In ‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51 the Privacy Commissioner decided that United Super Pty Ltd as Trustee for Cbus (Cbus) interfered with the privacy as defined in the Privacy Act 1988 (Cth) of a group of its members by disclosing their personal information to an external organisation for a secondary purpose without their consent to that disclosure.
He ordered that by 22 June 2018, Cbus must issue an apology to class members acknowledging its interference with their privacy, and confirm with, and update the Office of the Australian Information Commissioner (OAIC) on, the proposed remedial measures undertaken post- breach. But he did not award damages to the complainants.
The complaint was limited to three emails sent by Cbus to Civil, Mining and Construction Pty Ltd (CMC) on 30 July 2013 in response to CMC’s query about the status of two subcontractors’ super contributions to their workers. It included details of members who were not working on the CMC road construction project as well as personal information of members who were on the project.
The emails included the following personal information: full name, date of birth, superannuation member number, most recent employer superannuation contributions and duration of employment.
No complaint under the Privacy Act was made in relation to any disclosure by Cbus to the CFMEU which was the subject of examination by the Royal Commission into Trade Union Governance and Corruption.
Because the matter related to a complaint made prior to the 2014 reforms to the Privacy Act, the complaint was dealt with under the National Privacy Principles which applied at the time the complaint was made.
Cbus did not dispute it made the disclosures on 30 July 2013. There was also no dispute that the information disclosed by Cbus to CMC was personal information within the meaning of section 6 of the Privacy Act and included the personal information of members.
The Privacy Commissioner concluded that:
“I accept that members might have reasonably expected Cbus to disclose aggregated information to sponsoring organisations to allow them to take action in accordance with an applicable award, industrial agreement or enterprise bargain agreement (if any). The disclosures the subject of this representative complaint occurred in quite different circumstances and included personal information.
Cbus has conceded that it was not necessary for Cbus to disclose whether members had made voluntary contributions towards their superannuation account. It however has offered no specific explanation as to why it considered it necessary to provide names and dates of birth to CMC to allow for identification of relevant employees by CMC. I am not satisfied that the class members would have reasonably expected Cbus to disclose their personal information to CMC. Accordingly, I conclude that the exception at NPP 2.1(a) could not have been relied on by Cbus to make the disclosures to CMC. No other exceptions to the prohibition on disclosure are relevant in the circumstances. I therefore find Cbus has breached NPP 2…..
I consider that as at 30 July 213 Cbus had adequate measures in place to satisfy the requirement in NPP 4 for the organisation to take reasonable steps to protect an individual’s personal information from misuse and loss and from unauthorised access, modification or disclosure.
The conduct of the Cbus employee who was otherwise authorised to deal with the personal information made the disclosures to CMC through, it seems, a lapse of judgement or misjudgement. Notwithstanding this, the employee made the disclosures for a purpose within the scope of their work functions. Pursuant to s 8 of the Privacy Act, an act done or a practice engaged in by of a person employed in the service of, relevantly here, an organisation, shall be treated as having been done or engaged in by the organisation.
Nonetheless, although I have found the disclosures unauthorised and in breach of NPP 2, NPP 4 imposes an obligation only to adopt safeguards as are reasonable in the circumstances. I am satisfied that Cbus has met this obligation under NPP 4. Accordingly, I find there is no breach of NPP 4.”
With respect to his decision not to award damages to the complainants the Privacy Commissioner said
“From the statements provided, I am left unsatisfied that the disclosures have caused actual loss or damage in respect of these class members, though I accept there was a genuine concern amongst these Cbus class members that they had not been made aware of the breach when it occurred. As loss or damage may include ‘hurt feelings’, the concern which I accept class members had when they were made aware of the breach, arguably enlivens my capacity to provide some remedy. Notwithstanding this, in the circumstances of this matter, I think the most appropriate form of redress is to provide an apology. A public apology that explains the circumstances of the breach and what systems Cbus now has in place to minimise the risk of such a breach recurring, should go some way to alleviating the concerns expressed by class members who provided statements. In view of this, I decline to make an award for damages for the class members who have provided statements or any other class members.”