Source: Privacy Commissioner
Background
In 2021, a government agency mailed a client’s health information to the wrong address. The agency had the correct street but had misidentified the house number.
The agency had the incorrect address in its systems as the verified address for the client, because a staff member had misheard the street number they said and verified the incorrect address in the agency’s systems. The agency said it had taken steps to verify the address, and so it did not consider it had erred.
The client was not satisfied with this response and complained to the agency. Further enquiries showed that the agency had the client’s correct address details at the time the information was sent to the wrong address but had not updated their file.
The client asked for compensation, but the agency said it did not consider the breach had caused significant emotional harm, because the information that had been sent was “relatively generic.”
However, the client said that their previous experiences meant that the harm of the information being sent to the wrong address was greater for them than it might have been for someone else. The client lodged an application for review of the agency’s decision. The agency was directed by the reviewer to obtain an external opinion on the emotional harm suffered by the client. This independent opinion said the breach had caused significant emotional harm and had exacerbated the client’s pre-existing conditions. Following this, the agency made a compensation offer to the client; however, it miscommunicated how long the client had to consider and accept the offer. The client had lost trust in the agency by this point and was not willing to negotiate with the agency directly.
The client asked our Office to assist, advising that they would like to meet with the agency to discuss how the privacy breach had impacted them and to further attempt to resolve the complaint.
The Rules Applying to this case
This complaint raised issues under rules 5 and 8 of the Health Information Privacy Code 2020 (the Code).
Rule 5 requires agencies that hold health information to ensure that the information is protected by reasonable safeguards to protect against loss, misuse or unauthorised disclosure.
Rule 8 requires agencies to take reasonable steps to ensure that information is accurate, up to date, complete, relevant and not misleading before using or disclosing that information.
OPC’s approach
This was a case where the agency accepted it had breached its client’s privacy, but it didn’t fully understand the harm the breach had caused the client. Further, the relationship between the agency and its client had broken down, such that they weren’t able to resolve the matter between them directly.
We focus on resolving complaints where possible, and instead of investigating we decided to explore a settlement under section 77 of the Privacy Act.
Section 77 provides for the Commissioner to use best endeavours to settle the complaint without an investigation. An investigation may or may not follow if the Commissioner is unable to secure a settlement.
We facilitated a conciliation meeting between the agency, the client and the client’s psychologist, who attended as the client’s support person, and was able to help the client articulate the harm the privacy breach had caused them. It was clear that the breach had exacerbated pre-existing mental health conditions and caused a significant impact on the emotional state and the life of the client.
At the meeting, the agency did a good job of hearing the complainant’s concerns. Its representatives provided the client with a heartfelt apology. The client thanked the representatives and said it was the first time that they felt the agency had listened and understood how they felt. The conciliation meeting ended with both parties agreeing to settle the matter.
As part of this resolution, the agency agreed to pay financial compensation that was more than twice the amount offered previously. The agency also agreed to pay for ongoing psychological treatment to help the client to recover from the interference with their privacy.
The matter was settled, and we closed our file.
Commentary
When agencies are considering whether harm has been suffered by a complainant, it is essential that they seek to understand the actual impact on the client, not what they think the impact should be without having lived that individual’s life experiences. What might not affect one person can have a significant impact on another.
Additionally, it is critical that agencies take responsibility for errors from the outset and put things right early. In this instance, the complaint could have been resolved far earlier if the agency had accepted what had gone wrong earlier, and if it had considered the information it already had, in the form of the independent opinion about the harm the client had experienced.
Instead, the agency’s management of the breach and the subsequent complaint led to a further breakdown in the relationship between the parties, and this meant the matter wasn’t able to be resolved without our Office’s assistance. However, when the parties came to the conciliation with a genuine desire to hear the other and with an intention to resolve the matter and move forward, we were able to facilitate a conversation that allowed that to happen, and both sides to get closure.