How *not* to respond to a privacy breach: ‘SF’ and ‘SG’


This case was a dispute between a patient seeking her records and her former treating psychologist. The Privacy Commissioner found a breach of the Privacy Act, and ordered compensation.

This case is a great example of what not to do if you breach someone’s privacy. The conduct of the respondent in this case was so egregious that they were required to pay aggravated damages.

Background

The complainant, “SF”, requested access to her medical records held by the respondent psychologist, “SG”. Medical records are personal information under the Privacy Act, and the respondent is obliged to hold medical records for a minimum of 7 years. Therefore, Australian Privacy Principle (‘APP’) 12 applied to this record.

APP 12 grants individuals a right to access personal information held by an agency or organisation subject to the Privacy Act (note that there are limitations to this right). This rule also states that the individual in possession of the personal information must respond to the request for access within a reasonable period of time, and if they are unable to fulfil the request, they must provide a written notice setting out the reasons why.

When SG received SF’s request for access, he refused to fulfil the request. SF then contacted the OAIC, whose officers made attempts on 10 occasions to contact the respondent. At a later stage of the investigation, the respondent asserted that he had lost the files because they had been stolen by the complainant. The Court rejected the assertion that the complainant had stolen the files. SG then sought to rely on other exceptions to APP 12 in order to avoid providing SF with her personal information, including that:

  • Giving access would have an unreasonable impact on the privacy of others.
  • The request for the documents was frivolous or vexatious.
  • There were present legal proceedings occurring between SF and SG.
  • Giving access to the documents would interfere with appropriate action being taken against unlawful activity.

There was no evidence proving these claims and they were rejected by the Commissioner. Accordingly, SG was found to have breached APP 12.

Declarations made by the Commissioner

The finding of a breach of APP 12.1 meant that there had been an interference with SF’s privacy.

Accordingly, the Commissioner directed SG to:

  • Take specified steps to ensure that the impugned conduct is not repeated or continued.
  • Perform a reasonable action or course of conduct to redress any loss or damage suffered.
  • Provide SF with access to her medical records or, if unable to do so, make a statutory declaration setting out the reasons for this.

Specifically, SG was ordered to pay SF a total of $5,000 in damages. The damages amount equated to:

  • $3,000 for non-economic loss
  • $2,000 for aggravated damages

Calculation of damages

Economic loss:

The Court held that the respondent’s breach had not caused any economic loss to the complainant.

Non-economic loss:

The Court accepted that the respondent’s failure to provide the personal information caused psychological injury to the complainant. This psychological injury included distress, agoraphobia and social anxiety. The complainant’s present psychologist also provided evidence supporting her claim for psychological distress. Therefore, the Court awarded $3,000 in non-economic damages.

Aggravated damages:

The Court stated that it may award aggravated damages where the respondent has behaved ‘high-handedly, maliciously, insultingly or oppressively’ and where the respondent’s conduct may have exacerbated the hurt and injury suffered by the complainant.

In this case, the Court was satisfied that the respondent had acted insultingly towards the complainant. The Court held that the respondent’s attitude was unjustified and demonstrated a disregard for the complainant’s privacy rights.

The Court also took into account the respondent’s failure to engage with the OAIC until a very late stage in the investigation, which delayed the resolution of the matter.

The Court weighed this case against another privacy case where the respondent failed to appreciate the implication of their privacy breach and $1,500 was awarded in aggravated damages. In this case, the Court found that the actions of the respondent were more serious and awarded $2,000 in damages.

Take-outs:

The key take-out from this case is the importance of being active and responsive in privacy investigations. The Court has a broad discretionary power to award aggravated damages if the respondent fails to appreciate the severity of the breach or actively participate in the investigation.

In this case, the respondent showed an utter disregard for the investigation, evidenced by his failure to respond to the requests of the OAIC and by his consistently changing his statement of defence throughout the investigation. If the respondent had been active and useful throughout the investigation, this would have mitigated all of the aggravated damages, which amounted to almost half of the total damages.
