When we think about privacy breaches, we tend to think about large-scale and highly public data breaches – like the Ashley Madison security breach last year, which saw the release of personal information from approximately 36 million Ashley Madison user accounts. The breach made worldwide news and resulted in a joint Australian-Canadian government investigation into the breach.
While these large-scale breaches are the ones which attract headlines, it is important for businesses to remember that most privacy breaches are caused by simple mistakes – by the forgetful employee who leaves a file on the train or who sends an email to the wrong person. Since the start of 2016, the Office of the Australian Information Commissioner (OAIC) has made several determinations concerning cases of basic privacy breaches, some of which we will look at below. Business owners and employees alike need to understand that privacy obligations are a part of everyday business (not just an IT issue) and to ensure that they have policies and procedures in place to manage these risks.
War stories – what went wrong in 2016? Below is a brief description of some of the privacy breaches considered by the OAIC in the past year and the steps taken by the OAIC to address those breaches.
Case 1: Inadequate storage of information – “IY” and TeleChoice
What happened? In early 2013, IY signed a telecommunications contract, and the contract was made through a TeleChoice dealer store. When entering into the contract, she was required to provide identification information, including her driver’s licence and Medicare card. In April 2015, she was contacted by a journalist from “A Current Affair”, who told her he had copies of her driver’s licence, her Medicare card and the contract, and that the documents had been obtained from an open shipping container located on publicly accessible bushland. IY lodged a complaint against TeleChoice, alleging that TeleChoice had interfered with her privacy by not taking steps to protect and secure the information and by not destroying or de-identifying the information when it was no longer needed.
What did the OAIC do? The OAIC held that TeleChoice had interfered with IY’s privacy by not taking reasonable steps to protect her personal information and by not taking steps to destroy or de-identify her personal information when it was no longer needed. TeleChoice was ordered to apologise to IY and to pay IY $3,500.
Case 2: Letting things “slip”– “IV” and “IW”
What happened? IW was a doctor who had been acquainted with IV for several years through their shared religious faith. In 2011–2012, IV sought medical treatment from IW regarding his panic attacks. On 1 July 2014, IV wrote to his relatives and friends informing them that he had renounced his faith, and he engaged with IW in a series of theological discussions (in person and by email). On 19 January 2015, IV sent an email to IW and 6 other people requesting a response to his questions about religious verses. The next day, IW sent a response to IV and the 6 other people and, in doing so, referred to his treatment of IV’s “delusional depression”.
IV lodged a complaint with the OAIC, alleging that IW had breached his privacy by improperly disclosing the diagnosis to the 6 other people and by exaggerating the nature of his illness. He also claimed that the disclosure had damaged his personal social standing and his reputation in business.
What did the OAIC do? The OAIC held that IW had breached IV’s privacy by disclosing his personal information to 6 individual third parties. IW was ordered to pay IV $10,000 compensation for non-economic loss caused by the interference with his privacy.
Case 3: But that’s our standard practice – “IR” and NRMA Insurance
What happened? IR held a home building insurance policy with NRMA. The policy was jointly held with Ms X. IR also held a number of other policies with NRMA, which were separate from the home building insurance policy held with Ms X. In March 2014, NRMA issued IR with a Certificate of Insurance Home Building Renewal for 2014–2015 which contained details of all IR’s assets insured with NRMA, not just those relating to the policy held with Ms X. The details included full property addresses of other insured properties, policy types and reference numbers.
IR realised that Ms X would obtain a detailed list of all of her other insured assets (not related to the jointly held policy). She complained to NRMA about the disclosure of the other details and later lodged a complaint with the OAIC alleging NRMA had breached her privacy by not taking steps to avoid the unauthorised disclosure of her personal information. NRMA confirmed it had disclosed information about IR’s other policies in the Certificate to Ms X, but said it was part of their normal practice.
What did the OAIC do? The OAIC held that NRMA had breached IR’s privacy by disclosing her personal information to a third party (Ms X). NRMA was ordered to apologise to IR, to pay IR $3,000 and to remove the additional details from the certificates of insurance.
What can I do to keep my business privacy compliant? Day-to-day privacy compliance does not need to be difficult or overly onerous – businesses can work privacy compliance into their day-to-day processes and often in a way that benefits their business. If your business requires any assistance in assessing its current privacy processes or in setting up or developing suitable policies and procedures, please contact Iain Freeman.