By Sharon Sangha, Lawyer
Determinations made under the Privacy Act 1988 demonstrate that the Privacy Commissioner will likely award compensation for non-economic loss where an individual suffers emotional harm, humiliation or inconvenience as a result of a privacy breach. However, responding to privacy incidents in an efficient and conciliatory way may reduce the extent of the harm and the risk of aggravated damages being awarded.
Privacy regulatory action since the reforms
According to its website, the Office of the Australian Information Commissioner (OAIC) has seen a significant increase in the number of privacy complaints (up 43%) and privacy enquiries since the privacy reforms commenced on 12 March 2014. From that time to date, there has also been an increase in privacy regulatory action by the OAIC with:
- 5 published own motion investigation reports;
- 13 published privacy assessment and audit reports; and
- 7 privacy determinations.
The Privacy Commissioner also recently accepted an enforceable undertaking from Optus following three significant privacy incidents, being the first enforceable undertaking made under the privacy reforms.
Trends in compensation awards
Under the Privacy Act, if the Privacy Commissioner finds that a privacy breach has occurred, he may determine that an individual is entitled to compensation for loss or damage suffered as a result of the breach, including economic and non-economic loss.
The Privacy Commissioner has awarded compensation for non-economic loss (distress, humiliation and other emotional harm) in 6 of the 7 privacy determinations published since March 2014, ranging from $5,000 (‘CP’ and Department of Defence  AICmr 88) to $18,000 (‘DK’ and Telstra Corporation Limited  AICmr 118). In doing so, the Privacy Commissioner has applied the principles in Rummery and Federal Privacy Commissioner and Anor  AATA 1221 (where $8,000 was awarded), which include the following:
- principles of damages applied in tort law will assist in measuring compensation;
- compensation should be assessed having regard to the complainant’s reaction (not a ‘reasonable person’ test);
- there must be a good reason not to award compensation once loss is established; and
- aggravated damages may be awarded in appropriate cases.
In the most recent privacy determinations:
- $6,500 was awarded to the complainant for injury to his feelings and distress in ‘EZ’ and ‘EY’  AICmr 23. The complainant was a patient of the respondent, and had contacted his local police station to report harassment and damage to his property as part of an ongoing neighbourhood dispute. The police contacted the respondent and asked whether in her opinion the complainant was ‘psychotic’. The respondent was found by the Privacy Commissioner to have breached NPP 2.1 (disclosure principle) and NPP 4.1 (data security principle) by disclosing the complainant’s personal information to the police. In deciding the appropriate amount of compensation, weight was given to the sensitive nature of the disclosed information, and the doctor’s responsibility to have a sound understanding of privacy obligations.
- $5,000 was awarded to the complainant for non-economic loss (humiliation) in EQ and Great Barrier Reef Marine Park Authority  AICmr 11. The complainant was employed as a marine conservation research assistant, and committed an offence by fishing in a prohibited ‘Green Zone’. GBRMPA received a request for information from News Corp Australia in relation to the incident, and provided a response which included information about the complainant’s name, employment, the incident and status of the investigation. A story about the incident was subsequently published in the Sunday Mail. The Privacy Commissioner found that GBRMPA’s response to News Corp Australia constituted a breach of IPP 11.1 (disclosure). The fact that the complainant would not have suffered economic loss but for his own conduct (ie by fishing unlawfully in a marine conservation zone) was given significant weight in determining the amount of compensation.
While no awards of compensation for aggravated damages appear to have been made since 2010, it would be open to the Privacy Commissioner to do so, particularly if:
- an entity’s conduct is considered to be ‘high-handed, malicious, insulting or oppressive’; or
- the entity has acted in a way that exacerbates the complainant’s injury or hurt feelings.
This highlights the importance of implementing systems and procedures not only to reduce the risk of privacy breaches in the first instance, but also to manage an entity’s response to privacy incidents.