AREEA analyses the impact of a recent privacy-related case, ‘LB’ and Comcare (Privacy) [2017] AICmr 28 (24 March 2017), which cost the Department of Defence in excess of $20,000 in compensation.

While cases of this kind are very rare, AREEA members have for some time been bound by the Privacy Act  and the 11 Information Privacy Principles.

Even though the area of privacy, in my view, currently ranks as a lesser risk for employers than dismissal and adverse action, with the 2018 mandatory reporting requirements, privacy has the potential to be the next ‘sleeping tiger’ in regard to employment issues.

Background

Australian Information Commissioner Timothy Pilgrim found that Comcare (the agency responsible for workplace safety, rehabilitation and compensation for the Australian Government) compromised the privacy of an employee of the Department of Defence in the course of investigating allegations that her employment with the department might have contributed to her cancer.

It was alleged a number of her colleagues at Defence had become seriously ill or died from cancer-related illnesses.

When the employee requested a copy of Comcare’s findings under the Freedom of Information Act, the agency supplied her with a redacted report which was also on the agency’s website for some 12 months earlier but contained details about the employee’s health and other personal details.

The report disclosed her name, postal address and date of birth. It also contained details of her personnel management key solution number (a unique code providing access to Defence phone numbers and email addresses)

The employee complained to the senior officer’s chief of staff and asked for the redacted report to be removed and the email recalled. Comcare removed the report from its website three days later and gave the employee a written apology.

She then complained to the Office of the Australian Information Commissioner about Comcare’s mishandling of her information.

Further, she sought $250,000 in damages for future economic loss and $150,000 for non-economic loss, on the basis that her personal information was improperly disclosed, and for failing to take reasonable security safeguards to protect her information.

She claimed that her job was at risk as a consequence of the improper disclosure which was the basis of her significant claim for damages.

Commissioner Pilgrim found that, in breach of the legislation, Comcare “inadvertently overlooked” the sensitive nature of the employee’s health information when it published the report online.

He accepted that Comcare acknowledged its error and that the report should have been “more scrupulously redacted to ensure all personal information was removed or de-identified prior to publication”.

While the privacy commissioner noted that Comcare had since introduced more stringent security safeguards to prevent future disclosures of personal information on its FOI disclosure log, he concluded that Comcare failed to take reasonable security measures to redact the report and protect the employee’s personal information.

He awarded the employee $20,000 in damages and a further $3,000 to reimburse her for expenses incurred in lodging and investigating her privacy complaint.

Despite the relatively small compensation outcome, employers incur significant management cost and critical task diversions in defending these sorts of claims as well as reputational damage.

Implications

The principles in this case relate to the storage and handling of employment information and data.

AREEA members should have a privacy policy included in the suite of employment policies, which is consistent with the privacy principles. This policy should be rolled out at induction training and periodically during the course of employment by way of refresher training.

In addition, following a review of the privacy laws, from 22 February 2018, employers will be required to notify the office of the Australian Information Commissioner of any data breach. This means a review of this aspect of employment is highly recommended to prevent inadvertent breaches.

It is also important that AREEA members put in place a policy so that in the event of any potential breach it can be identified and the new 2018 disclosure requirement can be complied with.

In this case, the Department failed to de-identify an employee who had been pursuing a claim that her employment with the Department contributed to her cancer condition and as such her privacy was breached.

AREEA can assist both with privacy policy development and on-site training. For more information or support, contact your local AREEA office.