The Information Commissioner's latest privacy breach determinations
Jul 2021 | Cyber Risk
The Privacy Act 1988 (Cth) (Privacy Act) entitles individuals to make a privacy complaint to an entity if they consider that entity has breached the Australian Privacy Principles. There are similar provisions in other pieces of legislation such as the Crimes Act 1914 (Cth) (Crimes Act). Those complaints generally relate to a failure to protect, or a misuse of, an individual’s private information. If a privacy complaint is unable to be resolved between the parties at a conciliation, the Information Commissioner can make a binding determination, resolving the matter.
The cases below arise from a diverse range of circumstances across several industries in which a privacy complaint may be made, and provide some insight into how those complaints are considered by the Commissioner.
‘WT’ and Wurli-Wurlinjang Health Service (Privacy) AICmr 8 (5 March 2021)
The complainant’s grievance relates to the alleged disclosure of her health information by the respondent to her former partner. The complainant emailed the respondent enquiring about a medical procedure. That same day, a staff member of the respondent forwarded the complainant’s email to her former partner requesting that he confirm the complainant’s eligibility to receive services from the respondent.
The Commissioner found that the respondent had not breached the Privacy Act and dismissed the complaint on the basis that:
- in accordance with expert IT evidence obtained, she was not satisfied the relevant email was sent by the respondent; and
- the respondent had taken reasonable steps to protect the complainant’s personal information from unauthorised disclosure. Those steps included restricting access to information on its system and having mechanisms in place to detect unauthorised handling of the information.
‘WR’ and Telstra Corporation Limited (Privacy) AICmr 5 (11 February 2021)
The complainant was aggrieved by a default listing in relation to a postpaid Telstra mobile telephone account that was fraudulently opened in her name by a third party. In opening the account, the third party provided to the respondent the complainant’s driver's licence, with a photo of someone other than the complainant superimposed on it, and a credit card in the complainant’s name. A further order was placed on that account, at which time the respondent noticed discrepancies in the complainant’s details and contacted her. The complainant informed the respondent she had not opened the account. The fraudulently opened account went into default, and the respondent disclosed the default information to credit reporting bodies.
The Commissioner found that the respondent had not breached the Privacy Act and dismissed the complaint on the basis that the respondent acted in accordance with the requirements of Part IIIA of The Privacy (Credit Reporting) Code 2014 by disclosing the default information to the credit reporting bodies.
‘WP’ and Secretary to the Department of Home Affairs (Privacy) AICmr 2 (11 January 2021)
The respondent published on its website a Microsoft Word document dated 31 January 2014 entitled ‘The Immigration Detention and Community Statistics Summary’. Unbeknownst to the respondent, the embedded spreadsheet included the personal information of 9,258 individuals who were in immigration detention at that time including full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details and reasons why the individual had been considered an unlawful non-citizen.
The Commissioner found that the respondent interfered with the privacy, as defined in s 13(a) of the Privacy Act, of the class members by:
- disclosing the personal information of class members on a publicly available website, in breach of Information Privacy Principle (IPP) 11, and
- failing to take such security safeguards as it is reasonable in the circumstances to take against loss, against unauthorised access, use, modification or disclosure, and against other misuse, in breach of IPP 4.
The quantum of non-economic loss awarded ranged between $0 and $20,000, depending on the severity of loss suffered by the particular individual. The Commissioner’s decision did not elaborate on the quantum of economic loss to be awarded, stating that this was to be determined on a case-by-case basis. The Commissioner refused to award aggravated damages.
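The Home Affairs breach turned on an embedded spreadsheet that nobody noticed inside a Word file before it was published. The following pre-publication check is an added example, not the Department's process or any tool named on this page: it opens a .docx package (which is a zip archive) and reports embedded object parts, found both by their path under `word/embeddings/` and by the package or OLE relationship type in the document's relationships part. The sample archive is constructed inline so the check runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship types that Word uses for embedded workbooks and OLE objects
EMBED_REL_TYPES = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/package",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject",
)
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def build_sample_docx(with_embedding: bool) -> bytes:
    """Constructed stand-in for a .docx: a zip holding only the parts the check reads."""
    rels = ['<Relationships xmlns="%s">' % RELS_NS[1:-1]]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_embedding:
            # The embedded workbook part; its bytes do not matter for the check
            zf.writestr("word/embeddings/Microsoft_Excel_Worksheet1.xlsx", b"constructed")
            rels.append('<Relationship Id="rId9" Type="%s" '
                        'Target="embeddings/Microsoft_Excel_Worksheet1.xlsx"/>'
                        % EMBED_REL_TYPES[0])
        rels.append("</Relationships>")
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


def find_embedded_parts(docx_bytes: bytes) -> list[str]:
    """Return every embedded object part, located by path and by relationship type."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = zf.namelist()
        found.update(n for n in names if n.startswith("word/embeddings/"))
        if "word/_rels/document.xml.rels" in names:
            root = ET.fromstring(zf.read("word/_rels/document.xml.rels"))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("Type") in EMBED_REL_TYPES:
                    found.add("word/" + rel.get("Target"))
    return sorted(found)


def publication_safe(docx_bytes: bytes) -> bool:
    """True only when the package carries no embedded objects to review."""
    return not find_embedded_parts(docx_bytes)
```

A document that fails this check is not necessarily a breach, but it should not go on a public website until someone has opened each reported part and confirmed what it contains.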
'WL' and Secretary to the Department of Defence AICmr 69 (22 December 2020)
This is a complaint made under s 36(1) of the Privacy Act about the disclosure of the complainant’s personal information by the Secretary to the Department of Defence. The complainant is aggrieved by the respondent’s collection, use and disclosure of his personal information for the purposes of an investigation into the sale of ADF items at a time when he had separated from the ADF. This resulted in the matter being referred to police as a potential theft/obtain property by deception under the Crimes Act; however, no charges were laid and the investigation did not progress.
The Commissioner found that the respondent breached APP 3.1 by collecting the complainant’s personal information under the category: ‘any additional information [the Website] is willing to provide’. The Commissioner was not satisfied that the particular collection was reasonably necessary for or directly related to one or more of the respondent’s functions.
The Commissioner accepted that the complainant had suffered 'hurt feelings', but did not consider damages to be appropriate. The Commissioner ordered the respondent to apologise to the complainant within 14 days.
‘XH’ and ‘XI’ (Privacy) AICmr 23 (18 June 2021)
The respondent had provided the complainant with training for a pilot exam. As part of unrelated litigation between the parties in the Federal Court, the respondent disclosed that the complainant had been charged with an offence under the Privacy and Personal Information Protection Act 1988 (NSW) and had been suspended from their employment with the NSW Police Force as a result. The complainant had subsequently been convicted, with that conviction quashed around a year later.
The Commissioner found that the respondent had breached the Crimes Act by disclosing the complainant’s quashed conviction without their consent.
The complainant sought $7,500 in non-economic loss, but was awarded $2,500 for the distress suffered as a result of the breach, with no award for aggravated damages.
‘WZ’ and Chief Executive Officer of Services Australia (Privacy) AICmr 12 (13 April 2021)
The respondent, Services Australia, had provided the complainant’s new home address to her former partner without her consent. The complainant had previously notified the respondent that she had separated from her former partner, and that the complainant was fearful of the possibility of domestic violence.
The Commissioner found that the respondent had breached the Privacy Act by disclosing the complainant’s address without her consent.
In addition to ordering the respondent to audit and update its systems, the Commissioner awarded a total of $19,980, made up of:
- $10,000 for non-economic loss;
- $8,000 for legal expenses; and
- $1,980 for expenses in obtaining a medical report,
with no award for aggravated damages.
‘XA’ and CEO of Services Australia (Privacy) AICmr 13 (13 April 2021)
The respondent, Services Australia, had provided the complainant’s home address to an external debt collection agency without his consent, at a time when the debt had already been overturned. The respondent also failed to notify the debt collection agency of the correction regarding the status of the debt.
The Commissioner found that the respondent had breached the Privacy Act by disclosing the complainant’s address without his consent.
The complainant sought damages for the anxiety he suffered because of the erroneous outstanding debt of over $8,000. The Commissioner considered that he had suffered ‘annoyance’ rather than clinical anxiety, and awarded him $1,000 in compensation.
These determinations demonstrate that the Commissioner’s findings turn on the particular facts of each case. However, it is clear that the best way for entities to protect themselves against an adverse determination is to ensure they take reasonable steps to protect all personal information stored in their systems. Those steps include ensuring employees can only access information necessary to perform their roles, implementing mechanisms to track who has accessed information, and providing training to employees on their obligations under the Privacy Act and the Australian Privacy Principles.