Volume: 4 Issue: 4
In late March 2017 two determinations were handed down by the Australian Privacy Commissioner (LA & Department of Defence (Privacy) AICmr 25 and LB & Comcare (Privacy) AICmr 28), both relating to the accidental unauthorised disclosure of health information.
While the LB & Comcare determination was decided under the old Information Privacy Principles (‘IPPs’) (i.e. those applicable to Federal Government agencies prior to the introduction of the Australian Privacy Principles (‘APPs’) in March 2014), it nonetheless shows the Commissioner’s thinking around unauthorised disclosure (IPP 11, now reflected in APP 6) and security of information (IPP 4, now reflected in APP 11), especially regarding health information. This thinking will remain relevant to the Commissioner’s future determinations under the APPs. Also of interest is the relatively high award of ‘non-economic damages’ (AUD 20,000), which was in large part due to the fact that it was health information that was disclosed.
However, the more interesting of the two is the LA & Department of Defence determination, which focused on the unauthorised disclosure of health information under APP 6. Specifically, it included a detailed consideration of when and why the Commissioner will award economic and non-economic loss to a successful complainant. For context, the average non-economic loss awarded by the Commissioner over the last 18 to 24 months has been around AUD 6,000 and, for sensitive or health information, around AUD 10,000.
As regards non-economic loss, the Commissioner noted that the principles he has been following in awarding compensation (based on the AAT decision in Rummery & Federal Privacy Commissioner [2004] AATA 1221) had previously been adopted by the Federal Court in its assessment of damages under the Sex Discrimination Act 1984 (Cth) in Hall v. A & A Shieban Pty Ltd FCA 72, where Wilcox J noted that:
“Damages for such matters as injury to feelings, distress, humiliation and the effect of the complainant’s relationships with other people are not susceptible to mathematical calculation […]. To ignore such items of damages simply because of the impossibility of demonstrating the correctness of any particular fear would be to visit an injustice upon a complainant by failing to grant relief in a proven item of damage.”
Given that the information disclosed in this case was sensitive information (i.e. health information), and taking the circumstances into account, the Commissioner considered that AUD 12,000 was an appropriate amount for non-economic loss.
In addition, the Commissioner awarded damages for economic loss covering the complainant’s legal costs in prosecuting the complaint and the cost of obtaining a psychiatric report. In assessing the legal costs to be reimbursed, the Commissioner noted (and we expect this to be the formula followed in future determinations):
“There is no firm rule as to what costs would be allowed on assessment and it is generally accepted that party/party costs will be assessed in the range of 40% to 60% of solicitor-client costs, and indemnity costs will be between 60% and 80% of the solicitor-client costs.”
In this case the Commissioner awarded the complainant 40% of their legal costs in prosecuting the complaint (i.e. AUD 3,200). This is the first time this ‘formula’ has been used by the Commissioner, and the first time a complainant has had enough legal assistance with a complaint to warrant the reimbursement of part of their legal costs. We expect legal representation in complaints to become more common given the notifiable data breaches (i.e. mandatory data breach notification) amendments to the Privacy Act (effective from 22 February 2018) and the increasing likelihood of ‘class complaints’ organised by plaintiff lawyers.
While the determination does not discuss when indemnity costs (i.e. 60% to 80% of a complainant’s legal costs) might be in play, we believe this may become relevant for the most egregious breaches of the APPs, or where the respondent is tardy in responding to or addressing the unauthorised disclosure, especially where the information in question is health information.
This is timely guidance on when and why the Commissioner will award economic and non-economic loss, and on the likely amounts, especially in the case of health or other sensitive information. The determinations and the damages principles emerging from them should be carefully considered in planning for possible future data breaches (which include accidental unauthorised disclosure) and the likely significant financial impact of such breaches on organisations and agencies.
For example, in the case of a class complaint regarding a health information data breach affecting 500 individuals where the Commissioner finds breaches of the APPs, even a conservative award of AUD 10,000 non-economic loss and AUD 5,000 legal costs per individual adds up to AUD 7.5 million in total damages, before any civil penalty of up to AUD 1.8 million for a serious or repeated interference with privacy is considered.
Clearly, if you deal with health information, privacy compliance is no longer something that your agency or organisation can ignore.
Alec Christie Partner and Member of the Digital Health Legal Editorial Board
EY Law, Sydney