How much for using the wrong email address?
A recent determination from the OAIC (Office of the Australian Information Commissioner) sheds a little light on the OAIC’s application of APPs 6 and 11 and the damages recoverable for an email sent to an incorrect email address. But how helpful is it really?
- An email sent to a valid email address, even without evidence of access, will be a disclosure;
- Keep receipts for costs incurred, including medical treatment, to support claims for economic loss;
- Expert reports as to the claimant’s state of mind provide evidence of non-economic loss but may not be needed where the disclosure is of highly sensitive data;
- Factors relevant to the assessment of damages include sensitivity of the information disclosed, the extent of the disclosure and the impact on the complainant;
- The amount of compensation awarded for non-economic loss is not likely to exceed $20,000 even for the most egregious cases;
- Make sure you provide evidence of the security controls you had in place, to prevent a finding of a breach of APP 11.
We have written before about the two main challenges faced by individuals seeking compensation for privacy breaches in Australia:
- There is no established right to sue in breach of privacy in Australia (which means that individuals are limited to their rights under the Privacy Act 1988 (Cth)); and
- The difficulties in proving a recoverable loss from a data breach, particularly for non-economic loss such as distress.
What is becoming increasingly clear from the Determinations issued by the OAIC over the last 5 years is that those claimants with the stamina to proceed to a determination are unlikely to be awarded any significant compensation, even for failure to properly protect or process the most sensitive of data.
Although the number of Determinations made over the years remains disappointingly low, in June 2020 the OAIC released three determinations under the Privacy Act 1988 (Cth), all of which found there to be an interference with privacy, but where the total damages awarded from the three cases was AUD$24,000. One of the determinations, ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd  AICmr 21, considered what happens when very sensitive information is sent to an incorrect email address.
The complainants sought $250,000 by way of compensation. They received a total of $16,400. It is worth considering this case in more detail.
The complainants were patients of the Northside Clinic, and had participated in a medical study facilitated by the clinic related to HIV transmission. Both complainants had given the clinic their respective email addresses as part of the study. The first complainant had given both his personal and work email address which contained the place of his employment.
On 22 December, 2017 the clinic sent two emails, one discussing a further study the clinic was running and the second attaching a consent form. Both emails used the correct work email address for the first complainant but an incorrect Gmail address for the second complainant (omitting the middle initial from the second complainant’s name).
The emails included the complainants’ names and other information from which it could be gathered that they were in a same-sex relationship with each other, that they were both HIV positive and were participants in a medical study, and the details of one of the complainants’ upcoming medical appointments.
That same afternoon, the first complainant notified the respondent, via email reply, that the respondent had used an incorrect email address for the second complainant. The clinic subsequently sent a second email (attaching a consent form), again using the wrong email for the second complainant.
Although the clinic apologised by email about one month later, the complainants were dissatisfied with the response and complained to the OAIC. The clinic admitted it had made a mistake but disputed disclosure of the second claimant’s personal information and the amount of damages claimed. The complainants lodged a complaint with the OAIC seeking a formal apology and $250,000 in compensation. The OAIC was not able to conciliate the dispute and issued a determination in June 2020, some two and a half years after the incident.
Finding and damages awarded
The OAIC found that the clinic had interfered with the privacy rights of the complainants under the Privacy Act 1988 (Cth), identifying the following breaches:
- Breach of Australian Privacy Principle 6 – disclosure of personal information without the complainants’ knowledge or consent.
- Breach of Australian Privacy Principle 11.1 – failure to take reasonable steps to protect the complainants’ personal information from unauthorised disclosure.
The OAIC also confirmed that the interferences concerned the complainants’ personal information, including sensitive health information and information about their sexual orientation.
Having found that there had been an interference, it was open to the OAIC to award damages and compensation for loss. The OAIC awarded to the first complainant:
- $10,000 compensation for non-economic loss; and
- $3,400 for economic loss (for costs associated with treatment for psychological stress caused by the unauthorised disclosures).
To the second complainant, the OAIC awarded $3,000 damages for non-economic loss only, not having been provided with sufficient evidence of economic loss.
Aspects of the Determination worth further consideration include:
- The basis for assessment of both the economic and non-economic loss;
- The reasons for deciding there was a disclosure;
- Whether the second complainant was ‘reasonably identifiable’; and
- The security controls that might have been expected, given the finding of a failure to take reasonable steps to secure the information.
Assessment of damages
Non-Economic Loss: Pain and Distress
To date, the OAIC has been reluctant to award any significant compensation for damages for non-economic loss, such as pain, distress or anxiety. Unless the breach has involved sensitive data or egregious behaviour of the organisation involved, awards have been minimal (between $0 and $3,500).
The first complainant produced two psychologist reports as evidence of the psychological damage suffered, which were given weight by the OAIC. This is consistent with previous decisions which stress the importance of some independent evidence of pain or distress.
However, the OAIC was also prepared to award compensation, albeit in a lesser amount, to the second complainant on account of non-economic loss. The OAIC confirmed that it did not believe that a medical report was always required to support distress and referred to previous decisions (from 2016) where it had arrived at the same view.
Given the highly sensitive nature of the information involved, it might have been expected that higher compensation would be appropriate. However, in assessing the amount of damages, the OAIC took into account the absence of any evidence that the disclosed information was in fact accessed by the third party, in that there was no evidence that the owner of the email account that wrongly received the information actually opened the email, or even existed.
Additionally, the Commissioner deemed the disclosure accidental and without malicious intent. Although the state of mind of the respondent is not relevant to the decision of whether or not there has been a disclosure, it is important for the assessment of compensation.
The first complainant paid for a number of sessions with a psychologist for treatment arising out of the disclosures and sought to recover the cost of those sessions by way of economic loss. This was accepted by the OAIC. However, when assessing the damages to be awarded to the second complainant, although the Commissioner accepted that the breach had negatively affected him (as claimed in the statutory declaration put forward as evidence), she was not satisfied that the second complainant had established economic loss caused by the privacy breach. The second complainant was not entitled to recover for the cost of counselling etc.
Was the mis-sent email a disclosure?
This Determination might have provided an opportunity for the OAIC to issue detailed guidance on how it treats email addresses, and the basis on which it might determine that the use of an incorrect email address of itself amounts to a disclosure, particularly without any evidence of actual access by a third party.
The clinic had unsuccessfully tried to establish whether the incorrect email address existed, whether the email had been accessed and whether Google could delete the email from its systems.
In the absence of any evidence as to whether the email had been read or even received by a third party, it might have been thought that the argument that there was a disclosure was somewhat tenuous. However, the OAIC took its own steps, accessing a tool for verifying the validity of email addresses: ‘The tool indicated that the incorrect email address was valid insofar as the mailbox exists for the address.’ This confirmation was sufficient to establish a disclosure in that the clinic had ‘made the information contained in the emails accessible to an external party and released control over the information.’
This interpretation seems to sit uncomfortably with the ordinary meaning of the term ‘disclosure’ and the idea of relinquishing of control. It may perhaps cause issues in future decisions.
Was personal information disclosed?
Having established there was a disclosure to an unidentified third-party owner of the email account, consideration was given to whether personal information had been disclosed.
The first claimant’s email address included his name plus his place of work so it was relatively clear that the information disclosed related to an individual who was ‘reasonably identifiable.’
The position of the second claimant, having a common surname, is more interesting. The OAIC noted that the second complainant may not be identifiable just from his name but decided that, when combined with the information disclosed (the name of his partner, the fact that he was in a same-sex relationship and the clinic at which he had participated in a medical study and was considering participating in another medical study), that was sufficient for him to be reasonably identified.
Unfortunately, there is little detailed analysis of the extent of information that might be required to determine whether an individual is ‘reasonably identifiable’ or how the Commissioner reached the conclusion she did.
What was the failure to secure the data?
There is no discussion of what security controls the OAIC might have expected the clinic to have in place to prevent an email mistake. The finding of the failure to take reasonable steps to secure the data is based on the fact that the disclosures occurred and ‘the absence of information that reasonable steps were taken to prevent such an occurrence.’
The clinic advised that, following the incident, it had updated many of its policies to prevent any future breach of the APPs. It also conducted additional HR training covering phone calls and safely identifying the patient before discussing any personal information on a call and sought out further training relevant to privacy.
The Commissioner made no findings in regard to additional security steps, stating that it was satisfied with the steps taken by the respondent to improve its privacy policies and procedures, including the implementation of a two-step authentication process for the email of sensitive information.
It is not immediately clear how policy updating, additional phone call training or the implementation of two-step authentication might prevent this type of email incident from re-occurring. Given that disclosure of personal information to the wrong recipient via email is one of the most common forms of data breach, this Determination provided the opportunity for the OAIC to provide useful guidance on the standard it might expect pursuant to APP 11.1 for organisations dealing with this type of highly sensitive data. Is this another opportunity missed for the OAIC?
Finally, this Determination was issued some two and a half years after the initial incident, even though the clinic acknowledged some responsibility for the incident. One of the other Determinations made in June 2020 related to incidents from 2014, some six years previously.
The OAIC has issued three Determinations in 2019 and six so far in 2020. Although the reasons for the delays between the incidents complained of and the issuing of the Determinations are not clear, it does seem that in the OAIC’s case the wheels of justice turn slowly. Not only is this important in terms of how well the system is working (as they say, justice delayed is justice denied), it also points to issues for organisations looking to the OAIC for guidance on its interpretation and application of the Australian Privacy Principles, particularly in the fast-paced world of data processing.
Although there has been an increase in the number of Determinations in comparison to previous periods, the decisions are not building a platform of jurisprudence to support privacy regulation or even a better understanding of the operation of privacy laws in Australia. There is little detailed explanation of the reasons for decisions, judicially reasoned interpretations of the meaning or application of key terms of the Australian Privacy Principles themselves or consideration of the behaviour that might be expected by organisations in the context of those considered in the Determinations.
What’s more, the publishing of the Determinations themselves puts a spotlight on the problems with the existing rights of individuals affected by an interference with their privacy rights in Australia. When weighing up the prospects of a successful determination, the time and effort of bringing an action, the lack of legal precedent and the likelihood of recovery of no more than a minimal amount for non-economic loss, you can understand why many individuals may have second thoughts about making a complaint to the OAIC, even though the impacts of a breach for the individual involved can be dire, both economically and emotionally.
With the current review of the recommendations from the ACCC Digital Platform Enquiry, there is a pathway to statutory reform providing the individual right to redress and a more accessible avenue for Australians seeking to right a wrong in an ever-increasing digital landscape, where their data is one of the most valuable commodities. Let’s hope we see some action.
Privacy Commissioner Determinations in 2020:
 The three Determinations are listed at the end of this article.
 At par 95. ‘IY’ and Business Service Brokers Pty Ltd t/a TeleChoice  AICmr 44, ‘IV’ and ‘IW’ [2016] AICmr 41 and ‘IR’ and NRMA Insurance, Insurance Australia Limited  AICmr 37
 ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd  AICmr 21 at par. 91.
 ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd  AICmr 21 at par. 12.
 ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd  AICmr 21 at par. 23.
 Ibid, par 25.
 The OAIC defines ‘disclosure’ as an APP entity making personal information accessible or visible to others outside the entity and releasing the subsequent handling of the personal information from its effective control. This focuses on the act done by the disclosing party, and not on the actions or knowledge of the recipient.
 ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd  AICmr 21 at par. 35.
 ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd  AICmr 21 at par. 40.
 ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd  AICmr 21 at par. 110.
 Notifiable Data Breaches Report January to June 2020 (OAIC, 2020, p. 16)