‘BO’ and AeroCare Pty Ltd [2014] AICmr 32

The Privacy Commissioner has recently determined that AeroCare Pty Ltd (Aerocare) breached the privacy of a blind airline passenger when its staff asked the passenger a range of questions about his medical condition in front of his sighted guide and various passengers in the departure lounge at the Sunshine Coast airport.

Facts

Aerocare is a provider of flight support services to airlines, including customer service, cargo handling, aircraft cleaning and relief cabin crew.

The complainant travelled from Melbourne to the Sunshine Coast with his sighted guide and guide dog, and presented a letter to the airline staff that explained that he was required to wear a medical device due to a recent surgery for a medical condition. The letter was from his doctor and explained that the device should only be switched off during take off and landing. The trip to the Sunshine Coast went without incident.

Upon his return to Melbourne, the complainant provided the same letter to the Aerocare staff in the Sunshine Coast departure lounge. The staff member for Aerocare proceeded to ask a range of questions about the complainant’s medical condition, including the location of his disease. The conversation was in the presence of the man’s sighted guide, who was not aware of his condition, and various passengers seated nearby in the departure lounge.

Complaint

The complainant brought a complaint to the Office of the Australian Information Commissioner, alleging that Aerocare breached his privacy by violating three National Privacy Principles (NPPs), in:

  • collecting his personal medical information in an unreasonable and intrusive manner (alleged breach of NPP 1.2);
  • disclosing the personal medical information to third parties in the departure lounge of the airport (alleged breach of NPP 4.1); and
  • failing to advise him of the reason for collecting his personal medical information (alleged breach of NPP 1.3).

The relevant National Privacy Principles that were allegedly breached were:

  • NPP 1.2: the obligation upon organisations to collect information only by lawful and fair means and not in an unreasonably intrusive way;
  • NPP 4.1: organisations must take reasonable steps to protect personal information they hold from misuse, loss, unauthorised access, modification or disclosure; and
  • NPP 1.3: the requirement to inform persons from whom you collect personal information of your identity and the purpose of the collection.

He sought an apology, training for Aerocare staff in privacy and sensitivity, and compensation of $28,000 for non-economic loss.

Privacy Commissioner’s decision

It was held that Aerocare had breached National Privacy Principles 1.2, 4.1 and 1.3. It was noted that there was no definition of what is ‘unreasonably intrusive’ and that this will be determined on a case-by-case basis. Aerocare was held to have been unreasonably intrusive by questioning the complainant in the middle of the departure lounge and not finding a more private location for its questions.

The Commissioner found that it did not matter that there was no evidence establishing whether the passengers in the departure lounge heard the personal medical information of the complainant. It was reasonable to assume that disclosure to those people occurred due to their close proximity to the complainant and the Aerocare employee.

With regard to compliance with NPP 1.3, it was held that it is not enough to assume that someone understands why you are collecting their personal information; it must be explained to the individual.

The complainant was awarded $8,500 in damages for non-economic loss. This amount was considered appropriate due to the distress and shock suffered by the complainant and the vulnerability of the complainant as a disabled person. The Privacy Commissioner declined to order aggravated damages, but required that an apology be given and that the staff of Aerocare receive training in handling sensitive personal information.

Significance

This decision is important for any organisation that discusses or collects the personal information of individuals in public spaces. Pharmacies, medical practices, banks, Medicare, Centrelink and all other government service centres should ensure their staff are appropriately trained to be cautious when discussing individuals’ personal information in the proximity of others.