The Power of Together
2017-18 Privacy Law Update

Contents
3 Mandatory data breach notification (or, the opening of the floodgates)
5 GDPR (or, the reason for all those updated privacy policies in your inbox)
7 Changes afoot at the Commissioner’s office
8 Investigations and determinations
12 New fuel for an old flame: a tort of privacy?

Welcome
In this update we take a look at some of the notable developments that have captured the attention of privacy law enthusiasts in Australia over the past 12 months.

2018 marks the 30th anniversary of the federal Privacy Act and, befitting this anniversary, the past year has seen a number of significant developments in this area of law both in Australia and around the world. These include the commencement of the EU General Data Protection Regulation and, closer to home, the long-awaited implementation of a mandatory notifiable data breach scheme in Australia.

More generally, there is increasing recognition that protection of privacy is a key public policy issue, and continued scrutiny from media and public alike has pushed privacy compliance higher on the agenda for many organisations in Australia. Data governance, cyber security and privacy are increasingly accepted as issues deserving of board-level attention for Australian companies.

We hope that this publication helps provide some useful background to the year that was in privacy law. If you would like to understand how any of the issues discussed below may affect your organisation, please get in touch with one of KWM’s privacy experts.

Michael Swinson, Partner
T +61 3 9643 4266
M +61 488 040 000

Cheng Lim, Partner
T +61 3 9643 4193
M +61 419 357 172

Patrick Gunning, Partner
T +61 2 9296 2170
M +61 418 297 018

With thanks to Cal Samson and Lachlan Sievert for their contributions.
Mandatory data breach notification (or, the opening of the floodgates)

Background
Changes to the Privacy Act to implement a new mandatory data breach notification scheme came into effect on 22 February 2018.

This development was a long time in the making. A mandatory breach notification scheme was first proposed in a lapsed 2013 bill under the Gillard government, and was revisited a number of times in the following years before the present scheme was eventually passed in 2017 through the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth). Twelve months later, the law finally came into effect.

You can read some more about the history of the scheme, and the various iterations that preceded it, on our website: www.kwm.com/en/au/knowledge/insights/mandatory-data-breach-notification-bill-enacted-australia-20170215

Key concepts
The scheme applies in relation to “eligible data breaches” being incidents where either:
- there is unauthorised access to, or unauthorised disclosure of, information and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
- information is lost in circumstances where such unauthorised access, disclosure and serious harm is likely to occur.

In non-legalese, that means only incidents that are likely to result in some serious harm to individuals affected need to be notified. The concept of “serious harm” is not defined in the Privacy Act, but the relevant Explanatory Memorandum flags that it could include physical, psychological, emotional, economic and financial harm. However, while an affected individual might subjectively be distressed or otherwise upset by an incident, this may not of itself indicate that a notification is required, as the relevant assessment is what a reasonable person in the entity’s position would consider to be the likely result of a breach.

The Privacy Act sets out a long list of factors that should be taken into account when determining the likelihood of serious harm – including the kind of information involved, the sensitivity of the information, who has accessed it, and any security measures or encryption used – however, ultimately it will be a matter of judgement in each case whether a particular breach, in all the relevant circumstances, triggers the notification requirements. This type of judgement can be hard to make instantaneously, particularly before all relevant facts about an incident are known. However, the scheme does allow entities a reasonable time to conduct an assessment as to whether or not a particular incident qualifies as an eligible data breach before requiring a notice to be issued.

A few other interesting things to note about the scheme:
- while notifiable incidents are referred to as “breaches” this could be considered somewhat misleading as an entity may need to issue a notification in relation to an incident even if technically it has not breached privacy laws. For example, a notification may be required where a hacker manages to access data held by an entity, even though the entity has discharged its legal duties by implementing reasonable security protections for that data; and
- an information record may be simultaneously held by two entities so that each of them are, technically speaking, separately obliged to issue a breach notice where there is an incident affecting that record. A common example of this is where a cloud service provider stores information for a customer, in which case both the service provider and the customer may be deemed to be holding the information on the cloud system. Where this scenario arises, the parties in question should ideally agree in a contract how they will manage their notice obligations, as the scheme provides that one notice between the two will be sufficient. In most cases, the entity that has the closest connection with the affected individuals should take the lead on the notification as they will have most at stake.

© King & Wood Mallesons
Early outcomes
According to a report issued by the Office of the Australian Information Commissioner, in the first 6 weeks that the new scheme was in operation, the Commissioner received 63 data breach notifications. This compares with 114 voluntary notifications received in the entire 2016-17 financial year. So while voluntary notification has long been encouraged by the Commissioner, and was certainly not uncommon prior to the mandatory scheme coming into force, clearly the scheme is driving more organisations to report data incidents.

The Commissioner’s most recent quarterly report – which is the first to cover three full months of the scheme’s operation, from 1 April to 30 June – showed a continuing increase in the number of data breach notices (242 over the three month period). The report also provides some further interesting insights. For example, a significant proportion (93 out of 242) of reported breaches involved the personal information of fewer than 10 individuals, and the vast majority (200 out of 242 breaches) involved the personal information of fewer than 1000 individuals. These statistics reflect that the seriousness of a data breach cannot only be measured by the number of people affected, and that a breach that has a potential serious impact on a small number of people may still need to be notified – indeed 51 breaches notified involved the information of just a single person.

Health services and finance are the industry sectors which have seen the largest numbers of breach notifications so far – but it’s not clear whether this is due to a greater number of breaches in these areas, or only a heightened awareness of record-keeping and data security in industries that deal with particularly valuable or sensitive information.

Interestingly, human error (as opposed to malicious attacks or system faults) accounted for 36% of the reported breaches, which illustrates that organisational processes and training to guard against mistakes and slip-ups are just as important as advanced cyber security defences when it comes to protecting against data breaches.

Perhaps unsurprisingly to security experts, phishing and compromised or stolen credentials made up the largest portions of ‘cyber’ malicious or criminal attacks, which again emphasises the human and organisational aspects to data breach protection. After all, it takes two for many of these attacks to work – the malicious actor and the individual who falls into the trap.

Practice tips
- Organisations need to be aware that they may now be obliged by law to issue notifications to the OAIC and to affected individuals where they experience a data breach.
- The notification obligations are not restricted to mass breaches – a notification may be required for a breach that only affects a small number of people, if the breach is likely to result in some serious harm to those people.
- In order to be confident of being able to discharge these new notification obligations, organisations should put in place a data breach response plan that allocates clear lines of responsibility for identifying and managing data breach incidents. This plan should identify how all relevant stakeholders – including management executives, legal advisers, IT staff and the communications team – will be involved in responding to an incident.
GDPR (or, the reason for all those updated privacy policies in your inbox)

Background
The biggest news in the privacy world in the past year has undoubtedly been the commencement of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data – more commonly known to us all as the General Data Protection Regulation or the GDPR.

The GDPR replaces the European Directive 95/46/EC and carries on many of the concepts present in that Directive. However, there are some notable and crucial differences. In particular, unlike the Directive, the GDPR is automatically binding in all member states of the EU and does not depend on local legislation to be implemented in those states (though there are some aspects of the GDPR that are still open to individual countries to vary the rules, including where it comes to national security). In addition, the GDPR has expanded extra-territorial effect and will apply to any entity that:
- has an “establishment” in the EU, which may potentially be through some relatively incidental connection with the EU such as the presence of a few employees or sales agents in the EU; or
- processes personal data about data subjects in the EU either in connection with offering goods or services to those data subjects (effectively targeting products to EU customers) or monitoring the behaviour of those data subjects (effectively tracking or profiling individuals in the EU).

This has led to a degree of speculation and concern about how the GDPR will apply to online businesses that are operated outside the EU but accept orders from customers around the world. If a customer happens to be located in the EU, will the website operator be caught by the GDPR? This question is yet to be tested, but most commentators agree that simply because a website is accessible by an EU resident will not make the website operator subject to the GDPR. Rather, the test will be whether the website operator is actively targeting EU customers – indicators of this may be if the website is translated into an EU language, if the website accepts payment in EU currency, if a large proportion of the website’s customers are in fact based in the EU, or if the website operator conducts targeted marketing to EU customers (such as through newspaper or other media advertisements in an EU country). Nonetheless, it is clear that the scope and reach of the GDPR has caught the attention of many global businesses.

Key concepts
The GDPR is a complex and relatively prescriptive privacy law. As flagged above, it continues many of the concepts of the previous Directive, which will be familiar to those with previous experience of EU data protection law. While it is not practical in the space of this update to cover all important features of the GDPR, a few worthy of note are:
- the GDPR applies to “processing” of “personal data” where these terms are given very broad meanings – for example, processing includes any operation performed on personal data (including collection, storage, use, and disclosure) and personal data includes any information relating to an identified or identifiable person (including specifically online identifiers such as IP addresses – in Australia, there is an argument that an IP address on its own is not personal information regulated by the Privacy Act as it relates to a device rather than to an individual user);
- the GDPR applies different compliance obligations on data “controllers” and “processors” where a controller is an entity that determines the purposes and means of the processing of personal data and the processor is the entity that processes personal data on behalf of the controller. Generally the obligations on controllers are more onerous and prescriptive, though compared to the Directive there are now more direct obligations on processors as well. Where the GDPR applies in the context of a contractual relationship it will be important to clarify the roles that each party will fulfil (i.e. which is the controller and which is the processor, or indeed if they are both controllers for the data or both processors with a third party acting as the controller);
- there are a relatively narrow range of bases on which processing of personal data will be lawful under the GDPR – including where the processing takes place with the consent of the data subject or where it is necessary for the purposes of “legitimate interests” pursued by the data controller. While there may be some uncertainty about the scope of an entity’s legitimate interests, it will not be practical to over-rely on the consent exception, as the GDPR sets the bar for effective consent quite high. In particular, a consent must be “freely given, specific, informed and unambiguous indication of the individual’s wishes” that must be given in a statement or other “affirmative action”. This is likely to be a difficult standard to satisfy, and passive or opt-out consents are unlikely to be effective given the requirement for affirmative action. Written consents bundled with other contract terms or information may not be effective, and data subjects must be able to withdraw their consent at any time; and
- data subjects are given a range of new rights under the GDPR, including most notably the “right to be forgotten” by requiring controllers to erase personal data that is no longer needed for the purposes for which it was collected and the “right to data portability” by requiring controllers to provide certain personal data they hold in a machine readable format directly to other controllers, which will help customers transfer between data processing services. In Australia, data portability has also been a key focus, with the Government having undertaken to introduce an open data sharing regime for the banking sector next year, with other industries to follow. Increased sharing of data is expected to lead to fiercer competition between service providers and other consumer benefits, though could also give rise to security and fraud risks if not properly monitored and controlled.
GDPR in operation
The GDPR has only been in effect for a few months, so it is perhaps premature to pass comment on how well it is working in practice.

However, it is interesting to note the flurry of activity shortly before and after it came into effect – even the most passionate privacy lawyer would have grown sick of seeing updated privacy statements pop up in our email inboxes towards the end of May – which suggests that many companies were leaving their compliance efforts to the last minute. For a law that was first drafted in 2012 and formally adopted in 2016, allowing a lead time of almost 2 years to prepare for its commencement on 25 May 2018, there really should have been no excuse for delays in complying. However, the flurry of activity may be explained by the fact that many international businesses are still uncertain as to the extent to which they are subject to the GDPR and also the way in which the GDPR may apply to some of their data processing activities. This will hopefully become clearer as data protection authorities in the EU start to enforce the GDPR in practice.

It will also be interesting to keep an eye on the lawsuits filed by Austrian privacy activist Max Schrems against Google and Facebook on the first day the GDPR came into force. Depending on how these claims play out, they may provide useful guidance for others caught by the GDPR. In any case, there is no doubt that any claim brought under the GDPR against a global company is likely to gather significant attention given the size of the potential maximum penalties, being the greater of €20 million or 4% of total worldwide annual turnover (clearly a massive figure for entities the size of Google and Facebook). This makes the GDPR a sizeable stick for data protection regulators to wield.

Practice tips
- If you do business outside Australia, you should consider whether the GDPR may apply to your activities. The GDPR will not apply just because you have a website that is accessible to EU residents or because some of your customers in Australia happen to have EU citizenship. However, if you target customers based in the EU then you may well be caught.
- If you think that you may be caught by the GDPR then you should seek advice on how to apply. As mentioned above, the GDPR is a highly complex law and understanding how all of its features, together with their unique exceptions and quirks, may impact on your business could be a significant undertaking.
- Many multinational IT service providers and other businesses may look to adopt the GDPR as their de facto compliance standard worldwide, even in jurisdictions where the GDPR does not apply (as it may be easier for them to apply a single standard to their global operations). So do not be surprised if you see GDPR-style terminology – including concepts such as data controllers and data processors – appearing in your service provider contracts.
Changes afoot at the Commissioner’s office

Retirement of Timothy Pilgrim
On 23 March 2018, Timothy Pilgrim retired as the Australian Information Commissioner and Australian Privacy Commissioner, having commenced these positions in 2010 and 2015 respectively. In these roles heading up the joint Office of the Australian Information Commissioner (OAIC), Mr Pilgrim spearheaded numerous privacy law reforms, including major amendments to the Privacy Act in 2014 as well as the introduction of the mandatory notifiable data breach regime earlier this year (as discussed above).

Beginning on 24 March 2018, Angelene Falk has been Acting Australian Information Commissioner and Acting Australian Privacy Commissioner. Ms Falk had previously worked as Deputy Commissioner of the OAIC since 2007 and, before joining the OAIC, worked in anti-discrimination for various organisations as a lawyer, policy adviser and educator.

It is still unclear whether Ms Falk will be confirmed in the role permanently, or if an outside replacement will be found. However, while she is in the role, Ms Falk is expected to continue a holistic approach to privacy, and has stated in media interviews that she believes privacy requires more than mere compliance with privacy laws, but also acting in accordance with community expectations. In dealing with the personal information of Australian citizens, Ms Falk has said she believes organisations should see themselves as “trusted custodians”, implementing proactive policies and business practices that embed privacy. On this basis, Australian businesses should consider adopting a proactive approach to privacy compliance in order to find favour with Ms Falk.

New guidance
From time to time the OAIC publishes detailed advice and guidance on specific aspects of privacy law. While not legally binding, this guidance is nonetheless a very useful layer of detail on how the regulator interprets the law and the kinds of practical steps towards compliance which organisations might take.

Along with guidance notes on aspects of data breach notification, the most significant new information released on this front in the past year has been two substantial new guides – “De-identification and the Privacy Act” and “Guide to Data Analytics and the Australian Privacy Principles”. These guides cover topics of increasing relevance to businesses seeking to extract value from their existing data through big data analytics, while avoiding any potential privacy compliance concerns. The two topics are clearly closely connected – in fact the OAIC’s first ‘best practice’ recommendation for data analytics is to use de-identified data where possible. Other important things to note are:
- De-identification guide: The key principle reflected in the de-identification guide is that re-identification risk is contextual. That is, data can only be treated as having been de-identified when the risk of an individual being re-identified in the data is very low in context. This involves not only considering the data itself (e.g. whether certain details have been removed) but also the scope of the release and the environment the data is released into (e.g. whether the data has been released to the general public at large, or only to a smaller controlled group). The guide on de-identification sets out details on when the OAIC considers information to be de-identified for the purposes of the Privacy Act, and explores different de-identification techniques with views on how to select the most appropriate technique for different use cases. The de-identification guide should be read in tandem with The De-identification Decision-Making Framework, a joint publication of the CSIRO’s Data61 and the OAIC, that was prepared with input from the Australian Bureau of Statistics and the Australian Institute for Health and Welfare. That document provides a framework to identify risk factors and understand processes associated with de-identification, as well as details on impact management.
- Data analytics guide: This guide is divided in two parts – first a general discussion of how to take a privacy by design approach to data analytics practices, and then second a deeper dive into how specific APPs may apply to different data analytics practices. The second part in particular contains direct and practical tips and highlights where the OAIC sees the key compliance risks arising in this area. One general point which is raised several times in the guide is the use of easy to read/view, and easy to understand, ‘just-in-time’ privacy notices to keep individuals informed about data analytics activities, as the OAIC recognises that many people don’t read privacy policies. Often issues will arise where individuals are ‘surprised’ by how their data has been used as part of a data analytics program, which may reflect that they were not appropriately informed about the data management practices of the entity that has collected their information. This is potentially an area where it is better to err on the side of ‘over-communication’ in order to maintain user trust.

The guides mentioned above, along with other useful guidance materials produced by the OAIC can be found on the OAIC’s website. The website was updated at the start of the year to make it more accessible, introducing new publications and a new menu layout. An overview of how to navigate the new website can be found at: www.oaic.gov.au/new-website-help.
Investigations and determinations

Investigations
Over the past year, the OAIC has published 3 reports of Commissioner-initiated investigations – two on the September 2016 data breach of prospective blood donor information from donateblood.com.au, and one on the Department of Health’s August 2016 release of a large amount of purportedly de-identified health data. Each of these provides some useful lessons for other organisations about the Commissioner’s attitude on a number of important issues:
- Red Cross investigation: The Commissioner conducted two related investigations in relation to breaches affecting information about blood donors: one into the Australian Red Cross Blood Service and one into Precedent Communications Pty Ltd (who managed the donateblood.com.au website for the Red Cross). The investigations related to a back-up file containing a database of about 550,000 prospective blood donors that was inadvertently saved to a public web server – a ‘one-off’ human error by an employee of Precedent Communications. Each investigation found there had been a breach of APP 11 on security, and the investigation into Precedent Communications found a breach of APP 6 on disclosure as well. The key Red Cross breach of APP 11 was due to the absence of ‘contractual measures or other reasonable steps’ to ensure that its third party contractor was following adequate security measures. The message is that even if an organisation’s security processes are strong, a failure to enforce them or flow them through to contractors may constitute a breach by the organisation itself. However, the most important lesson may be the Commissioner’s favourable view of the way in which the Red Cross in particular managed the incident. The report concluded that the Red Cross’s quick and effective response ‘provides a model of good practice for other organisations’. This demonstrates the value in taking a prompt and proactive approach to address any data breaches that do occur.
- Department of Health investigation: In the high-profile Department of Health investigation, researchers from the University of Melbourne discovered weaknesses in the de-identification of a large data set of Medicare Benefits Schedule and Pharmaceutical Benefits Scheme information released to assist medical and health policy research. The Commissioner found that despite steps taken to de-identify the data – such as by encrypting Medicare number details – these had not been effective, and there was a risk of the information being re-identified. This illustrates the importance of considering context when determining whether or not information has been effectively de-identified (as emphasised in the OAIC’s guidance on de-identification, as discussed above). The Commissioner also found that the Department’s decision to release the information did not involve a clear and documented approval process, or rigorous risk management processes. Perhaps most significantly, the report found that ‘[a]t this time, it is uncertain whether de-identification of a unit level dataset of this size and detail is possible to an extent that would permit full public release, while still maintaining the utility of the data’. This suggests that in the Commissioner’s view it may sometimes simply not be possible to de-identify a large dataset. Accordingly, organisations should appreciate that a more appropriate approach may be to limit the release of information (even if that would compromise the utility of the data), rather than to rely solely on encryption or other techniques to manage privacy compliance concerns.

Determinations
The Privacy Commissioner published four determinations in response to privacy complaints made over the past year. While none of these necessarily represents a major development in Australian privacy law, they do provide useful insight into how the Commissioner interprets the effect of the Australian Privacy Principles (APPs). A number of determinations below relate to the National Privacy Principles (NPPs) and the Information Privacy Principles (IPPs), which applied for private sector and public sector entities respectively before the APPs came into effect in 2016. However, these determinations are still useful indications of how equivalent requirements under the APPs may be applied.

a. ‘OJ’ and Department of Home Affairs (Privacy) [2018] AICmr 35 (19 March 2018)
This determination related to whether a disclosure of information was justified on the basis that it was required by law.

The first aspect of this complaint related to a disclosure of information by the Department of Home Affairs (Department) to the Department of Human Services (DHS) pursuant to a subpoena issued by the Federal Circuit Court. The Commissioner dismissed this complaint on the basis that the disclosure was required by law to comply with the subpoena.

The second aspect of this complaint arose after representatives from A Current Affair contacted the Department seeking a response to a number of allegations made by the complainant (who was a non-Australian citizen experiencing immigration issues that led to his incarceration in an immigration detention centre) to the effect that the Department and the Minister of Home Affairs were not conducting their duties satisfactorily. The Department prepared a response containing the complainant’s name, visa and immigration status and criminal history and provided it to the Minister to deal with the relevant media enquiries.

The Privacy Act treats a government department and the minister responsible for that department as separate entities. As
2017-18 Privacy Law Update
the complaint was made only in relation to
the Department, the Commissioner could
only examine the Department’s disclosure
of information to the Minister and not the
Minister’s subsequent disclosure of that
information to A Current Affair. In any event,
the complainant alleged that the disclosure
to the Minister was not permitted, while
the Department claimed that the disclosure
was permitted as it was required by law.
The Commissioner ultimately sided with
the Department, concluding that that the
Department had general reporting obligations
owing to the relevant Minister. To fulfil these
responsibilities, the Department had to provide
the information to the Minister in order to
allow the Minister to adequately respond to
damaging media reports. As the information
disclosed to the Minister specifically
responded to the matters that A Current Affair
sought clarification on, and the amount of
detail provided was necessary to respond
meaningfully to the criticism, this disclosure of
information in this case was required by law.
Takeaways:
Personal information can be provided
pursuant to a validly issued subpoena.
It is critical when lodging a privacy complaint
to be clear on the entity against which the
complaint is being made.
b. ‘PB’ and United Super Pty Ltd as Trustee
for Cbus (Privacy) [2018] AICmr 51
(23 March 2018)
This determination related to whether or not a
particular disclosure of information fell within
the reasonable expectations of the affected
individuals, based on a careful and nuanced
reading of an applicable privacy policy.
Lis-Con Service Pty Ltd and Lis-Con
Concrete Constructions Pty Ltd (collectively
Lis-Con) provided services to Civil, Mining
and Construction Pty Ltd (CMC) in relation
to a road construction project. Cbus, the
superannuation provider for many employees
of Lis-Con, received an email from CMC,
requesting information about superannuation
payments made to Lis-Con employees
as there was some dispute as to whether
Lis-Con had been making payments as it
was required to do. Cbus responded to
this request by providing information about
346 Lis-Con employees, including personal
information such as names, dates of birth and
past contribution details.
A representative complaint was made
against Cbus on behalf of the Lis-Con
employees. In response to the complaint, the
Commissioner found that Cbus had breached
NPP 2.1 on the basis that the relevant class
members’ information had been disclosed
to CMC for a purpose other than the primary
purpose for which it was collected. Cbus
submitted that its email was either consistent
with the primary purpose or a secondary
purpose which was reasonably expected and
related to the primary purpose, and so fell
within the scope of NPP 2.1.
The Commissioner looked to Cbus’ privacy
policy and determined that the primary purpose
of collection of individuals’ personal information
was for the administration of members’
superannuation accounts. The disclosure
by Cbus was found to be made to assist
CMC, in its capacity as a head contractor,
to take action to ensure Lis-Con paid
outstanding superannuation contributions. The
Commissioner was not satisfied that disclosure
of information to CMC for that purpose was
within the scope of the relevant primary
purpose of collection, because the information
disclosed was irrelevant to any present or future
entitlement to superannuation payments, and
it was unclear how disclosure to CMC could
assist in recovering past payments.
Additionally, the Commissioner found that while
the disclosure may have been for a secondary
purpose that was related to the primary purpose
(as both regarded the administration of the
superannuation fund), the class members would
not have reasonably expected Cbus to disclose
their information to CMC. In reaching this
conclusion, the Commissioner referred to the
Cbus trust deed, and the Cbus member privacy
policy, which provided that it would only “use”
member information for specified purposes –
one of which was “to assist in the collection
of employer contributions for [members’]
accounts”. However, the Commissioner
distinguished between “use” and “disclosure” of
information, and noted that the list of purposes
for disclosure of information in the Cbus privacy
policy did not include the same item. The
Commissioner found the disclosure did not fit
within any of the disclosure purposes listed in
the privacy policy and there was “no evidence
that Cbus had a practice of routinely disclosing
members’ personal information to head contractors” so this practice would be at odds with how members would have expected Cbus to handle their information.
Cbus was required to issue an apology to all
those affected, acknowledging the interference
with privacy. While damages, including
aggravated damages, were sought, they were
not awarded as no actual loss or damage to
the complainants was established.
Takeaways:
- The contents of an entity’s privacy policy will be critical for establishing “reasonable expectations” as to how the entity may use or disclose the information it collects.
- Information in the privacy policy about proposed “uses” of information will not necessarily be relevant to expectations as to proposed “disclosures” of information. Accordingly, it is critical for entities to make sure their use of this terminology in their policy does properly capture their true intentions.
c. ‘LS’ and ‘LT’ (Privacy) [2017] AICmr 60 (26 June 2017)
This determination related to a complaint about the provision of access to medical records kept by a psychiatrist about their patient.
The patient in this case made a complaint to the Medical Board of Australia concerning treatment provided by the psychiatrist. The Board dismissed the complaint. However, in the course of the complaint investigation process, the psychiatrist provided a letter to the Board containing medical records and information about the patient. The patient requested access to the letter, which the psychiatrist denied without providing reasons.
The psychiatrist was subject to the Privacy Act as a medical practitioner. The Commissioner made a range of findings as to the psychiatrist’s handling of the patient’s access request:
- APP 12.1 requires an APP entity who holds personal information about an individual to give access to that information if requested, unless a relevant exception applies. One exception is where the APP entity reasonably believes that giving access would pose a serious threat to the life, health and safety of the individual. The psychiatrist, in considering the material contained in the letter, the patient’s treatment history and ongoing mental condition, formed the belief that disclosure of the letter would pose such a serious threat. The Commissioner agreed and found that there was no breach of APP 12.1.
- APP 12.4 requires an APP entity to respond to an individual’s request for access to their personal information within a reasonable period. In this case, the psychiatrist provided a response, denying access to the information, within 15 days of receiving the patient’s request. This was considered reasonable by the Commissioner, so there was no breach of APP 12.4.
- APP 12.5 provides that where an APP entity refuses to give access to an individual’s personal information, it must take any reasonable steps to give access in a way that meets the needs of the individual requesting access. In the circumstances of this case, reasonable steps could have included redacting certain information, summarising the information or facilitating access through an intermediary. As the psychiatrist simply refused access, without at least turning her mind to the possibility of meeting the patient’s needs, the Commissioner determined this was a breach of APP 12.5.
- APP 12.9 requires an APP entity that refuses an access request to provide written reasons for the refusal and to inform the individual requesting access about complaint mechanisms available. Despite the complainant having a general idea as to the reasons for refusal, the psychiatrist did not provide any explanation nor set out complaint options available, and so this was found to be a breach of APP 12.9.
As to remedies, the Commissioner determined that the patient had a right to access the letter. Access would be granted through an intermediary psychiatrist of the patient’s choice who would exercise their professional judgment as to how access should be granted to the patient. Additionally, $1,000 was awarded for the patient’s non-economic loss in respect of the psychological impact that the respondent’s privacy interference had on the complainant.
Takeaways:
- Where an individual requests access to their personal information, it may be dangerous for an entity to simply refuse access outright, even if there are good reasons for the refusal. A written explanation of refusal should be provided and the entity should consider whether access in some alternative or reduced manner can be provided (i.e. by redacting certain information, summarising the information or facilitating access through an intermediary).
- An entity should respond to a request for access to information within a reasonable period. In assessing whether the response was timely, the Commissioner will consider the scope and clarity of the request, whether the information can be readily located and assembled, and whether consultation with the individual seeking access is required. As a general guide, the Commissioner has suggested that a reasonable period should not exceed 30 calendar days (under APP 12.4(a)(i) this is a fixed maximum time limit for public agencies to respond to an access request).
d. ‘LP’ and The Westin Sydney (Privacy)
[2017] AICmr 53 (7 June 2017)
This determination looked at whether
recording a phone call without permission
could constitute an interference with privacy.
The complaint in this case was made by a
guest at the Westin hotel in Sydney. The
guest arrived to check-in however their room
was unavailable and they were asked to wait.
During this time, the Westin telephoned the
guest to discuss alternative room options and
recorded the call without informing the guest.
The guest subsequently learnt about the
recording and requested that the hotel provide
it to him.
APP 3.5 states that an organisation must collect personal information only by lawful and fair means. The Commissioner first considered whether there had been a breach of relevant legislation dealing with use of surveillance devices and interception of telecommunications, and concluded that there had not. Nevertheless, the Commissioner determined that the recording had been collected by unfair means and that this therefore constituted a breach of APP 3.5. This was because, considering ordinary community standards, participants in a call would generally expect to be notified if a call were to be recorded, and the hotel’s privacy policy did not mention telephone call recordings as a means of information collection. The Commissioner also took into account the context of the call and the ease with which the hotel could have notified the guest of the recording.
The Commissioner then considered whether there had been a breach of APP 12.1, which requires that an APP entity who holds personal information about an individual must, if requested, give access to the information within a reasonable time. In this particular case, the complainant only waited 3 days between requesting the information from the hotel and making the complaint. While the Commissioner said that there was no justification for a substantial delay in complying with the request, given it was relatively specific and the recording was readily accessible to the hotel, 3 days was a short period of time and not indicative of a delay. It was to be expected that organising access to the recording would take at least a few days, particularly in the context of an ongoing dispute with the guest. On that basis, there was no breach of APP 12.1.
As to remedies, the Westin was required to provide a written apology to the guest acknowledging the privacy breach, and pay $1,500 for non-economic loss caused by the interference. The Commissioner took into account the substance of the call, the fact that nothing confidential was discussed and the call was merely about room preference, the Westin’s apologetic and conciliatory conduct throughout the investigation process, and the fact that the hotel responded to the incident by revising its practices in telephone recordings.
Takeaways:
- Participants in a telephone call should be notified in advance about any proposed recording.
- Following a potential breach, any remedial actions proactively taken by the party at fault are favourably regarded by the Commissioner and will be taken into account in determining relevant remedies.
Inquiries
In 2017, a Centrelink user, Ms Andie Fox, published an opinion piece in which she criticised Centrelink’s controversial automated debt recovery system. Centrelink subsequently released Ms Fox’s Centrelink claims and debt information to a journalist, and argued it had done so to correct the public record. The journalist wrote an article favourable to Centrelink, claiming that Ms Fox had “unfairly castigated” Centrelink in her original opinion piece.
Following further media reports, the Privacy Commissioner commenced an inquiry into the Department of Human Services, which runs Centrelink, in relation to the release of Ms Fox’s information. More than a year later, in May 2018, the Commissioner released a statement concluding that the release was justified under APP 6.2, as it should have been within the reasonable expectations of Ms Fox.
Under APP 6.2, an entity may disclose personal information for a secondary purpose related to the primary purpose for which it was collected, provided that the relevant individual would have reasonably expected the information to be disclosed for that secondary purpose. Guidelines published by the Commissioner on APP 6.2 state as an example that an individual may reasonably expect an entity to release personal information specifically relevant to “adverse comments” the individual has made in the media about the way the entity has treated them. In this case, the Commissioner referred specifically to this example in finding that Centrelink’s actions were justified. The Commissioner also had regard to L v Commonwealth Agency [2010] PrivCmrA 14, in which the Commissioner had also determined that an individual who had criticised an Australian government agency in the media could reasonably expect that agency to release their personal information to a journalist who had contacted the agency for a response.
While the Commissioner’s view on this is relatively clear, some commentators have expressed surprise that individuals would expect government agencies and companies to release personal information in retaliation for client or customer comments.
Takeaways:
- When assessing whether a particular use or disclosure of information is within an individual’s reasonable expectations, it is legitimate to consider the prior conduct of that individual along with other context.
- By making an issue “public” through comments in an open forum, individuals could to some extent lose the benefit of privacy protections that may otherwise apply to restrict the disclosure of their information.
New fuel for an old flame:
a tort of privacy?
There were many salacious aspects of the personal scandals that brought down former Deputy Prime Minister Barnaby Joyce earlier this year. However, for privacy enthusiasts, one of the most interesting aspects to come out of the whole affair (pun very much intended) was Mr Joyce’s attempts to reinvigorate the debate about whether Australia needs a tort of privacy.
After an altercation with a photographer in early June 2018, Joyce tweeted that “this is why we need a tort of privacy” and repeated his support for this notion in subsequent interviews.
This is not a new idea. It has frequently been proposed that Australia should have a statutory tort (which would more correctly be called a tort of invasion of privacy) to provide individuals with remedies of injunctions and compensation if their privacy is seriously breached. Several Canadian provinces and US states have enacted statutory torts along these lines in recent years, and courts in the UK and New Zealand have recognised common law actions with similar effect.
The idea of a legal privacy right has been debated in Australia for at least as long as the High Court’s 1937 rejection of a common law right of privacy in the Victoria Park Racing case.¹ Recent case law has cast considerable doubt over whether there is in fact some form of common law protection of privacy in Australia, but the best that can be said is it is still an open question.²
Proposals for reform in this area gained fresh impetus with the ‘Serious Invasions of Privacy in the Digital Era’ report of the Australian Law Reform Commission (ALRC) in 2014. The Victorian and New South Wales Law Reform Commissions have also recommended introducing an action, in slightly varying forms.
However, former federal Attorney-General George Brandis quickly rejected the ALRC proposal in 2014, and was quoted at the time as saying that the “government has made it clear on numerous occasions that it does not support a tort of privacy”. Perhaps not much has changed – other than a former minister’s personal interactions with the media – but thanks to Mr Joyce the issue has returned to the spotlight at a time when privacy breaches are particularly topical. In all likelihood, this will not lead to any major change, but the idea of a privacy tort is once again being debated in the Australian public arena and it is certainly worth keeping an eye on future developments in this space.
¹ Victoria Park Racing & Recreation Grounds Co Ltd v Taylor (1937) 58 CLR 479.
² See the much discussed Australian Broadcasting Commission v Lenah Game Meats Pty Ltd (2001) 208 CLR 199; Grosse v Purvis [2003] QDC 151 (16 June 2003); Doe v Australian Broadcasting Corporation [2007] VCC 281.
About King & Wood Mallesons
Recognised as one of the world’s most innovative law firms, King & Wood Mallesons offers a different perspective to
commercial thinking and the client experience. With access to a global platform, a team of over 2,000 lawyers in more
than 27 locations around the world works with clients to help them understand local challenges, navigate through
regional complexity, and find commercial solutions that deliver a competitive advantage for our clients.
As a leading international law firm headquartered in Asia, we help clients to open doors and unlock opportunities as
they look to Asian markets to unleash their full potential. Combining an unrivalled depth of expertise and breadth of
relationships in our core markets, we are connecting Asia to the world, and the world to Asia.
We take a partnership approach in working with clients, focusing not just on what they want, but how they want it.
Always pushing the boundaries of what can be achieved, we are reshaping the legal market and challenging our
clients to think differently about what a law firm can be.
Media enquiries
Charlotte Geddes
Corporate Affairs Senior Manager
T +61 2 9296 3348
Join the conversation on Facebook, Twitter, LinkedIn, and on our blogs China Law Insight and In Competition.
© 2018 King & Wood Mallesons
King & Wood Mallesons refers to the firms which are members of the King & Wood Mallesons network.
Legal services are provided independently by each of the member firms. See www.kwm.com for more information.
Asia Pacific | Europe | North America | Middle East
