The Office of the Australian Information Commissioner (OAIC) has ordered Comcare to pay a Defence Force employee $23,000 after it inadvertently published on its website personal information, including sensitive health information, about the employee.

For organisations with obligations under the Privacy Act 1988 (Cth), this case highlights:

  • the importance of having in place appropriate security mechanisms to protect personal information and
  • how a proactive and prompt response to a privacy breach can minimise the damage to an affected individual and the liability faced by the offending organisation.

The breach

Following an FOI request, Comcare produced and published on its website an investigation report containing the complainant’s name, postal address, date of birth and sensitive health information.

The Commissioner found that Comcare had breached the Information Privacy Principles (IPPs), as applicable under the Privacy Act at the time, and therefore interfered with the complainant’s privacy by:

  • improperly disclosing her personal information, including sensitive health information (in breach of IPP 11) and
  • failing to implement security safeguards reasonable in the circumstances (in breach of IPP 4). The Commissioner acknowledged appropriate safeguards could reasonably have been achieved through second and third tier reviews of the report to ensure the inadvertent failure to properly redact the personal information did not eventuate.

The Commissioner’s finding

The complainant sought an order for an apology, compensation for economic and non-economic loss totalling $405,000, and reimbursement of almost $25,000 for legal fees.

The Commissioner considered that upon becoming aware of the breach Comcare had:

  • promptly offered an apology
  • accepted responsibility and provided an explanation for the disclosure
  • acknowledged the distress caused and
  • outlined steps taken to remove the report and prevent similar incidents in the future.

In light of Comcare’s response, the Commissioner considered it unnecessary to make an order for a subsequent apology or for aggravated damages.

It did, however, order Comcare to pay $20,000 for non-economic loss (in recognition of the significant distress caused) and $3,000 for reasonably incurred expenses.

Despite the potential for more significant penalties (of up to $1.8 million) under the current provisions of the Privacy Act (as a result of reforms in 2014), the Commissioner’s assessment of Comcare’s response suggests prompt and appropriate action following a privacy breach is likely to minimise both the damage caused and the liability incurred.