
Privacy Law & Policy Reporter --- "Cases and complaints" [2004] PrivLawPRpr 29; (2004) 11(2) Privacy Law and Policy Reporter 40

Cases + complaints

All decisions noted, except those of the Victorian Commissioner, are available on AustLII <http://www.austlii.edu.au> by the citation given, unless otherwise stated. (General Editor)

Commissioners’ reporting practices

Australia’s privacy Commissioners continue to improve their practices of reporting significant complaints. The Victorian Commissioner has now released his first ten Case Notes and they give significant guidance as to his interpretation of the Victorian legislation and the remedies which may result from conciliation (including a $25,000 compensation payment in one case). They contain sufficient detail of the legislative provisions considered, but are still in a readable (almost journalistic) style. In the absence as yet of decisions on the Act by the Victorian Civil and Administrative Tribunal (VCAT) they are the best guide to the Act’s implementation.

The Federal Commissioner has also recently released ten Case Notes. At first glance they are disappointing, comprised mainly of a catalog of the various ways by which the Commissioner may refuse to investigate complaints under s41 of the Privacy Act 1988. It is important that the Commissioner document representative examples of these complaints, as it is by this means (s41 decisions) that the majority of complaints received by the Commissioner are dealt with. The Commissioner’s Office should be commended for making a serious effort to make their office practice (and the interpretations of the Act on which it depends) more transparent.

Nevertheless, it is fair comment that of the fifteen complaints reported by the Federal Commissioner so far this year, none resulted in a payment of compensation or a major change of an organisation’s practices. At best the reported complaints have resulted in a reduced access charge, an apology and some relatively small changes in respondent’s practices. Nor is it the case that significant remedies are instead resulting from Determinations under s52: the only such determinations this year are reported below (re ACT JACS) and in (2004) 11 PLPR 14 (re TICA). These Case Notes are self-selected by the Commissioner’s Office, so it seems reasonable to assume that if there were complaints that resulted in significant compensation payments or significant changes to respondent practices, they would have been included. The cumulative impression created by the Case Notes is that all of the complaints made to the Federal Commissioner are still resulting in virtually nothing by way of significant organizational change or remedies to complainants. It is not surprising that the Privacy Act 1988 is not taken very seriously if this is all that it produces – or at least all that the Commissioner’s Office shows that it produces.

Graham Greenleaf (General Editor)

Kadian v Richards [2004] NSWSC 382

Campbell J, NSW Supreme Court; 22 June 2004

Application of NPPs (s16A) – onus to prove non-existence of approved privacy code (s16A(2)) - Privacy Act 1988 (Cth)

Health Records and Information Privacy Act 2002 (NSW) – Health Privacy Principles not to be taken into account in civil action (s71) – concurrent operation with federal privacy law - s3 Privacy Act 1988 (Cth)

This case principally concerned doctor-patient confidentiality under the general law and the circumstances under which it may be waived. Those aspects of the case will be discussed in a subsequent issue of PLPR.

The plaintiffs also relied upon the Privacy Act 1988 (Cth), as providing a statutory basis for a medical practitioner’s obligation of confidentiality. The medical practitioners concerned constituted an ‘organisation’ under s6C. Such private sector organisations are required to comply with the National Privacy Principles (NPPs) by the terms of s16A(2):

“To the extent (if any) that an organisation is not bound by an approved privacy code, the organisation must not do an act, or engage in a practice, that breaches a National Privacy Principle.”

Campbell J held that the evidence did not allow him to find that the medical practitioners were bound by the NPPs because they ‘come into play only to the extent that there is no such approved privacy code binding an organisation.’ ‘If the plaintiffs wanted to establish that the doctors were bound by a National Privacy Principle, they would bear the onus of showing that there was no approved privacy code binding the doctors. Any party that wishes to assert a negative proposition bears the onus of proving that negative’ (applying Gustav Adolph Abrath v The North Eastern Railway Company [1886] UKLawRpAC 15; (1886) 11 App Cas 247). Here, it has not been established in evidence that there is no approved privacy code that binds the doctors.

The Court also considered whether the Health Records and Information Privacy Act 2002 (NSW) (“HRIP Act”) provided a statutory basis for an obligation of confidence between doctor and patient. Campbell J held that the Privacy Act 1988 (Cth) s3, allowing concurrent operation of State or Territory laws ‘with respect to the collection, holding, use, correction, disclosure or transfer of personal information’ means that s109 of the Constitution does not prevent the HRIP Act from applying to doctors (even though the Privacy Act 1988 may also apply to them). However, he held that s71(1) of the HRIP Act which provides that ‘Nothing in this Act gives rise to, or can be taken into account in, any civil cause of action’ prevents any part of the HRIP Act from providing a statutory basis for an obligation of confidence in these proceedings.

Comment

This decision is important to any litigation involving allegations of breaches of the Privacy Act 1988 by a private sector organisation. The party alleging such breaches bears the onus of establishing that there is no approved privacy code binding the private sector organisation in question.

The judgment in Seven Network v MEAA [2004] FCA 637 (see (2004) 11 PLPR 12), the only decision to date to find such a breach of the NPPs, does not discuss this issue.

Graham Greenleaf (General Editor)

Jadon Place [2003] QBCCMCmr 25

Queensland Body Corporate and Community Management Commissioner

Effect on State or Territory laws with respect to personal information - s3 – disclosure required or authorised under law - National Privacy Principle (NPP) 2.1(g) - Privacy Act 1988

The applicant sought from the Body Corporate Committee of the body corporate of which she was a member (the owners of ‘Jadon Place’), a copy of the current list of owners appearing on the body corporate roll, and all details about them appearing on the roll. The request was in accordance with s205 of the Body Corporate and Community Management Act 1997 (Qld), which allows ‘interested persons’ to obtain a copy of a record kept by a body corporate.

The Body Corporate Committee argued that Commonwealth privacy legislation may exempt them from providing the roll to the applicant. Adjudicator DJ Reardon considered this a reference to s3 of the Privacy Act 1988 (Cth) which provides that ‘It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction, disclosure, or transfer of personal information ... and is capable of operating concurrently with this Act.’ In addition, NPP 2.1(g) does not prohibit disclosures ‘required or authorised by or under law’. The Adjudicator held that the Privacy Act did not prevent the disclosure of the personal information in the roll in accordance with the Queensland legislation.

Comment

The disclosure here was clearly authorised in terms of NPP 2.1(g), and so there was no need for interpretation of s3 to determine whether the law is ‘capable of operating concurrently’ with the Privacy Act. Where State or Territory laws affect the handling of personal information by private sector bodies in respect of matters other than disclosure (where NPP 2.1(g) will give them precedence) it may often be more difficult to determine whether they are capable of operating concurrently with the NPPs. State laws which require that less privacy protection be given than the NPPs require will be the main source of problems.

Graham Greenleaf, General Editor

B v Victorian Government organisation [2003] VicPCmr 2

Victorian Privacy Commissioner

Data security (IPP 4) - reasonable steps – disclosure (IPP 2) - disclosure of current address to former husband – Information Privacy Act 2000 (Vic)

Complainant, B, separated from C, and states that during her relationship she was physically and emotionally abused. B, fearful for her safety, changed her name by deed poll, and moved to an address that was unknown to anyone. B visited an office of respondent Victorian government organisation, G, to update her name and address details. She requested that G not disclose to anyone her new contact details, and received assurances from an employee of G.

C later made two requests to G to access B’s contact details. The first request was refused, but on the second request B’s contact details and new name were disclosed to C, contrary to G’s policies. On the same day B contacted G and discovered that C had accessed her personal details. B returned to her home to find a window had been forced open. B fled her home and went into hiding.

IPP 4 (security principle) requires an organisation to take reasonable steps to protect personal information from unauthorised disclosure. G acknowledged that its employee did not act in accordance with its business rules. G acknowledged that the disclosure to C was not authorised under IPP 2 (use and disclosure principle).

Conciliation by Privacy Victoria resulted in the following outcomes:

• G apologised to B for the action of its employee.

• G gave an undertaking to review its business rules and procedures concerning the protection of the residential addresses of persons who fear violence if they are located by someone who poses a threat to them.

• G agreed to pay B $25,000 compensation, reflecting both financial loss that B incurred as a result of fleeing her new home, and non-financial loss relating to her distress and continuing fear for her own safety.

(Edited by PLPR Editors from the complaint note published by Privacy Victoria – see www.privacy.gov.au for full text)

Comment

This complaint is significant solely as an illustration that improper disclosure of a person’s address can result in very substantial compensation ($25,000) in circumstances where the consequences of such disclosure are very serious, and (in this case) in the face of specific contrary requests by the complainant. It would be extremely difficult (and costly) to achieve a similar result through litigation (probably a breach of confidence action).

Graham Greenleaf, General Editor

Complainant v ACT Department of Justice and Community Safety (Complaint Determination 5 of 2004)

Australian Privacy Commissioner

IPP 11 (disclosure principle) - disclosures where ‘the individual concerned is reasonably likely to have been aware ... that information of that kind is usually passed to that person, body or agency’ (IPP 11.1(a)) - disclosures ‘required or authorised by law’ (IPP 11.1(d)) - Privacy Act 1988 (Cth)

Complainant X, while an employee of the ACT Department of Justice and Community Safety (JACS), made a public interest disclosure to the Australian Capital Territory Ombudsman under the Public Interest Disclosure Act 1994 (ACT) (the PID Act), alleging that JACS had failed to enforce provisions of the Liquor Act adequately in relation to offences concerning minors and associated issues of public safety. These were similar to allegations that X had previously raised internally with JACS.

The Ombudsman wrote to JACS concerning X’s public interest disclosure, but without identifying X. In response to this letter, a JACS officer telephoned officer A at the Ombudsman’s office and in the course of the conversation advised A that the JACS officer presumed the public interest disclosure was made by X and proceeded to disclose to A personal information about X. Later, the JACS officer telephoned another officer of the Ombudsman, B, wanting to brief B on the employment related issues which the JACS officer felt contributed to X pursuing the complaint. The personal information disclosed included that X had previously raised similar complaints internally, whether he held a bookmaker’s licence, his working relationships within JACS, internal grievance procedures between him and JACS, and whether he had sought voluntary redundancy.

The Privacy Act 1988 (Cth) applies to ACT agencies. JACS submitted that these disclosures by its officers fell within the exception in IPP 11.1(a) permitting the disclosure of personal information where ‘the individual concerned is reasonably likely to have been aware ... that information of that kind is usually passed to that person, body or agency’. The Commissioner considered that an experienced JACS employee involved in liquor licensing, such as X, would expect that some personal information concerning him (such as that he had raised similar complaints internally) might be disclosed to the Ombudsman. However, he would not expect that the other personal information would be disclosed to the Ombudsman. JACS argued that the disclosures were relevant to the Ombudsman determining whether the complaint was ‘frivolous or vexatious’, but the Commissioner considered that a reasonable person would not have such a degree of understanding of the Ombudsman’s legislation as to expect this.

JACS also submitted that exception IPP 11.1(d) permitting disclosures ‘required or authorised by law’ applied because s9(4) of the Ombudsman Act authorised the Ombudsman to ‘obtain such information from such persons, or make such inquiries, as he or she thinks fit’. The Commissioner considered that

“Any disclosure of personal information in these circumstances should be limited by a test of relevance. Without a test of relevance IPP 11 would be rendered nugatory as any general provision that provides authority to gather information would, in theory, permit the disclosure of virtually unlimited and unrelated personal information.”

Here, the Commissioner found that the information disclosed ‘was not relevant to the question of whether or not the PID was ‘frivolous, vexatious or not made in good faith’ and therefore was not authorised by law under IPP 11.1(d).’

The Commissioner determined that there was a breach of IPP 11 and that JACS should apologise to X. However, because the disclosures were only to two staff of the Ombudsman, and were not known more widely either within the Ombudsman’s office or the community, the Commissioner found that X could not demonstrate the damage to his reputation or his career prospects that he alleged. He made no determination as to compensation.

Comment

Who would be a whistleblower?

Although the disclosures here were only to two members of the Ombudsman’s staff, it would seem that they could have had the effect of undermining the complainant’s credibility as a whistleblower to that agency, through a breach of the Privacy Act. Since this was a s52 determination, the complainant was clearly not satisfied with an apology from the respondent. If an apology is the only sanction in complaints of this type, it is hard to see that there is any deterrent effect against agencies breaching the Act. It may be, as the Commissioner says, that the complainant could not prove damage to reputation, but a complete denial of any compensation does not seem to place much weight on the fact that s52(1A) says that compensable damage ‘includes injury to the complainant’s feelings or humiliation suffered by the complainant’. Although it will always require knowledge of the full circumstances of a particular complaint, it would seem that this provision could be used to allow at least modest (sometimes almost nominal) compensation in many circumstances where a breach of the Act has occurred, without need for the complainant to provide evidence of damage to reputation.

Graham Greenleaf, General Editor

O v Credit Provider [2004] PrivCmrA 5

Australian Privacy Commissioner

Commissioner declines to investigate because respondent had not had an adequate opportunity to deal with complaint - s41(2)(b) - Privacy Act 1988 (Cth)

A finance institution refused the complainant’s application to finance a business venture due to an overdue account (default) listed on his consumer credit file. Complainant had no knowledge of the default and immediately notified the credit provider of the listing. The credit provider removed the default listing three weeks later.

Several months later, complainant complained to the Commissioner that the credit provider had improperly listed the default and that he had suffered significant financial loss as a result and was seeking compensation on this basis. According to the complainant, he had paid the debt owed to the credit provider and was at no time sixty days in arrears. He alleged that the credit provider experienced a computer error and consequently listed the default.

Documents accompanying the complaint suggested, and complainant confirmed, that the respondent was not aware that the complainant was seeking compensation. After discussion with the Commissioner’s Office, both parties agreed to attempt to resolve this matter before the Privacy Commissioner became involved. Commissioner declined to investigate, under s41(2)(b), on the basis that the respondent had not yet had an adequate opportunity to deal with the compensation aspect of the complaint. Commissioner informed complainant that if he wished to pursue compensation under the Act he would have to make that request in writing to the respondent and give the respondent thirty days to respond before returning the complaint to the Commissioner. The Commissioner has not been asked to reconsider this complaint.

(Edited by PLPR Editors from the complaint note published by the Office of The Federal Privacy Commissioner – see www.privacy.gov.au for full text)

Comment

Although the complainant had complained directly to the respondent, the Commissioner refused to investigate, under s41(2)(b), because the complainant had not raised the specific issue of compensation with the respondent.

If this meant that a complainant lost his or her ‘place in the queue’ after waiting (say) six months to have their complaint dealt with by the Commissioner, because they had not raised every specific issue with the respondent even though they had raised the substance of the complaint with the respondent, it would be very unfair and would deter justified complainants.

The Commissioner’s Office has informed PLPR that it has a number of procedures to avoid this problem. First, it has what is in effect a triage system where complaints are assessed when first received, and if a complainant has not first complained to the respondent, the complaint is (usually) declined until this occurs. However, wherever investigation is declined but the complainant later returns to the Commissioner’s Office having complained to the respondent (or for other reasons), the complainant’s ‘place in the queue’ is dated from his or her initial approach to the Commissioner.

Second, although the Commissioner’s Office does expect the complainant to make a reasonable effort at raising their key issues with the respondent (and will refuse to investigate if this has not occurred, as here), if some lesser aspect of the issue had not been raised with the respondent, the Office would give the respondent the opportunity to consider the issue in the course of the investigation (thus satisfying s40(1A)) rather than requiring the complainant to go back to the respondent directly.

Graham Greenleaf, General Editor

N v Internet Service Provider [2004] PrivCmrA 10

Australian Privacy Commissioner

Commissioner declines to investigate on the basis that complainant did not first complain to the respondent - s40(1A) - Privacy Act 1988 (Cth)

Complainant alleged that while he was out of the country his estranged wife contacted his internet service provider and accessed his internet account. Complainant alleged possible breaches by his internet service provider (ISP) of NPP 2 (improper disclosure) and NPP 4.1 (failure to take reasonable steps in relation to security). The complainant alleged that this resulted in his account information being available to his estranged wife and her partner, that he was denied access to personal and business emails, and that the email account was used to send defamatory messages.

Section 40(1A) does not allow the Commissioner to investigate a complaint if the complainant did not complain to the respondent before making the complaint to the Commissioner. However, the Commissioner may decide to investigate the complaint if he or she considers that it was not appropriate for the complainant to complain to the respondent.

The complainant did not claim that he had written to the ISP about the issues he had raised or why it would not be appropriate for him to do so.

The Commissioner also has a discretion under section 41(2)(b) of the Act not to investigate a complaint that has been made to the respondent if it has not had an adequate opportunity to deal with the complaint. The Commissioner takes the view that it is reasonable to allow a respondent a period of thirty days within which to deal with the complaint.

Here, the Commissioner declined to investigate, under s40(1A). The complainant was advised to complain directly to the ISP, and that if it did not respond within thirty days the Commissioner would reconsider the complaint. The complainant has not returned this matter to the Commissioner.

(Edited by PLPR Editors from the complaint note published by the Office of The Federal Privacy Commissioner – see www.privacy.gov.au for full text)

Comment

From the above two complaints, it seems that in almost all cases it will be necessary for a complainant, before complaining to the Commissioner, to complain to the respondent, raising all key issues (including remedies claimed), and allowing thirty days for a reply.

Graham Greenleaf, General Editor

S v Various Commonwealth Agencies [2004] PrivCmrA 8

Australian Privacy Commissioner

Access to and correction of personal information held by a Commonwealth government agency - Information Privacy Principles (IPPs) 6 and 7 - Commissioner declines to investigate on the basis that another law provided a more appropriate remedy - s41(1)(f) - Privacy Act 1988 (Cth)

The complainant sought to access and correct her personal information held by a number of Commonwealth government agencies, and alleged that some of the agencies concerned had refused to amend her records.

IPP 6 in the Privacy Act gives individuals the general right to access their personal information in a record held by a Commonwealth government agency and IPP 7 provides individuals with the general right to have this information updated or amended where it is inaccurate. Both IPPs 6 and 7 are subject to the provisions of other Commonwealth laws, including the Freedom of Information Act 1982 (Cth) (FOIA).

Further, under s 41(1)(f) of the Privacy Act, the Commissioner may decline to investigate a complaint where another Commonwealth, State or Territory law provides a more appropriate remedy for the act or practice.

Here, the complaint was declined under section 41(1)(f) of the Privacy Act on the basis that the matter would be more appropriately dealt with under the FOIA. The complainant was advised that issues regarding access to or correction of personal information should be directed in the first instance to the agency holding the personal information, and that subsequent complaints about the handling of FOI requests by agencies, including complaints regarding the refusal of a request for access or correction, should be referred to the Commonwealth Ombudsman or the Administrative Appeals Tribunal.

(Edited by PLPR Editors from the complaint note published by the Office of The Federal Privacy Commissioner – see www.privacy.gov.au for full text)

Comment

This approach may be sound in cases (possibly including this one) where the complainant does not claim compensation or any other remedy beyond access and correction. However, where a complainant does (say) claim compensation then it is impossible for a referral to the AAT or the Ombudsman to provide a more appropriate remedy, since (unlike the Privacy Commissioner) they have no power to make determinations as to compensation. Because the Commissioner requires that complainants specify the remedies they seek at the outset of a complaint (see O v Credit Provider [2004] PrivCmrA 5 discussed above), it is possible for the Commissioner to deflect access and correction complaints unless a complainant explicitly seeks an apology, compensation or some other remedy. However, this makes it imperative that complainants are aware of this practice when lodging a complaint. In this case the complainant alleged that a number of agencies had already refused to correct her records. Was she asked whether this had caused her any loss or damage (including humiliation) for which she sought an apology or compensation?

Graham Greenleaf, General Editor
