OAIC Determinations 2020: What can we learn?

The OAIC has been busy, releasing eight Determinations between June and September 2020[1]. Given this flurry of activity, what can we learn?

Key Take-aways: ‘Complainants, and their lawyers, shouldn’t expect big payouts’ is probably the biggest lesson.

Others include:

  • To recover for distress and anxiety, some independent evidence is usually needed e.g. psychologist or medical reports.
  • Even with supporting evidence, compensation for non-economic loss (distress etc) is likely to be low i.e. between $1,500 and $3,000.  For breaches involving highly sensitive information it might go up to $10,000.
  • Legal expenses are unlikely to be recoverable (especially without an itemised invoice).
  • Failure to participate in an OAIC investigation can result in aggravated damages. But the amount is likely to be less than $2,000 (even for ignoring a Section 44 notice).
  • It takes at least 2 years from the time of complaint to the making of a Determination, raising questions as to the timeliness of redress.

General background

Never have so many determinations been issued in one calendar year.  Either the number of complaints must be increasing or it’s becoming harder for the Office of the Australian Information Commissioner (OAIC) to conciliate an outcome.  Whatever the cause, an unprecedented number of decisions were published between June and September 2020.

In all eight determinations, the OAIC found some interference with privacy:

  • Four of the determinations concerned failure to provide timely access to records, with three cases relating to psychologists failing to provide access to their reports.
  • Another determination concerned the accuracy of information disclosed from the completion of a travel declaration by the Department of Home Affairs to Interpol NZ. The outcome pointed to a shortfall in the wording of the declaration card;
  • The internal distribution of details relating to a worker’s compensation claim, subsequently used by another employee as the basis of a grievance claim, was considered in another case;
  • The disclosure of un-redacted bank statements, including details of different services and service providers paid for by the claimant, to her ex-partner as part of disputed child maintenance proceedings was the subject of another Determination.[2]

Perhaps the most egregious case related to the disclosure of very sensitive health information (i.e. HIV status and other medical details) by the Northside Clinic.[3]  We have published a separate note on this case.

In total, the OAIC awarded $41,195 across all eight decisions, made up of the following amounts:

  • For economic loss – $3,695 ($3,400 in one case for medical expenses);
  • For non-economic loss – $29,500; and
  • For aggravated damages – $8,000.

It’s worth noting that in one instance, no compensation was sought (only access to records requested).[4]

There are some important take-aways from these Determinations.

What is recoverable?

The categories of compensation that can be awarded include:

  • Compensation for economic loss, or payments which have been incurred, for example, for medical expenses or legal costs;
  • Compensation for non-economic loss, such as distress or anxiety; and
  • Aggravated damages, where the OAIC decides that additional damages should be awarded because of some particularly egregious behaviour of the respondent.

All categories of damages were considered in the different Determinations.

Economic Loss

Compensation can be awarded for medical expenses or counselling fees if it can be established that those expenses relate specifically to the interference with privacy (rather than a pre-existing condition).  Expenses for counselling were recoverable on this basis in the Northside Clinic case.

Recovery of legal fees is more problematic.

Recovery of legal fees

There is bad news for litigation funders and lawyers looking to capitalise on the rise of privacy claims.  Legal fees are unlikely to be recoverable, other than in very small amounts. In ST and CEO Services Australia, the OAIC rejected an itemised invoice for $5,000 for solicitor’s fees in relation to the privacy complaint, stating that she was not satisfied that the expenses were reasonably incurred.[5]

‘VI’ and CSIRO turned almost solely on the claimant seeking to recover $11,000 for legal expenses.[6]  Whilst acknowledging that the OAIC can award reimbursement for expenses reasonably incurred,[7] the Commissioner said she would ‘not exercise that discretion on every occasion’ adding that ‘Most privacy complaints can be resolved without the need for legal representation.’[8]  The Commissioner did not award costs, based on the lack of information establishing that the costs were reasonably incurred or other supporting evidence (such as itemised invoices and receipts).

In VN and VM, a case where the OAIC thought the respondent’s behaviour sufficiently egregious to award aggravated damages, the claimant recovered $295 for legal fees, having substantiated the cost of professional legal services to that amount.[9]

Non-economic loss

In most cases the complainants seek compensation for the distress, anxiety and stress caused by the interference with privacy. The Determinations suggest there is a range of compensation awards, depending on the type of interference and the level of distress caused:

  • No evidence of distress etc. – $0;
  • Evidence of distress and limited disclosure – $1,000 to $3,000; and
  • Evidence of distress and disclosure of sensitive information – $10,000.

In ST and CEO Services Australia, the claimant sought $30,000 in damages. In considering entitlement to compensation, the OAIC decided that the information disclosed in the un-redacted bank statements did not significantly contribute to the complainant’s fear of being located by her ex-partner (who had received the bank statements). Influencing factors included that the complainant had disclosed some of the information previously, continued to maintain a PO Box at the same post office as the ex-partner and provided no evidence of seeking the assistance of police.[10]  The OAIC accepted evidence provided by the complainant’s consultant psychiatrist that the disclosure caused her ‘considerable distress’ while dismissing other claims.  In the OAIC’s opinion, this degree of distress equated to an award in the amount of $3,000.[11]

$3,000 was also awarded in four other cases, with another claimant being awarded $2,500.[12]  In ‘VQ’ and Secretary to the Department of Home Affairs, where inaccurate information had been provided to another government agency which affected the complainant’s travel plans and visa status, the Commissioner decided that he was entitled to damages for distress ‘at the lower end of the scale’, awarding $2,000.[13]

The highest award for non-economic loss was $10,000 to the first respondent in the Northside Clinic case[14] which we have covered in a previous post.

Aggravated damages

The OAIC can award aggravated damages.  The recent batch of Determinations included three cases where the Commissioner decided to award aggravated damages of between $1,500 and $2,000.

In one case, when deciding to award aggravated damages, the Commissioner referred to the respondent’s insulting manner (which included making unsubstantiated comments about the complainant to the OAIC) as well as the respondent’s failure to engage with the OAIC until a very late stage in the investigation, contributing to delay in resolving the matter.  The Commissioner found that this conduct exacerbated the injury of the complainant by harming her proper feelings of dignity, awarding $2,000 for aggravated damages.[15]

In ‘VN’ and ‘VM’[16] the complainant was awarded $3,000 for aggravated damages. The respondent (who had been the complainant’s psychologist) had agreed to provide the information requested to the complainant on four different occasions, then failed to do so, lied about providing information to the respondent and then lied to the OAIC.  For example, the respondent said she’d emailed it to the OAIC but didn’t attach the record to the email. This added to the complainant’s concerns that the personal records were ‘floating around’ in an unknown location.  The respondent also disregarded the OAIC’s numerous requests to facilitate the complainant’s access to the personal information, including responding to the OAIC issuing a Section 44 notice. In these circumstances, the OAIC decided that the respondent’s approach to the case demonstrated a complete lack of regard for the complainant’s rights and for her own obligations under the Privacy Act and that that behaviour had exacerbated the harm experienced by the complainant arising out of the breach. For these reasons, the OAIC considered this case to be appropriate for the award of aggravated damages.

No aggravated damages were awarded in five of the cases, including in

Unauthorised disclosure and breach of APP 11

Perhaps of more concern than the amount of damages awarded in the eight Determinations are the directions made to ensure that reasonable security controls are in place.

Requiring a third party to review the security measures you have in place, make recommendations and then report back to the OAIC on whether those recommendations have been implemented, can be significantly more onerous than paying $3,000 in damages.

There is an almost unbreakable connection between finding a breach of APP 6 (unauthorised disclosure) and APP 11 (failing to take reasonable steps to prevent unauthorised disclosure).  One anomaly was in SF and SG.  Although there was an unauthorised disclosure, breach of APP 11 was not considered. In that case, the respondent had suggested that records may be lost as a reason for not producing them, but this was not established during the hearing of the case. Underlining the connection between APP 6 and APP 11, the OAIC included a ‘general comment’ to the effect that where records are ‘lost’ and, where that loss is established, the respondent could expect to be investigated as to breach of APP 11.[17]

In the CSIRO case, where details of a worker’s compensation claim were circulated amongst work colleagues, CSIRO was ordered to engage an independent reviewer with privacy expertise to review its current policies, procedures and training relevant to its compliance with APP 6 and APP 11. Within six months of receiving the independent reviewer’s report, the CSIRO must then report to the Commissioner on the reviewer’s findings and recommendations and what it has done to implement those findings and recommendations.

In ‘VN’ and ‘VM’[18]  the OAIC was not satisfied with the respondent’s evidence that she maintained records in a locked filing cabinet in her locked garage at her home, where she was the only person with access to the key to the locks. The OAIC decided that, given the sensitivity of the information involved, they were not satisfied that reasonable steps had been taken to secure the records.  Accordingly, in addition to an award of aggravated damages, the respondent was required to:

  • engage an independent auditor to assess compliance with APP 11 with respect to the physical security of the personal information she holds;
  • engage the auditor within two weeks of deemed receipt of the determination;
  • require the auditor to complete the audit, including a written report, within two months of their engagement;
  • provide a copy of the auditor’s report to the OAIC within two weeks of the date of the report; and
  • implement the auditor’s recommendations, if any, within two months of the date of the auditor’s report.

Breach of APP 6 does not always lead to some order in regard to APP 11.

Sharing un-redacted bank statements was considered in the context of failure of security controls in ‘ST’ and Chief Executive Officer of Services Australia.  The OAIC found there were ‘comprehensive directions’ for determining the relevance of parts of documents to be provided to external tribunals and redacting irrelevant information, in addition to specialist teams who received consistent training and participated in continuing learning.[19]  Accordingly, there was no failure of security. However, there is no discussion of the basis on which the un-redacted documents were made available in this case.  Being satisfied the agency ‘will not repeat or continue such conduct’[20] suggests that the OAIC regards this as a one-off case not likely to reoccur.

Timeliness

The wheels of justice turn slowly within the OAIC.

In ‘VU’ and ‘VV’, ‘VW’, the complainant lodged a complaint with the OAIC on 20 July 2018.  The OAIC opened an investigation into the matter on 24 June 2019 and issued its determination in September 2020.  Given there was very little argument by the respondent, it is not clear why the process took so long – over 2 years from the time of the complaint to the making of the order that the respondent provide access.

Similarly, the events complained of in VI and CSIRO occurred in 2017, with the Determination issued some three years later in September 2020. In ‘VN’ and ‘VM’, the complaint was made on 16 October 2018. The OAIC opened an investigation on 12 June 2019.  The Determination was issued on 2 September 2020.

It seems unfortunate that people going to the OAIC with genuine grievances have to wait for 2 years or more for a resolution.

Conclusions

Although none of the eight Determinations provides any startling new interpretation of the APPs, there are some interesting lessons:

  • Damages awarded will be limited;
  • Evidence should be presented for any losses claimed;
  • Legal fees will be hard to recover;
  • The biggest sting in the tail might be from orders relating to security.

Perhaps the most important aspect, particularly for those making complaints, is the time taken from complaint to issuing a Determination.  The process seems unduly long for those denied access to records or already suffering a significant interference with their privacy rights.

Privacy Commissioner Determinations in 2020:

‘VU’ and ‘VV’, ‘VW’ (Privacy) [2020] AICmr 52 (14 September 2020)

‘VJ’, ‘VK’, ‘VL’ and ‘VM’ (Privacy) [2020] AICmr 45

‘VN’ and ‘VM’ (Privacy) [2020] AICmr 46

‘VI’ and CSIRO (Privacy) [2020] AICmr 44

‘VQ’ and Secretary to the Department of Home Affairs (Privacy) [2020] AICmr 49

‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30 (30 June 2020)

‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 (June 2020)

‘SD’ & ‘SE’ and Northside Clinic (Vic) Pty Ltd (Privacy) [2020] AICmr 21 (12 June 2020)

[1] A list of the eight Determinations is included at the end of this note.

[2] ‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30 (30 June 2020)

[3] ‘SD’ & ‘SE’ and Northside Clinic (Vic) Pty Ltd (Privacy) [2020] AICmr 21 (12 June 2020)

[4] ‘VU’ and ‘VV’, ‘VW’ (Privacy) [2020] AICmr 52 (14 September 2020)

[5] ‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30 (30 June 2020) at para [79].

[6] ‘VI’ and CSIRO (Privacy) [2020] AICmr 44 at [16]

[7] Ibid at [63].

[8] Ibid at [64].

[9] ‘VN’ and ‘VM’ (Privacy) [2020] AICmr.

[10] ‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30 (30 June 2020) at para [76].

[11] Ibid [83].

[12] ‘VQ’ and Secretary to the Department of Home Affairs (Privacy) [2020]

[13] ‘VQ’ and Secretary to the Department of Home Affairs (Privacy) [2020] at para [84].

[14] ‘SD’ & ‘SE’ and Northside Clinic (Vic) Pty Ltd (Privacy) [2020] AICmr 21 (12 June 2020)

[15] ‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22

[16] ‘VN’ and ‘VM’ (Privacy) [2020] AICmr 46

[17] ‘SF’ and ‘SG’ (Privacy) [2020] AICmr 22 (June 2020) at para [110].

[18] ‘VN’ and ‘VM’ (Privacy) [2020] AICmr 46

[19] ‘ST’ and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30 (30 June 2020) at para [55].

[20] Ibid.

At Privacy 108, we are passionate about privacy and data protection. We work with organisations to ensure they collect, use and secure all information in a way that is both compliant and meets community expectations. Privacy 108 is a law firm. Our team of lawyers can provide specialist legal advice on privacy and security issues.