Two recent decisions by the Privacy Commissioner dealt with claims for non-economic loss and other damages for breaches of the Australian Privacy Principles, the first for sending personal information to a wrong email address and the second for failing to provide access to a person’s information.

Incorrect email address

In ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd [2020] AICmr 21 the Privacy Commissioner found Northside Clinic (Vic) Pty Ltd, interfered with the complainants’ privacy as defined in the Privacy Act 1988 (Cth) (Privacy Act) by:

• disclosing the complainants’ personal information in breach of Australian Privacy Principle 6;
• failing to take reasonable steps to protect the complainants’ personal information from unauthorised disclosure in breach of Australian Privacy Principle 11.1.

The respondent was ordered to pay the amount of $13,400 to the first complainant and $3,000 to the second complainant. The amounts were apportioned as follows:

First complainant
For non-economic loss associated with the privacy breach, the amount of $10,000
For economic loss associated with seeking treatment to assist the first complainant to deal with the privacy breach, the amount of $3,400.

Second complainant
For non-economic loss associated with the privacy breach, the amount of $3,000.

The complaints related to the respondent’s disclosure of their personal information to an unknown recipient, at an incorrect Gmail email address, on two occasions.

Facts
The first complainant was a patient of the respondent’s clinic who was diagnosed as HIV positive. He and his husband (second complainant) had previously been part of a global study into particular aspects of HIV transmission facilitated by the respondent and were considering participating in a further medical study.

The complainants had previously provided their email addresses to the respondent. The first complainant provided his work email address, which included a reference to his place of employment, and the second complainant provided a personal email address which was comprised of his first and last name, as well as his middle initial.

The respondent’s first email was sent to the first complainant’s work email address, and to an email address containing the second complainant’s first and last name but omitting his middle initial (incorrect email address).

The first complainant sent a reply email to the respondent, requesting that future communications for him be sent to an alternate email address, being his personal email address.

The respondent then sent an email to the first complainant’s personal email address and copied the incorrect email address for the second complainant.

The first complainant claimed that the respondent interfered with his privacy by disclosing his and the second complainant’s personal and sensitive information without their consent by sending the emails to an incorrect email address, belonging to an unknown third party.

The Privacy Commissioner concluded that the disclosures were done without consent and in circumstances where the complainants had understood that their personal information would not be shared with anyone and would be stored securely.

The respondent failed to acknowledge the error or provide any assurance to the first complainant, following the disclosure, that his information was secure, or advise the first complainant of the steps it was taking to rectify the breach, until almost a month later.

Failure to provide access

In ‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 the respondent interfered with the complainant’s privacy as defined in the Privacy Act 1988 (Cth) by breaching the Australian Privacy Principles (APPs) as follows:

• Failing to provide the complainant with access to her personal information in breach of APP 12.1.
• Failing to give the complainant a written notice setting out the reasons for refusing access to her personal information in breach of APP 12.9.

The Privacy Commissioner ordered the respondent to pay the complainant $5,000 for loss caused by the interference with the complainant’s privacy:
$3,000 for non-economic loss and $2,000 for aggravated damages.

Facts
The complainant’s complaint related to a request for access to her personal information held by the respondent and the respondent’s refusal to provide access.

The respondent was a psychologist who provided psychological services to the complainant.

The complainant claimed to have suffered psychological injury and distress as a result of the respondent’s treatment of her. She claimed that the respondent’s ‘withholding [of her] personal information and lying about its whereabouts’ affected her mental health.

The Privacy Commissioner concluded the privacy breach has been a contributing factor to some of the claimed harm.

In awarding aggravated damages the Privacy Commissioner said:

“Overall, I am satisfied that the manner of the respondent in this case has been insulting towards the complainant and unjustified, demonstrating a disregard for the complainant’s privacy rights. In arriving at this view, I take into account the respondent’s failure to engage with the OAIC until a very late stage in the investigation, contributing to delay in resolving the matter. I also take into account the tone and unsubstantiated content of the comments … I find that the manner of the respondent’s conduct has exacerbated the injury of the complainant by harming her proper feelings of dignity.”

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.

Author: David Jacobson
Principal, Bright Corporate Law
Email:
About David Jacobson
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.