The Privacy Act 1988 (Cth) provides for complaint-driven investigations and also grants the Privacy Commissioner the power to investigate a matter on its own initiative. If the Commissioner finds a complaint to be substantiated, the Commissioner may order that compensation be paid to the individual (and/or that the organisation cease particular conduct or undertake a particular act, e.g. issue a public statement, apologise, etc.). Determinations of the Commissioner are, however, not binding or conclusive between the parties. Where a matter originated from an individual's complaint, either the individual or the Commissioner must apply to the Court to enforce the Commissioner's determination. If the matter originated from the Commissioner's own investigation, only the Commissioner can apply to the Court for enforcement of its determination.
As of March 2014, new civil penalty provisions have been included in the Act under which an individual can be fined a maximum of $360,000 and a body corporate a maximum of $1,800,000, if it seriously or repeatedly interferes with the privacy of an individual. Interference with the privacy of an individual in this context will only be found in the limited circumstances set out in section 13 of the Privacy Act. These circumstances include:
1. Breaches of an Australian Privacy Principle (APP) or an approved APP code in relation to personal information about the individual;
2. Breaches of the credit reporting provisions of the Act in relation to personal information, or of a registered CR Code, or of requirements in relation to tax file numbers of an individual;
3. Breaches by Commonwealth contracted service providers of contractual obligations in relation to personal information; and
4. Specific breaches of the Data-matching Program (Assistance and Tax) Act 1990 and the National Health Act 1953.
There are no criminal remedies (with some specific exceptions, e.g. in relation to breaches of the privacy provisions in the Telecommunications Act 1997 (Cth)).
Selected Enforcement Actions/ General Comments
Amendments to the Privacy Act came into effect on 12 March 2014, including expanded enforcement powers for the Privacy Commissioner and civil penalties of up to AU$360,000 for individuals and AU$1.8 million for corporations (as noted above). However, as of 15 July 2015 there have not yet been any fines issued under the amended laws, possibly due to the time lag between alleged breaches and the pace of investigations by the Privacy Commissioner. Therefore the cases outlined below relate to breaches of the Privacy Act and enforcement mechanisms in place prior to March 2014.
In its 2013-14 Annual Report, the Office of the Australian Information Commissioner (OAIC) reported that 59 monetary awards were issued, broken down as follows:
- Awards of less than A$1,000 were made to 14 individuals;
- Awards of between A$1,000 and A$5,000 were made to 18 individuals;
- Awards of between A$5,000 and A$10,000 were made to 9 individuals; and
- Awards of over A$10,000 were made to 8 individuals.
We have also outlined below some recent findings reported by the OAIC.
Department of Immigration and Border Protection (DIBP)
The DIBP breached IPPs 4 and 11 of the Privacy Act for failing to put in place reasonable security safeguards to protect the personal information it held, for unlawfully handling personal information and for unlawfully disclosing the personal information of approximately 9,250 asylum seekers in a report made available on its website for eight and a half days in February 2014. The personal information disclosed in the report included personal details, information relating to their immigration into Australia and why the particular asylum seeker was deemed unlawful. The Privacy Commissioner was satisfied that the DIBP's responses to the breach would strengthen its privacy framework and ensure compliance with the Privacy Act. It therefore merely recommended that DIBP monitor its internal compliance with its new processes to ensure continued compliance with the Privacy Act.
Cupid Media Pty Ltd (Cupid)
Cupid, which operates online dating websites, was found in breach of NPP 4 of the Privacy Act for failing to take reasonable steps to secure the personal information of over 250,000 customers which it held online. The investigation, with which Cupid cooperated, found that a data breach resulted in Cupid customer records and personal information being stolen and found on a third-party server operated by hackers. Cupid was found to have failed to take reasonable steps to protect its customers' personal information from misuse, loss and unauthorised access, modification and disclosure, and also to have failed to destroy the relevant information after it was no longer needed. Following the breach, Cupid undertook extensive privacy and data security programs designed to ensure compliance with the Privacy Act. The Privacy Commissioner's recommendation was limited to the requirement that Cupid regularly review its privacy and data security processes to ensure compliance with the Privacy Act and best practice.
Telstra
Telstra is Australia's largest provider of telecommunication services, and is responsible for the publication of the Australian telephone number directory. The Privacy Commissioner determined that Telstra breached NPP 1.3 of the Privacy Act by failing to inform a judge that his name and address would be published in a telephone directory, after he contacted Telstra requesting the installation of a phone line to be connected to his home alarm system. Specifically, Telstra was in breach for failing to take reasonable steps to notify the judge of the reasons for its collection of his personal information and the possible disclosure of that information. The Privacy Commissioner declared that Telstra:
- pay $18,000 to the complainant for non-economic loss arising from the interference with the complainant's privacy;
- apologise in writing;
- review its processes to ensure customers are notified of the possible disclosure of their personal information and given the opportunity to opt out of such disclosure; and
- review its Privacy Statement to reference the collection of information for the purpose of publication.
Pound Road Medical Centre (PRMC)
The Privacy Commissioner determined that PRMC was in breach of NPP 4 of the Privacy Act in late 2013 for failing to take reasonable steps to secure the sensitive medical records of approximately 960 patients from misuse, loss, unauthorised access, modification or disclosure. Further, PRMC was found in breach for failing to destroy or de-identify the personal information it held after such information was no longer needed by PRMC. The records were kept in a locked garden shed at a location no longer used by PRMC, which was deemed to be an insecure temporary structure unsuitable for the storage of sensitive records and personal information. The Privacy Commissioner recommended that PRMC undertake a risk assessment with respect to its privacy practices and develop a data breach response plan to ensure it meets its obligations under the Privacy Act.
Telstra and Mr Ben Grubb
A journalist named Ben Grubb contacted Telstra claiming a right of access under the Privacy Act to 'all the metadata information Telstra has stored' about him in relation to his mobile phone service. Telstra refused to provide the information, and Grubb lodged a complaint with the OAIC claiming that Telstra had breached his rights under the Act. The request was narrowed down to "network data" (IP addresses, URL information, and cell tower location information) and incoming call records, specifically inbound call numbers. The key questions for the Commissioner were:
- whether the complainant’s metadata held by Telstra constitutes “personal information”; and if so,
- whether it was improperly withheld in breach of NPP 6.1.
The Commissioner held that, given Telstra's size and the resources available to it, Telstra did and could associate network data with the complainant's identity, and this data was therefore personal information. The inbound call numbers were also personal information "about" the complainant, but they also contained personal information of the callers. An exception to the obligation to provide access to personal information applies where providing access would have an unreasonable impact upon the privacy of other individuals. If a person unintentionally called the complainant, revealing that person's personal information to the complainant as part of the incoming call records would be an interference with that person's privacy. It was not possible for Telstra to identify whether callers had contacted the complainant intentionally or unintentionally, and there was no way for Telstra to edit the information so as to provide only the numbers of those individuals who intentionally contacted the complainant. Consequently, Telstra could refuse access to all of the inbound call numbers.