included and disclosed the following personal information of individuals who were in immigration detention at that time:-
The following personal information of each of the “class members” was disclosed in the breach:-
- full name, gender, citizenship, date of birth; and
- period of immigration detention, location, boat arrival details and reasons why the individual had been considered an unlawful non-citizen.
A journalist notified the respondent of the data breach on 19 February, 2014 at 9.15am and the respondent removed the Detention Report from its website by 10.00am on that same day.
The Detention Report together with the Spreadsheet embedded within it, remained available on the respondent’s website for 8 days (approx.).
The Detention Report (with the Spreadsheet) was also found by the respondent to be available on the respondent’s The Internet Archive – and was removed after being available on The Internet Archive for 16 days (approx.).
On 25 March 2014.an individual (who alleged they were in immigration detention in January 2014) (the ‘original representative complainant’) made a complaint to the OAIC about the respondent’s alleged breach of their personal information.. Over a year later, on 30 August 2015, the original representative complainant submitted a representative complaint to the OAIC, seeking certain declarations on behalf of class members – including an apology and damages for non-economic and economic loss.
An attempt by the OAIC to resolve the dispute by conciliation was unsuccessful.
In January 2018 the OAIC gave notice that class members who felt aggrieved by the alleged data breach and wanted an opportunity to seek compensation for their related loss or damage, should now provide to the OAIC their information/evidence about that loss and damage.
After being subsequently advised by their solicitor, on 8 February, 2018, that the original representative complainant had passed away the OAIC decided on 10 October 2018, to replace the original representative complainant with another class member. [iv]
Section 54 of the Privacy Act 1988 provides that “ A determination under section 52 on a representative complaint must describe or otherwise identify those of the class members who are to be affected by the determination.”.
Pursuant to Section 6 of the Privacy Act a ‘class member”, in relation to a ‘representative complaint’ means “any of the persons on whose behalf the complaint was lodged, but does not include a person who has withdrawn under section 38B”.
In this case, the Commissioner determined that the “class members” were the 9,258 individuals whose personal information was published by the respondent – but not including 7 individuals who ‘opted out’ under Sec 38B(2) of the Privacy Act 1988.
The respondent is an ‘agency’ under section 6 of the Privacy Act. The Secretary, being the principal executive of that agency, is the respondent to this complaint (Sec 36(6)(b)
As the breaches occurred before 12 March, 2014 the former Information Privacy Principles applied here.
Breach of Information Privacy Principle (IPP) 11 and IPP 4:-
1. Breach of IPP 11 – by the respondent disclosing on a publicly available website the personal information of class members; and
2. Breach of IPP 4 – by the respondent failing to take reasonable security safeguards:-
- against loss;
- against unauthorised access, use, modification or disclosure; and
- against other misuse.
The Commissioner, noting the Commissioner’s broad discretion as to how damages may be dealt with, chose, pursuant to subsections 52(4) and/or (52(5) of the Privacy Act, to “refer the matter of damages to a form of dispute resolution for the parties to negotiate quantum, with any unresolved claims to be put before [the Commissioner] for [the Commissioner’s] consideration.”[v]
In the Commissioner’s approach in this case on the matter of damages, the Commissioner distinguishes between:-
- a ‘participating class member’’ – being those who made submissions and/or provided evidence of loss or damage to the OAIC[vi]; and
- a ‘non-responsive participating class member’ – being those who having made original submissions but for whom initial negotiations do not result in an agreement on quantum of damages – and who do not subsequently respond to the respondent’s proposed re-assessment of quantum of damages.[vii]; and
- ‘members of the class’ who have not opted out but have failed to provide a submission and/or any evidence to the OAIC within the OAIC’s specified timeframe[viii]. In respect of these individual members, the Commissioner determined that “it would be inappropriate for any further action to be taken”.[ix]
Non-economic loss – To assist with and provide guidance for the negotiations of damages between the parties, the Commissioner provides a Table with non-economic loss categories (0 to 5) and the quantum of damages for each category – ranging from ‘$0’ for Category ‘0’ up to ‘> $20,000’ for Category 5[x].
The Commissioner points out that the categories included in the Table are specific to the circumstances of the representative complaint in this case and are therefore not to be used as a formula for determining compensation for non-economic loss in privacy matters generally.[xi]
Economic loss – The Commissioner determined that:-
- ‘a causal link can be made out’ between the privacy breaches and any economic loss which any participating class members may have incurred as a result of those breaches[xii];
- The amount of any compensation for economic loss payable to any participating class members should be determined on a case-by-case basis.[xiii]
Aggravated damages – Noting that aggravated damages are given to compensate a person where the harm suffered was aggravated by the manner in which the act was done, rather than to punish a wrongdoer or deliver a measure of deterrence, the Commissioner determined that in this case, aggravated damages was not justified.[xiv] Reasons provided for this included:-
- The data breach was inadvertent;
- The respondent acted promptly to deal with the cause of the data breach and took steps to prevent re-occurrence of a similar data breach;
- The respondent apologized to the class members and cooperated with the OAIC throughout the complaint process,[xv]
Authored by Rochina Iannella, Lawyer, Stephens Lawyers & Consultants
© Stephens Lawyers & Consultants. 22 February 2021.
This update is not intended to be a substitute for obtaining legal advice.
For further information contact:
Stephens Lawyers & Consultants
Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007
[ii] Submissions closed on 20 November, 2020
[iv] pursuant to sec 38B(1) of the Privacy Act, 1988
[v] ‘‘WP’ and Secretary to the Department of Home Affairs (Privacy)  AICmr2 at Par 3(2), (3) & (4) and at Par. 75
[vi] ‘WP’ and Secretary to the Department of Home Affairs (Privacy)  AICmr2 at Par 3(2)
[vii] ‘‘WP’ and Secretary to the Department of Home Affairs (Privacy)  AICmr2 at Par 3(6)
[viii] ‘‘WP’ and Secretary to the Department of Home Affairs (Privacy)  AICmr2 at Par 4
[x] ‘‘WP’ and Secretary to the Department of Home Affairs (Privacy)  AICmr2 – Table at Addendum A
[xi] ‘‘WP’ and Secretary to the Department of Home Affairs (Privacy)  AICmr2 at Par. 76
[xii] ‘‘WP’ and Secretary to the Department of Home Affairs (Privacy)  AICmr2 at Par. 81
[xiii] ‘WP’ and Secretary to the Department of Home Affairs (Privacy)  AICmr2 at Par. 83
[xiv] ‘‘WP’ and Secretary to the Department of Home Affairs (Privacy)  AICmr2 at Par. 85
[xv] ‘‘WP’ and Secretary to the Department of Home Affairs (Privacy)  AICmr2 at Par. 86