How to put a price on damage suffered as a result of a privacy breach

April 2017

Queensland privacy complaint jurisdiction

The Information Privacy Act 2009 (Qld) (IP Act) creates a right for individuals to make a privacy complaint if they consider that a Queensland Government agency¹ has failed to comply with its obligations under this Act.

The privacy complaint process in Queensland consists of three tiers:

  • Tier one - An individual first makes their privacy complaint to the government agency involved and allows the agency a minimum of 45 business days to respond and/or to resolve the subject matter to the individual’s satisfaction;
  • Tier two - An individual who, at the end of that period, is not satisfied with the agency’s response can bring their privacy complaint to the Office of the Information Commissioner (OIC); and
  • Tier three - An individual may seek referral of their privacy complaint to the Queensland Civil and Administrative Tribunal (QCAT) if OIC considers that resolution of the complaint is not reasonably likely to be achieved through mediation.

There is a strong emphasis in the IP Act on parties to a complaint resolving the complaint informally, with two opportunities for informal resolution before a matter is able to be dealt with in QCAT.  A privacy complainant must progress through the first two tiers before they can bring their privacy complaint to QCAT.  There is no alternative civil cause of action for privacy complaints in Queensland.

OIC does not have the power to determine whether an individual’s privacy complaint is substantiated, or to impose a particular settlement.  Rather, OIC’s role is restricted to assessing the issues of jurisdiction and whether the complaint shows an ‘arguable case’ of privacy breach and, if so, to providing a mediation service.

Where a privacy complaint is referred to QCAT, it may make an order that the complaint (or part of it) has been substantiated and, if appropriate, QCAT may also make orders to remedy the damage suffered by the complainant as a consequence of the breach.²

These orders include the capacity for an award of up to a maximum of $100,000 to compensate an individual for loss or damage suffered by reason of the privacy breach - including injury to the complainant’s feelings or humiliation suffered by the complainant.

The advantages of mediation

While QCAT is a less formal jurisdiction than courts, the QCAT process remains adversarial in that the outcome of a QCAT hearing is that there is a ‘winner’ and a ‘loser’.  Mediation, however, is a collaborative process that offers the parties greater control over the outcome.  In addition, mediation is often quicker, less formal and may assist in restoring or maintaining a relationship that could otherwise likely be damaged or worsened through a litigation process.

Furthermore, unlike a QCAT hearing, which is generally open to the public and where information about the resulting decision and the reasons for that decision is published, OIC’s mediation process is strictly confidential.  OIC cannot be compelled to produce a privacy document or disclose privacy information in third-party legal proceedings.³

The confidential nature of mediation encourages frank and candid discussion between the parties.  While QCAT is limited under the IP Act in the orders it can make, mediation allows the parties to propose and consider a wider range of settlement options.

Options for resolution

The Queensland privacy jurisdiction focuses on remedying the damage suffered by the complainant as a consequence of the alleged privacy breach.  A privacy complaint cannot be used as a ground to appeal an agency’s administrative decisions, nor can it be used to penalise an agency or an individual officer for their conduct or actions.

Non-financial options

OIC’s experience is that an apology is an outcome that is commonly sought by complainants.  A sincere apology delivered early in the complaint process can be instrumental in resolving the complaint, particularly when combined with an undertaking that the agency will take steps to prevent a similar incident occurring in the future (for example, through a change in agency processes or the provision of privacy training).

Examples of non-financial settlements achieved in Queensland and other privacy jurisdictions include:

  • providing the individual with access to their personal information
  • placing an alert on the person’s electronic health file which comes up when the file is accessed to indicate that caution is required when releasing information to third parties
  • removal of the personal information posted in a comments thread on a website
  • removal of the individual’s email address from a submission that was published online
  • removal of a fixed CCTV camera; and
  • an agency agreeing to meet with the complainant so that the complainant could communicate how the disclosure of their personal information had affected them.

Financial options

The underlying premise of compensatory measures is to ‘put the complainant back into the position that they would have been in, had the privacy breach not occurred’.  OIC acknowledges that this is not always possible in the context of privacy complaints.  For example, a complainant whose personal information has been published to the world cannot practically remove all traces of that publication.⁴

Agencies can offer financial compensation as part of a mediated settlement.  Money paid as part of a mediated settlement can serve as a tangible measure of acknowledgement, atonement and regret.

Some damages, such as medical or counselling expenses, or a subscription to an identity monitoring service, have a defined ‘dollar amount’ and can be proven from documents and records.⁵ Assigning a ‘dollar amount’ to injury to feelings or humiliation⁶ is more difficult. Ultimately, this amount comes down to what respondent agencies are willing to pay (in mediation proceedings) or what QCAT awards.

Every privacy complaint is different and the settlement terms and QCAT orders will ultimately be determined by individual factors. To date, there is only one case in the Queensland privacy jurisdiction where QCAT has awarded financial compensation.⁷ As such, there is very limited guidance on how much pain and suffering, hurt and humiliation are worth – other than that the upper limit of financial compensation through QCAT is $100,000.

However, there is a body of case law in other jurisdictions. The Commonwealth privacy jurisdiction has been guided by principles for awarding compensation that include that the award be ‘restrained but not minimal’.⁸ Determinations by the Office of the Australian Information Commissioner (OAIC) show that the quantum of awards is not especially high - the largest has been $20,000, with the average being $7,000.

The following table provides an overview of remedies awarded in Queensland and other privacy jurisdictions, and some of the factors that were given weight by the relevant determinative body when deciding on an appropriate award of compensation.

These cases are for general guidance only and should not be relied upon as necessarily being directly applicable to the Queensland jurisdiction.

Determinations on privacy complaints

Case name | Facts material to award | Remedy

RM v Queensland Police Service [2017] QCAT 071 (OCL036-15)⁹

Whilst employed by the Queensland Police Service (QPS), RM made a WorkCover claim. WorkCover notified QPS of the claim and requested an employer’s response, including statements ‘from those involved as you see fit’.

QPS subsequently sent an email to ten QPS employees, which contained RM’s name, RM’s WorkCover claim number, the name of the claimed injury and the causes or factors of the claimed injury.

QPS contended that contacting RM’s nominated witnesses was for the purpose of complying with the statutory requirement to obtain and provide information to WorkCover, and so was ‘authorised or required under law’.

QCAT found that it was difficult to reconcile this stated intention with the email, as it did not seek any information from the recipients but rather expressly informed them that they were not required to ‘do anything at this stage’.

$5,000

$4,400 for expenses reasonably incurred

'LB' and Comcare (Privacy) [2017] AICmr 28¹⁰

The complainant requested that Comcare investigate whether or not her employment with Defence had caused or contributed to her cancer. Comcare subsequently produced an investigation report, which contained the complainant’s health information.

The complainant requested a copy of this report under the Commonwealth’s Freedom of Information Act 1982. A redacted version of the report was provided to the complainant, and a copy of the redacted report was later published on Comcare’s website through its disclosure log. The redacted report included the complainant’s name, postal address, date of birth, employee number and health information.

The complainant provided a number of documents in support of her claim for non-economic loss, including reports from her treating psychiatrist and psychologist, which the Privacy Commissioner considered along with the complainant’s own accounts of her distress as a result of the breach.

$20,000

'KA' and Commonwealth Bank of Australia Limited [2016] AICmr 80¹¹

The complainant is a former employee of a Commonwealth Bank Mortgage Innovation Agency (MIA). She is also a customer of the Commonwealth Bank of Australia (CBA).

The complainant had brought proceedings against the MIA before the Fair Work Commission (FWC). She alleged that during the FWC proceedings, the principal of the MIA accessed her customer profile through the CBA’s customer management software ‘CommSee’ for the purpose of assisting the principal to advance his defence in those proceedings.

The OAIC was not satisfied that the CBA demonstrated that on the balance of probabilities, all of the principal’s accesses to the complainant’s CommSee profile were for the primary purpose of managing a customer’s banking business.

OAIC also found that, given the size of the organisation and the sensitivity of the information stored on CommSee, at a minimum CBA should have processes in place to restrict a user’s access to a CommSee profile immediately when it becomes aware of a potential conflict of interest between the customer and the user.

$10,000

‘HS’ and AMP Life Ltd [2015] AICmr 81¹²

AMP Life Ltd (AMP) provided income protection insurance to the complainant’s wife, who had made a complaint to the Financial Ombudsman Service (FOS) regarding AMP’s administration of a claim she had made.

During the course of the FOS investigation, the complainant became aware that AMP had obtained copies of his income tax returns from a third party without notifying him of this collection, and then disclosed this information to FOS without his consent.

In deciding the appropriate amount of compensation to award in this matter, weight was placed on the sensitive nature of the personal information, that AMP had given assurances to the complainant’s wife that it would not pursue the collection of that information without providing that notice, the responsibility of AMP to have a sound understanding of privacy obligations given the nature of personal information it collects and uses on a daily basis and its position as a leading insurance and financial institution.

$10,000

‘EZ’ and ‘EY’ [2015] AICmr 23¹³

The complainant was a patient of the respondent, and had contacted his local police station to report harassment and damage to his property as part of an ongoing neighbourhood dispute. The police contacted the respondent and asked whether in her opinion the complainant was ‘psychotic’ and was advised that ‘it was possible but further assessment was needed’. The complainant alleged that the information should not have been disclosed, that it was inaccurate and that reasonable steps were not taken to protect his health information.

Weight was given to the sensitive nature of the disclosed information and the doctor’s responsibility to have a sound understanding of privacy obligations.  Weight was also placed on the information being disclosed to a police officer who would have been subject to confidentiality obligations, and that the information disclosed was clarified by the respondent in subsequent correspondence with the police.

$6,500

‘EQ’ and Great Barrier Reef Marine Park Authority [2015] AICmr 11¹⁴

The complainant was employed as a marine conservation research assistant, and committed an offence by fishing in a prohibited ‘Green Zone’. The respondent received a request for information from News Corp Australia in relation to the incident, and provided a response which included information about the complainant’s name, employment, the incident and status of the investigation. A story about the incident was subsequently published.

The complainant also sought compensation for economic loss, namely lost income, lost future income and loss of future career opportunities; however, the fact that the complainant would not have suffered economic loss but for his own conduct (i.e. fishing unlawfully in a marine conservation zone) was given significant weight in determining the amount of compensation.

$5,000

‘DK’ and Telstra Corporation Limited [2014] AICmr 118¹⁵

The complainant worked as a judge in the family law jurisdiction.  He contacted Telstra to have a phone line connected to his home, as part of an alarm system that was being installed to address the security implications of his work.  The complainant stated that he advised Telstra that the phone line would not be used for any other purpose.

In the process of setting up the phone line, Telstra failed to take reasonable steps to provide notice to the complainant that it would publish his name, address and the number of the phone line in both the White Pages online and hard copy directory.

In awarding compensation, the Privacy Commissioner was guided by the impact of the privacy breach on the complainant: ‘Telstra’s breach has had serious consequences for the complainant. The complainant has as a result of the breach suffered significant anxiety and distress including I believe a well-founded fear for his physical safety and that of his partner. The complainant has explained that Telstra’s breach has made it implausible for him to continue to reside at his current home. This is supported by the complainant’s application for an interstate transfer with his job, which, I am satisfied, is a direct consequence of the actions of Telstra.’

$18,000

‘CP’ and Department of Defence [2014] AICmr 88¹⁶

The complainant was employed by the Department of Defence (Defence) and had lodged a workers’ compensation claim.

A copy of the complainant’s medical report, which had been prepared by an independent medical practitioner, was disclosed to the complainant’s treating general practitioner, after the complainant had been asked for, and expressly refused, permission for his rehabilitation case officer or Defence to contact his treating medical practitioners about his rehabilitation.

The Privacy Commissioner accepted the complainant’s claim that the disclosure of his personal information to his treating GP exacerbated his anxiety and depression, particularly in light of the supporting information provided by his treating psychologist.

However, the Privacy Commissioner stated that from the information provided by both the complainant and his treating psychologist that ‘it is evident that a proportion of the emotional suffering experienced by the complainant was not caused by Defence’s disclosure of his personal information to his treating GP.  A number of workplace incidents impacted on the complainant and contributed to his mood disorder and heightened anxiety and stress.’

It was also noted that the disclosure was limited to providing the complainant’s personal information to his treating doctor, who has obligations to safeguard the privacy and confidentiality of patient medical information and that there was no information to suggest that the complainant’s personal information was disclosed more broadly.

$5,000

‘BO’ and AeroCare Pty Ltd [2014] AICmr 32¹⁷

The complainant was travelling on a return flight to Melbourne when an AeroCare Pty Ltd (AeroCare) staff member asked him a series of questions about his medical condition.  The questions were asked in the presence of the complainant’s Sighted Guide, who did not know the details of his medical condition, and a number of other passengers in the departure lounge.

The Privacy Commissioner considered the complainant’s vulnerability as a person with a disability, the highly sensitive nature of the medical information that was collected and disclosed, and the responsibility of AeroCare, as an organisation, to have a sound understanding of its privacy obligations, were factors to consider in deciding the amount of damages to award.

$8,500

'D' and Wentworthville Leagues Club [2011] AICmr 9¹⁸

Wentworthville Leagues Club received a letter from the complainant’s ex-partner which attached a copy of a subpoena directing the Club to provide certain documents to the Federal Magistrates Court.

Instead of providing the documents to the Court, the Club presented the documents, which contained the complainant’s membership details and gaming information, directly to the complainant’s ex-partner, who further disclosed the information to the complainant’s family, friends, previous neighbours, parents of children's friends and work colleagues.

The complainant provided medical certificates, a report from a social worker, a psychologist’s report, the complainant’s own statement and statutory declarations from family members in support of the claim for injury to feelings and humiliation.  The Privacy Commissioner accepted the medical evidence provided by the complainant, but did not consider the report from the social worker to add evidence beyond the complainant’s statement because it merely described the complainant’s version of events. The statements from family members were also not considered to add any weight to the complainant’s claims given the other medical evidence.

$7,500

Deeming v Whangarei District Council [2015] NZHRRT 55¹⁹

An incident at the Mid Western Rugby Squash Club, in Mr Deeming’s view, raised issues about the adherence of the club to the provisions of the then Sale of Liquor Act 1989 administered by the Whangarei District Council (Council). Mr Deeming alleges he sought an investigation by Council into the incident and in so doing relied on a policy by which Council protected the identity of complainants.

Mr Deeming’s case is that his complaint was disclosed to Councillor Shelley Deeming (the wife of a cousin of Mr Deeming). She, in turn, disclosed the complaint to the President of the Mid Western Rugby Club.  As a result Mr Deeming was harassed at his home and other places and received a life-time ban from the club. Media reports led to hurt and humiliation not only to Mr Deeming but also to his family.

$2,000

Director of Human Rights Proceedings v Crampton [2015] NZHRRT 35²⁰

Mr Crampton was a member of the Executive Committee of the Massey University Extramural Students’ Society (EXMASS) and also a journalist by occupation. Some of the members of the Executive Committee (including Mr Crampton) sent to the then President of EXMASS (who had held office for only 10 weeks) a “written warning” alleging she was not meeting certain performance standards. The letter included information about the President of a personal and sensitive nature.

A short time later, Mr Crampton provided a copy of the warning letter to a reporter for Massey University’s student magazine. The President had not given consent to the disclosure.  The student magazine published an article in print and online in which reference was made to the warning letter and an excerpt from it was quoted.

The complainant stated that after the letter was published she suffered from stress and anxiety, had trouble sleeping and sought medical advice.

$18,000

Taylor v Orcon Ltd [2015] NZHRRT 15²¹

Orcon Limited (Orcon) is a telecommunications company which provides broadband and telephone services.  Claiming Mr Taylor owed money, Orcon instructed the debt collection agency, Baycorp, to recover the alleged debt.  This had an immediate effect on Mr Taylor’s credit rating.  Specifically, it became almost impossible to find rental accommodation for his family.

The complainant claimed that Orcon had earlier advised him that all amounts owed had been waived and that, as no debt existed, Orcon had provided Baycorp with inaccurate personal information.

$15,000

Richard Alexander Feather v Accident Compensation Corporation [2003] NZHRRT 29 (4 September 2003)²²

Mr Feather was a recipient of an indexed ‘pension’ as a result of a work accident. By an administrative error a friend of the Feather family was provided with details of Mr Feather’s pension including his annual income. The friend provided the information to Mrs Feather who was distressed at the disparity between Mr Feather’s earnings and the money he had allocated to their household during their marriage. This information ‘cast a long shadow over the marriage’ almost bringing it to a close despite its then nearly 50-year length.

The case is notable because the agency that mistakenly released Mr Feather’s information to the family’s friend acknowledged its error and took active steps to minimise further distress to the Feathers, including issuing a genuine and sincere apology.

The agency’s contrition was favourably noted by the Tribunal and was a significant factor in Mr Feather being awarded a significantly lesser sum than he had sought. The Tribunal stated:

“We wish to make it clear that our award would have been higher but for the way in which the ACC has dealt with the matter and conducted its case in the Tribunal. Had the ACC adopted an uncompromising stance the case would have occupied very much more time, and it would inevitably have been a very great deal more stressful for Mr Feather. The ACC is entitled to appropriate recognition for the responsible way in which it has responded to the situation created by the disclosure of information about Mr Feather’s income.”

$8,000

1 An agency includes its bound contracted service provider.
2 Section 178 of the IP Act.
3 Section 153 of the IP Act.
4 Furthermore, a person can never ‘unknow’ something once they know it.
5 These damages are often referred to as ‘economic damages’.
6 These damages are often referred to as ‘non-economic damages’.
7 As at 31 March 2017.
8 See https://www.oaic.gov.au/privacy-law/determinations/
9 http://www.sclqld.org.au/caselaw/QCAT/2017/071
10 http://www.austlii.edu.au/au/cases/cth/AICmr/2017/28.html
11 http://www.austlii.edu.au/au/cases/cth/AICmr/2016/80.html
12 http://www.austlii.edu.au/au/cases/cth/AICmr/2015/81.html
13 http://www.austlii.edu.au/au/cases/cth/AICmr/2015/23.html
14 http://www.austlii.edu.au/au/cases/cth/AICmr/2015/11.html
15 http://www.austlii.edu.au/au/cases/cth/AICmr/2014/118.html
16 http://www.austlii.edu.au/au/cases/cth/AICmr/2014/88.html
17 http://www.austlii.edu.au/au/cases/cth/AICmr/2014/32.html
18 http://www.austlii.edu.au/au/cases/cth/AICmr/2011/9.html
19 http://www.nzlii.org/nz/cases/NZHRRT/2015/55.html
20 http://www.nzlii.org/nz/cases/NZHRRT/2015/35.html
21 http://www.nzlii.org/nz/cases/NZHRRT/2015/15.html
22 http://www.nzlii.org/nz/cases/NZHRRT/2003/29.html