Services Australia among those found breaching privacy laws
The Office of the Australian Information Commissioner (OAIC) has made available the outcomes of its latest privacy complaint investigations, including a determination made against Services Australia.
In the complaint against the CEO of Services Australia, Australian Information and Privacy Commissioner Angelene Falk found that the federal government department interfered with the complainant’s privacy as defined in the Privacy Act 1988 by breaching one of the guiding privacy principles.
Specifically, the department disclosed the complainant’s personal information in breach of privacy principle 11.
Australian Privacy Principles (APP) 11 requires an APP entity to take active measures to ensure the security of personal information it holds, and to actively consider whether it is permitted to retain personal information.
The entity must also take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification, or disclosure; and they must take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for any purpose for which the personal information may be used or disclosed under the APPs.
However, this requirement does not apply where the personal information is contained in a Commonwealth record or where the entity is required by law or a court/tribunal order to retain the personal information.
In her declaration, Falk said she found that Services Australia engaged in conduct constituting an interference with the privacy of the complainant; and must pay the complainant AU$3,000 for non-economic loss caused by the interference with the complainant’s privacy within 60 days of the date of determination. The determination was made on 30 June 2020.
The complainant’s grievance relates to the collection of her personal information by the former Child Support Agency (CSA) and former department administering child support, and subsequent disclosure to the complainant’s ex-partner in 2012. Services Australia now administers child support.
As explained by the OAIC, the complainant applied to CSA for a change of assessment to the amount of child support paid by her ex-partner. On receipt of the ex-partner’s objection review application, CSA collected the complainant’s personal information from her bank, but did not notify her of that action.
The complainant applied to the Social Security Appeals Tribunal for a review of the objection decision, at which time CSA disclosed the complainant’s personal information to the Tribunal and to the ex-partner as part of the Tribunal review process.
The complainant claimed that the bank statement revealed her personal information in the form of places she frequented. The complainant added that she feared harm from the ex-partner and that she had attempted to keep her location unknown to him.
She had previously obtained a Family Violence Order against the ex-partner.
The complainant was originally seeking compensation of AU$30,000.
Other recent determinations made by Falk include the compensation of AU$3,000 to the complainant for non-economic loss and AU$2,000 for aggravated damages regarding a breach of privacy principle 12 by a psychologist; and compensation of AU$10,000 for non-economic loss and AU$3,400 for economic loss to the first complainant and AU$3000 to the second complainant for non-economic loss in a breach of a few privacy principles by a medical clinic.
Minister Stuart Robert talks about respect and transparency, but they require more than just answering the phone. They even require more than a personalised dashboard. They require wholesale culture change.
3,306 privacy complaints were made to the Office of the Australian Information Commissioner in 2018-19 and the commissioner has finally admitted her office needs more assistance.
Employers given a little reminder that their Privacy Act obligations still apply, even in a global pandemic.
85 cases of human error resulted in 269,621 instances of Australians having their personal information disclosed accidentally.