Written by Michael Swinson, Luke Hawthorne and Ben Nicols.
On 11 January 2021 the Australian Information Commissioner and Privacy Commissioner (the Commissioner) made a determination 'WP' and Secretary to the Department of Home Affairs (Privacy) [2021] AICmr 2, ordering the Department of Home Affairs to compensate over 1,297 asylum seekers for inadvertently publishing their personal information online in 2014.
The decision includes the first award for non-economic loss by the OAIC in a representative action, expected to range between $500 and more than $20,000 for each class member who provides a submission or evidence that substantiates non-economic loss. Critically, the Commissioner has set out a procedure to assess each class member's loss on a "case-by-case" basis, reflecting a view that it is essential to consider individual circumstances when assessing loss of this nature.
Background
The Department accidentally made public a database containing the personal information of asylum seekers held on Christmas Island and in a mainland detention facility. Information, including full names, nationalities, dates of birth, gender and boat arrivals, was accessible for eight days on the Department's website and a further seven days on Archive.com before it was removed. The Commissioner commenced an own motion investigation and concluded in November 2014 that the Department had contravened the Privacy Act 1988 (Cth). The breaches, which related to the improper disclosure of personal information, and the failure to put in place reasonable security safeguards were acknowledged by the Department. The Commissioner's recent determination was made in response to a representative claim brought by individuals affected by the Department's breaches, and as the first instance in which non-economic loss has been awarded in such a claim will serve as an important reference for future claims brought under the Act.
Determination of compensation for non-economic loss
The Commissioner determined that those asylum seekers that made submissions (1,297 out of a total of 9,250 affected) should be paid compensation for non-economic loss or damage arising from the data breach. The determination provides for a range of compensation for non-economic loss from $500 to more than $20,000 based on the level of harm suffered by each relevant individual, suggesting total compensation payable of between $650,000 and $25.94 million for the Department (and potentially more if the claimants are also able to establish they suffered economic loss). Consistent with previous determinations made in response to individual complaints, the Commissioner expressly adopted the AAT decision of Rummery and Federal Privacy Commissioner and Department of Justice and Community Safety [2004] AATA 1221 as authority for the following positions:
- where a complaint is substantiated and loss or damage is suffered, the legislation contemplates some form of redress in the ordinary course;
- awards should be restrained but not minimal;
- in measuring compensation the principles of damages applied in tort law will assist although the ultimate guide is the words of the statute;
- in an appropriate case, aggravated damages may be awarded; and
- compensation should be assessed having regard to the complainant's reaction and not to the perceived reaction of the majority of the community or of a reasonable person in similar circumstances.
The process for determining that compensation was lengthy, partially because the Commissioner sought to enable each class member to make individual submissions in relation to the harm alleged to have been suffered:
- In January 2018, the Commissioner gave notice that if class members believed they had suffered loss or damage as a result of the data breach and wanted the opportunity to seek compensation for that loss or damage, they needed to provide information about their loss or damage to the OAIC. Class members were initially given until 14 April 2018 to respond to the Notice.
- The deadline was subsequently extended on two occasions to 19 October 2018. The OAIC continued to accept responses after the deadline from persons who had outstanding information requests to the respondent as at 19 October 2018, or had not received a response to their request for information from the respondent by 10 September 2018. Class members who fell within these categories were permitted to provide a response within 40 days of receipt of the decision on their information request and the material the subject of that decision.
- The OAIC also granted some class members a further 40 days to respond for each file released by the respondent to them after 26 November 2018, and up to and including 31 January 2019. The final date for providing submissions was 22 April 2019.
After considering the submissions and evidence, the Commissioner determined that there were five categories of loss or damage in total:
Non-economic loss category | Description of loss or damage | Compensation range
0 | The individual has not provided a submission and/or evidence that substantiates loss or damage resulting from the data breach | $0
1 | General anxiousness, trepidation, concern or embarrassment, resulting from the data breach | $500 - $4,000
2 | Moderate anxiousness, fear, pain and suffering, distress or humiliation, resulting from the data breach, which may cause minor physiological symptoms, such as loss of sleep or headaches, and may result in a consultation with a health practitioner | $4,001 - $8,000
3 | Significant or prolonged anxiousness, fear, pain and suffering, distress or humiliation, resulting from the data breach, which may cause psychological or other harm, and may result in a prescribed course of treatment from a general practitioner | $8,001 - $12,000
4 | The development or exacerbation of a mental health condition as a result of the data breach, resulting in a referral to a mental health specialist for treatment | $12,001 - $20,000
5 | Extreme loss or damage resulting from the data breach | more than $20,000
The Commissioner indicated in the determination at [76] that these categories are specific to the circumstances outlined in this representative complaint and are not intended to be used as a formula for determining compensation for non-economic loss in privacy matters more generally. Having identified the five categories of loss, the Commissioner determined that each claim should be assessed on a "case-by-case" basis to determine how it should be categorised.
Aggravated damages were refused
At [86], the Commissioner determined that in the circumstances of this case, an award of aggravated damages was not justified for the following reasons:
- the data breach occurred inadvertently;
- the Department promptly took steps to address the underlying cause of the data breach;
- the Department commissioned an independent investigator/auditor to investigate the data breach, and provide recommendations to prevent reoccurrence of a similar data breach;
- the Department also adopted and implemented a number of the independent investigator/auditor's recommendations; and
- the Department apologised to class members, and cooperated with the OAIC throughout the representative complaint process.
These factors again highlight the importance of proactive engagement with the OAIC where data breaches occur, particularly following implementation of the notifiable data breaches scheme.
Next steps to assess the loss and quantify the compensation for each class member
In the determination, the Commissioner observed at [54]:
…an evidentiary basis is required to make a declaration s 52(1)(b)(iii) that a complainant is entitled to compensation. This is particularly the case in respect of non-economic loss, which is of an inherently personal nature and is not sufficiently common in this case to lend itself to a declaration that all class members are entitled to the same kind or amounts of compensation without some evidence from those class members as to their loss.
This indicates that each class member's claim is, in effect, to be treated as a unique case. From here the process to determine the quantum of compensation for each claimant will run as follows:
- the Department will assess each of the 1,297 claims by taking into account each claimant's submissions and evidence of loss or damage, in accordance with the categories of loss or damage as determined by the Commissioner;
- the Department will then communicate this figure and the evidence for this to each of the claimants to seek agreement on the amount of compensation; and
- if the Department and claimants are unable to agree on an amount, the Commissioner will decide the amount based on further submissions by the Department and each relevant claimant.
This will no doubt be a complex and involved undertaking, and the Commissioner expects it will take a further 12 months to resolve. Given the large number of claims, this represents a significant administrative burden for all involved. It serves as a warning both to organisations responsible for large scale data breaches and also for those individuals that are affected, who will need to substantiate any non-economic loss they claim to have suffered if they hope to receive compensation. The likely need for specific evidence of each individual case will be a challenge that those coordinating future representative complaints will need to be mindful of. The determination will be subject to a number of appeal pathways, including merits review by the Administrative Appeals Tribunal.