For the first time, the Privacy Commissioner (Commissioner) has determined that non-economic loss compensation is payable to individuals affected by a data breach in a representative action.

The Commissioner’s determination

Earlier this year, the Commissioner ordered that the Department of Home Affairs (Department) compensate over one thousand asylum seekers, including for non-economic loss, provided they demonstrated loss or damage resulting from the unauthorised disclosure of their personal information.

Background

In February 2014, the Department inadvertently published the personal information of over 9,000 individuals held in immigration detention online. The information included names, gender, citizenship details, birth date, period of immigration detention, location, boat arrival details and reasons for being considered an unlawful non-citizen.

Following the data breach, an impacted individual submitted a representative complaint to the Office of the Australian Information Commissioner (OAIC) under the Privacy Act 1998 (Cth) (Privacy Act) on behalf of the affected asylum seekers, being the class members. The complainant sought a declaration that the class members were entitled to an apology, compensation for economic and non-economic loss and aggravated damages. Over one thousand individuals made submissions or provided evidence of loss or damage.

Under the Privacy Act, the Commissioner found that the Department had interfered with the class members’ privacy by improperly disclosing personal information and failing to have reasonable security measures in place to protect their personal information.

The Commissioner’s determination

The Commissioner referred the matter to dispute resolution for the parties to negotiate on the damages for economic and non-economic loss. The Commissioner noted that compensation should be assessed on a case-by-case basis and provided a framework to assist the parties in assessing non-economic loss. If the parties could not agree, the matter would be referred back to the Commissioner.

The Commissioner did not grant aggravated damages, in part, because the data breach was inadvertent, promptly addressed and the Department apologised and cooperated with OAIC throughout the proceedings. As the Department had already issued an apology, the Commissioner deemed a further apology unnecessary.

What test is used to determine non-economic loss in privacy claims?

The Commissioner confirmed that non-economic loss is of an “inherently personal nature” and should be considered on a case-by-case basis.

The Commissioner referred to the Administrative Appeals Tribunal decision, Rummery and Federal Privacy Commissioner and Department of Justice and Community Safety, to summarise the principles for awarding compensation under the Privacy Act, noting (directly from the decision here):

  • where a complaint is substantiated and loss or damage is suffered, the legislation contemplates some form of redress in the ordinary course
  • awards should be restrained but not minimal
  • in measuring compensation the principles of damages applied in tort law will assist although the ultimate guide is the words of the statute
  • in an appropriate case, aggravated damages may be awarded
  • compensation should be assessed having regard to the complainant's reaction and not to the perceived reaction of the majority of the community or of a reasonable person in similar circumstances.

The Commissioner set up a framework with five applicable categories for compensation for non-economic loss in the matter at hand, being:

  • $500 - $4,000: For general anxiousness, trepidation, concern or embarrassment resulting from the data breach
  • $4,001 - $8,000: For moderate anxiousness, fear, pain and suffering, distress or humiliation resulting from the data breach, which could cause minor psychological symptoms (like sleep loss or headaches), and may lead to health practitioner consultation
  • $8,001 - $12,000: For significant or prolonged anxiousness, fear, pain and suffering, distress or humiliation resulting from the data breach, which may cause psychological or other harm, and may result in a prescribed treatment course from a GP
  • $12,001 - $20,000: For the development or exacerbation of a mental health condition as a result of the data breach, resulting in a referral to a mental health specialist for treatment
  • more than $20,000: For extreme loss or damage resulting from the data breach.

The Department is now required to embark on the complex task of assessing and negotiating each individual’s damages.

What does the decision mean for non-economic loss claims in privacy breaches?

The decision serves as a reminder of the weighty and ongoing costs of a data breach, including administrative burdens.

Although the decision is a useful guide, the non-economic loss compensation categories provided by the Commissioner are not intended to be applied to privacy matters in general. The Commissioner clarified that the categories were specific to the complaint at hand, although they were consistent with previous privacy determinations.

The Commissioner’s determination is the first for non-economic loss in a representative action and confirms that damages for non-economic loss depend on the affected individual’s circumstances.