Source: New Zealand Privacy Commissioner – Blog
The Privacy Act empowers the Privacy Commissioner to receive complaints about breaches of the Privacy Act. The Act compels the Office of the Privacy Commissioner (OPC) to focus on settling complaints and preventing any issues they give rise to from re-occurring.
Section 77 of the Privacy Act 2020 allows OPC to explore settlement without even investigating a complaint. Our Office recently used this power to settle a complaint where the facts of the privacy breach were well known but the parties had been unable to reach a settlement themselves.
The first step, however, is the responsibility of the parties, in particular the complainant. That responsibility is to raise the matter directly with the agency concerned – typically their Privacy Officer – and give them a reasonable opportunity to resolve the matter.
If that settlement attempt has not succeeded, we will consider whether to investigate a complaint. If we do, we will then attempt to facilitate a settlement.
When deciding whether to investigate a complaint, our Office will consider a range of factors, such as the availability of other remedies. One essential requirement is whether there has potentially been an interference with privacy that warrants an investigation.
What is an interference with privacy?
An interference with privacy means an organisation has breached someone’s privacy and they have suffered harm as a result. These requirements are contained in section 69 of the Privacy Act.
Breach and Harm
A breach will usually relate to a breach of one of the privacy principles, but can include a breach of an information sharing agreement or a failure to notify an affected person about a privacy breach.
Harm means that you suffered something significant due to the breach, for example, identity theft. Harm can be actual or anticipated (meaning the consequence has not yet happened).
Harm may include any of the following:
- Loss, detriment, damage, or injury – for example, losing your job
- Negative impact on your rights, benefits, privileges, and obligations or interests
- Significant humiliation, loss of dignity, or injury to feelings. This is a high threshold and is more than merely being embarrassed or annoyed by a breach.
You can read about cases where:
How does our investigation process work?
Our settlement-orientated process is flexible. This means that we can adapt our processes to different cultural, religious, or other needs. We can also facilitate settlement discussions by email, phone, video conferencing, in-person, or a combination of these methods.
Even when a complaint has merit, the settlement is usually non-financial. In the case of a complaint about access to information, obtaining the information is the primary resolution. In the case of records that are inaccurate, it may be that the records are corrected, or a statement of correction is attached to the records. In other cases, an apology, privacy training, or other remedies are sufficient and appropriate.
A large part of our Office’s role is to help parties to determine what is a fair settlement that works for them. This will depend on factors such as the nature of the breach, the harm experienced, and the willingness to resolve the complaint.
In some cases, a financial settlement may be appropriate. Given the Privacy Act requires that there be an interference with privacy, expect to be able to demonstrate how you’ve been harmed before obtaining a financial settlement. For example, if the harm is emotional, your medical practitioner may provide a statement regarding how you were impacted by the breach.
Financial settlement examples
The details of a settlement are commonly not shared publicly. This is because a confidential process often assists in settling a complaint. While needing to respect the confidentiality of settlements, we know that providing some insight into the quantum of settlements can help parties to manage their expectations and reach their own settlements. Note that the financial settlements were often accompanied by other actions, including training for staff, changes to policies, increased prominence given to the Privacy Officer’s role in an agency and other actions.
Since the beginning of 2018, our Office has had approximately 70 complaints where a financial payment was part of settling the dispute. For perspective, in the one-year period to the end of June 2020, we closed 769 investigation files. Here are some examples of settlements and the types of breaches.
Address or contact information disclosure:
- A government agency paid $3,500 after disclosing information about foster parents to the birth parents. The foster parents feared the birth parents would show up and harm the foster child
- A DHB paid $14,000 because it had sent a patient’s medical records (concerning a termination of pregnancy) to her parent’s address despite being asked twice by the patient to update its records
- A government agency paid $17,000 because it had disclosed a person’s address to someone who was about to be released from prison and against whom the person had a protection order
- An agency paid $6,000 because it sent a complainant’s information to another patient due to an incorrectly addressed envelope.
Employee browsing complaints:
- A health agency paid compensation of more than $30,000 after multiple employees accessed sensitive health information about another employee without any justification
- A government employee accessed a man’s criminal record despite having had no contact with the man. The man had a reasonable expectation that his record would be securely stored by the agency and it contained inherently sensitive information. The complainant had suffered stress and anxiety and his feelings had been injured. This complaint was settled with a $4,000 payment.
Inaccurate records (credit related):
- A company paid $5,000 after recording incorrect information about the person having outstanding debts on their records, harming the person’s ability to obtain housing, and causing significant financial and emotional stress resulting in the loss of their employment, a relationship breakdown and mental health issues that were documented by a specialist treatment provider.
- A government agency lost a complainant’s identity documents. The government agency paid $350 to cover the cost of replacing the documents
- A shop paid $2,000 because it had posted a picture of an individual online, wrongly accusing the person of theft
- An employer paid $3,000 to an employee because the details of an employment investigation were accessible to all staff in the organisation
- An agency paid $3,500 for the stress caused by over-collecting sensitive health information about an applicant during a job application process
- An employer paid $4,000 to an employee for the emotional harm and stress he suffered as a result of the employer making audio recordings without his knowledge in a delivery vehicle he operated
- A government agency paid $10,000 to the victim of a privacy breach that resulted in identity theft.
It is important to remember that settlements are specific to their facts and all relevant factors need to be considered. One such factor is that some parties, both plaintiffs and defendants, will put more or less weight on the time and cost of proceeding to the Human Rights Review Tribunal.
What if a settlement can’t be reached?
We cannot compel the parties to reach a settlement. In some cases, we may issue a compliance notice requiring them to do something or stop doing something, or an access direction, requiring them to disclose records.
If no settlement is reached through our process, or the parties don’t agree with it, you may be entitled to take your complaint to the Human Rights Review Tribunal. The Tribunal can award compensatory damages and compel parties to take action to resolve the situation.
It is worth noting:
- There is currently a significant wait time to get a hearing
- Proceedings are generally public
- There can be significant costs associated with the process, and
- You can have costs awarded against you if you are unsuccessful.
For these reasons, complaints generally settle for a ‘discount’ if settled before reaching the Tribunal because there are significant potential costs and risks for both parties in proceeding to the Tribunal.
Damages awards by the Human Rights Review Tribunal
With each case depending on its facts, there is variation in awards made by the Tribunal. In Hammond v Credit Union Baywide  NZHRRT 6, the Tribunal gave some rough guidance. The Tribunal stated that at the less serious end of the scale, awards have ranged up to $10,000. For more serious cases, awards ranged from about $10,000 to $50,000. For the most serious cases, awards could exceed $50,000.
The Tribunal also discussed harm in these cases:
An award of damages seeks to compensate an individual for the harm they suffered. The harm will usually be more serious where the respondent organisation’s conduct has been particularly bad. In the Hammond case, a former employer disclosed an ex-staff member’s personal information to prospective employers. Ms Hammond was able to prove that the respondent maliciously intended to prevent her from gaining future employment and she suffered serious consequences as a result including lost income, humiliation, loss of dignity and injury to feelings. The Tribunal awarded her $168,000 in damages from her previous employer.