A medical clinic has been ordered to pay $16,400 for inadvertently sending an email to the wrong address.
Respondent: Northside medical clinic
Complainants: Patient of the respondent and their partner
The Commissioner ordered that the respondent pay a total of $16,400 in damages to the claimants. This amount was calculated according to:
- $10,000 awarded to the first complainant for non-economic loss
- $3,400 awarded to the first complainant for economic loss
- $3,000 awarded to the second complainant for non-economic loss
The complainants were patients at the respondent’s clinic. The first complainant was HIV positive, and his partner had recently also been diagnosed as HIV positive. The respondent sent an email to both complainants with information regarding a survey being offered for HIV positive patients and their partners. The respondent accidentally sent the email intended for the second complainant to the wrong email address. The email contained information about the complainants’ conditions and their personal details.
The first complainant informed the respondent of the breach; however, the respondent did not take steps to rectify the breach until a month later.
Australian Privacy Principle (‘APP’) 6 states that when personal information is collected for a particular purpose, it cannot be used or disclosed for an alternative purpose. In this case, the information was ‘personal’ because it could be used to identify the complainant. The information had also been ‘disclosed’ because the incorrect email address was a valid address. Therefore, the respondent breached APP 6 in respect of both complainants.
APP 11.1 requires entities to take reasonable steps to protect personal information from unauthorised disclosure. In this case, following the breach the clinic implemented more rigorous privacy practices and policies. However, the clinic had failed to implement adequate privacy policies prior to the breach, and therefore the respondent breached APP 11.1.
Calculation of damages
The first complainant suffered serious psychological distress following the breach, as evidenced by two psychologist reports. This included anxiety and paranoia. The distress also caused serious damage to the relationship between the complainants. The first complainant began seeing a psychologist following the breach in order to cope with the distress. This psychological harm justified a high award of damages for non-economic loss ($13,000).
The total cost of the psychologist appointments equated to the economic loss awarded ($3,400).
The first complainant submitted that the respondent's delay in responding to the breach, and the seriousness of the breach, exacerbated his distress and that he was therefore entitled to increased damages. However, the Commissioner held that the respondent had not acted maliciously or oppressively when committing the breach, and therefore did not award aggravated damages.
Alongside the compensation, the respondent had to take other steps to remedy the breach. These included a formal apology to the claimants that was unconditional, acknowledged the hurt and distress, recognised that the situation could have been handled better, and outlined the changes made to prevent the breach from recurring.
The respondent also had to demonstrate to the court that it had taken reasonable steps to prevent the breach from recurring. In this case, the respondent implemented a robust privacy and security strategy, including a two-step authentication requirement before sending emails containing personal information. The respondent also provided further privacy training for all its staff.
Breaches of the Privacy Act can occur as a result of human error, and even accidental breaches are punishable. Entities dealing with personal information should therefore have adequate privacy practices in place to avoid breaching the Privacy Act. These practices should account for and address the potential for human error, and should take into account the sensitivity of the personal information the entity handles.
If an entity is found to have taken reasonable steps to protect personal information, it will not be in breach of APP 11 even if the information is accidentally disclosed. A determination under APP 11 is made according to the privacy practices the entity has in place, and whether these are reasonable in the circumstances, not according to whether personal information was in fact disclosed.
Although aggravated damages were not awarded in this case, the Court accepted that the respondent’s delay in responding to the breach caused further distress to the claimants. Therefore, a party who breaches the Privacy Act should respond immediately to the breach. The party should also recognise the gravity of the breach and try to rectify it in order to mitigate the amount of damages awarded against them.
If a party breaches the Privacy Act, it should also implement further privacy protections as soon as possible to ensure that the same breach does not recur. The party in breach should also make a formal and appropriate apology to the damaged party immediately. In this case, the fact that the respondent implemented more rigorous privacy practices and training soon after the breach was a mitigating factor in the calculation of damages.