A notable feature of Timothy Pilgrim’s tenure as Privacy Commissioner has been his willingness to make determinations awarding compensation. At the end of March 2015, the Commissioner published his reasons for making another determination in which compensation was awarded.

Some facts and figures on compensation under the Privacy Act

With Privacy Awareness Week in the Asia Pacific coming upon us (3-9 May), I thought it would be valuable to reflect on the history of determinations by the Australian Privacy Commissioner involving the award of compensation.

For more than 20 years, Commissioner Pilgrim’s predecessors generally declined to make such determinations, with only three determinations awarding compensation being made under section 52 of the Act between 1988 and 2011[1]. In fact one of those three determinations, which has served as the precedent establishing the ‘going rate’ for awards of compensation under the Australian Privacy Act, is a 2004 decision of the Administrative Appeals Tribunal in which the Tribunal decided that the (then) Commissioner had got it wrong by deciding not to award compensation.[2]

Including the March 2015 determination, there have been seven determinations since 2011 in which Commissioner Pilgrim has decided to award compensation[3].   This is not exactly an avalanche of cases (roughly two per year), nor is the quantum of individual awards especially high – the largest has been $18,000, with the average (mean) being a little under $8,000. But it is indicative of a Commissioner who is prepared to use enforcement powers that are available to him under the legislation, even if the vast majority of complaints which come before him are conciliated or otherwise resolved.

There is no doubt in my mind that the making of the determinations and the associated publication of reasons have assisted practitioners to understand the manner in which the Commissioner interprets the Act in a way that is often more valuable than the publication of guidelines of general application. Commissioner Pilgrim remarked at a recent event I attended that his experience has been that the practice of making determinations from time to time has encouraged conciliation in other matters. Given that Commissioner Pilgrim held the position of deputy Commissioner for many of the years in the era in which determinations were rarely made, he has a unique insight into the comparative advantages of the two approaches to administration of the Act.

It is notable that all of Commissioner Pilgrim’s determinations involve conduct which occurred prior to March 2014, when the amendments to the Australian Privacy Act commenced. Those amendments changed the substantive obligations imposed on entities regulated by the Act (albeit in an evolutionary, rather than revolutionary, way), and also conferred new enforcement powers on the Commissioner.

It seems likely that there are still quite a few complaints received by the Commissioner regarding conduct prior to March 2014 which are working their way through the system. The 2013-14 annual report of the Office of the Australian Information Commission (covering the 12 month period ending on 30 June 2014) disclosed that the Privacy Commissioner received substantially more complaints during 2013-14 than were closed in that period (4239 received but only 2617 closed), whereas in previous years the number of complaints received and closed were roughly equal. So it may be that it will take until the end of 2015, or even later, to see determinations being made about conduct that occurred post March 2014.

The EZ and EY determination

Turning to the recent determination, there are a couple of noteworthy features.

First is the (extended) chronology of events. The conduct complained of took place in November/December 2006, The complainant was found to have become aware of the conduct in about November 2009. The Commissioner’s reasons for determination do not reveal when the complainant first lodged a complaint against the respondent (an individual medical practitioner). A formal complaint under section 36 of the Act was made to the Commissioner in December 2011 (approximately two years after the complainant first became aware of the conduct). And it then took over three years for the Commissioner’s office to reach a determination of the matter.

At first blush, it is difficult to understand why the Commissioner’s office did not refuse to investigate the matter under section 41(1)(c) of the Act (which gives the Commissioner the discretion to decline to investigate if a complaint under section 36 is “made more than 12 months after the complainant became aware of the act or practice”). Any process involving the making of factual findings about events which occurred more than eight years prior to making the final decision, as occurred in this instance, will be challenging, no matter how egregious the alleged contraventions appear to be.

Second, the determination serves as a warning for medical practitioners who interact with law enforcement officers. Medical practitioners (and the medical centres they work in) should review their policies so that practitioners understand when it is, and when it is not, appropriate to disclose patient information to law enforcement officers without patient consent. In my view, the Commissioner’s overriding sentiment in this matter is revealed by the following passage of the reasons for determination (at [79]):

“it is my view that insufficient consideration was given to the obligations imposed on health providers to protect an individual’s health information, and the need for rigour in considering when it was permitted to disclose that information as articulated in various policies [and] guidelines”

Here a police officer had visited the complainant’s house to investigate a neighbourhood dispute. The officer was sufficiently concerned about the complainant’s behaviour to call the complainant’s treating doctor to ask whether the complainant was “psychotic”. It was the doctor’s response to this query which led to the Commissioner finding that there had been contraventions of the disclosure principle (NPP 2) and the security principle (NPP 4). The doctor’s initial response was to advise the police officer that it was possible that the complainant was psychotic but that further assessment was needed to reach that conclusion. Some written correspondence followed. The patient’s consent was not sought or obtained. The doctor sought to rely on a number of exceptions to the disclosure principle to justify the disclosure that occurred, each of which was rejected by the Commissioner, as follows:

  • there was insufficient evidence to establish that the doctor reasonably believed that the disclosure was necessary to prevent or lessen a serious and imminent threat to the patient’s life, health or safety. This was essentially because the doctor was unable to prove the existence of any specific threat to health or safety of the patient or the public (there was no filenote held by either the doctor or the police officer indicating why the police officer had asked for the information, for example in connection with the investigation of a specific offence), and the relevant discussion with the police officer occurred several days after the police officer had been a the house, indicating that a threat was not imminent;
  • there was insufficient evidence to establish that the treating doctor had reason to suspect that unlawful activity had occurred, so it was not possible that the disclosure could have been made “as a necessary part of the doctor’s investigation of [unlawful activity] or in reporting her concerns to relevant persons or authorities”;
  • there was no evidence that the disclosure was required or authorised by or under law (there was no warrant, unlike the case of Jones v Privacy Commissioner which is the subject of an earlier blog); and
  • there was insufficient evidence to demonstrate that the doctor reasonably believed that the disclosure was reasonably necessary for the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law.

As to the security principle (NPP 4, now APP 11), the Commissioner found that there was no evidence to suggest that the doctor questioned the police’s reasons for asking about the patient. He then decided that the security principle, which requires regulated entities to take reasonable steps to secure personal information from unauthorised disclosure, obliges each regulated entity to consider rigorously whether or not that entity is permitted to disclose information in the circumstances at hand. In this case, the doctor’s failure to inquire why the police wanted to know about the patient meant that the doctor was not in a position to consider whether the disclosure was permitted and, thereby, contravened the security principle.

The Commissioner did, however, find that there had been no contravention of the accuracy principle (NPP 3, now APP 10) – when the doctor disclosed information to the police, she made clear that it had been some time since she had seen the patient, and that the patient’s circumstances may have changed.