Submission - Right to Sue for Serious Invasion of Personal Privacy - Office of the Information

Submission by the

Office of the Information Commissioner

STATUTORY CAUSE OF ACTION FOR

SERIOUS INVASION OF PRIVACY

Queensland A/Privacy Commissioner, Lemm Ex

7 November 2011

The Queensland Office of the Information Commissioner is an independent statutory authority. This submission does not represent the views or opinions of the Queensland Government.

The Office of the Information Commissioner (Queensland) (OIC) generally supports measures strengthening protections against abuses of privacy, particularly where inadequacies with the existing regulatory framework are identified. In principle OIC supports the introduction of a statutory cause of action for privacy.

Queensland has a statutory scheme under which an individual can seek compensation or remedies for a breach of their privacy by a public authority (see detail following). OIC recognises that the rapid growth in the commoditisation of ‘personal information’ and the ease with which information can be obtained, used and disseminated has exposed individuals to new privacy risks or exacerbated existing risks to the point where the adequacy of protections needs consideration.

Queensland privacy law

On 1 July 2009 Queensland enacted the Information Privacy Act 2009 (IP Act). The IP Act regulates how government agencies collect, store, use and disclose ‘personal information’ through obligations to comply with ‘privacy principles’ consisting of:

  • Information Privacy Principles (IPP) – for all government agencies other than Queensland Health; or
  • National Privacy Principles – for Queensland Health;
  • provisions dealing with service providers contracted to government agencies; and
  • provisions dealing with the transfer of personal information outside Australia.

Government agencies include Ministers, Queensland State Government Departments, Local Government and Public Authorities. There is some coverage of the Queensland private sector under the Commonwealth’s privacy legislation – organisations with an annual turnover of more than $3 million per annum and private health care providers.

Additionally, there is a measure of privacy protection in Queensland’s criminal code[1], through the common law of nuisance and for recorded conversation[2].

However, in general terms there is no privacy law applying to acts of privacy breach by individuals, small business or the community sector.

If an individual – who need not be a Queensland citizen - considers that a Queensland government agency has failed to comply with its obligations under the privacy principles, they are able to make a formal complaint concerning the alleged privacy breach. While the IP Act strongly provides the opportunity for the individual and the relevant government agency to settle the subject matter of the complaint between themselves, ultimately the privacy complaint can be referred to the Queensland Civil and Administrative Tribunal (QCAT) for its determination and orders.

QCAT orders are remedial in nature; there is no capacity for it to order punitive measures. QCAT can make an order that the complaint, or a part of the complaint, has been substantiated, together with, if considered appropriate, an order in accordance with one or more of the following:

  • that an act or practice of the respondent is an interference with the privacy of the complainant and that the respondent must not repeat or continue the act or practice;
  • that the respondent must engage in a stated reasonable act or practice to compensate for loss or damage suffered by the complainant;
  • that the respondent must apologise to the complainant for the interference with the privacy of the complainant;
  • that the respondent must make stated amendments of documents it holds;
  • that the complainant is entitled to a stated amount, of not more than $100,000, to compensate the complainant for loss or damage suffered by the complainant because of the act or practice complained of, including for any injury to the complainant’s feelings or humiliation suffered by the complainant;
  • an order that the complaint, or a part of the complaint, has been substantiated together with an order that no further action is required to be taken;
  • an order that the complaint, or a part of the complaint, has not been substantiated, together with an order that the complaint or part is dismissed;
  • an order that the complainant be reimbursed for expenses reasonably incurred in connection with making the complaint.

In summary, there is the capacity for an individual to receive up to a maximum of $100,000 in compensatory damages which can include non-economic loss.

Recourse to QCAT is rarely utilised. In the 22 months since this capacity became available only two privacy complaints have been brought before QCAT with no decision yet made in either matter.

Nonetheless, the capacity for civil action for breach of privacy in QCAT is recognition by the Queensland Government that a citizen should have the right to obtain an enforceable remedy if their privacy has been breached by government. It is too early to tell what effect the spectre of an action in QCAT will have on the management of personal information within government agencies.

With the Queensland experience in this area as the background, OIC offers the following comments on the issues paper A Commonwealth Statutory Cause of Action for Serious Breach of Privacy.

2. Is there a need for a cause of action for serious invasion of privacy in Australia?

Yes.

OIC’s function in privacy complaints is to ‘take all reasonable steps to cause the complaint to be mediated’. Unlike the Commonwealth privacy regime, OIC does not have a determinative role in privacy complaints; in Queensland original jurisdiction for privacy matters vests with QCAT. However a complainant is unable to progress to QCAT unless mediation has at least been considered at OIC.

The right to privacy recognises human dignity and personal autonomy with respect to control over personal information. It is important that these principles are not compromised for the sake of convenience, in circumstances of information overload or simply to make a good story.

From a government perspective poor privacy protection can cause unnecessary harm and distress to individuals, damage public confidence in government and limit the availability of important information for government. It can also result in significant economic loss.

OIC acknowledges that once privacy has been breached, restoration of the complainant’s original position is usually not possible. OIC has found that complainants are generally realistic about the efficacy of remedial orders and compensatory measures. However, they do see a two-fold value in being able to pursue their issue to a conclusion. Firstly, it validates them and their complaint. Privacy complainants commonly report that the way in which their personal information was treated disregarded them as an individual person. They also report that their feelings about how the information was treated were minimised and only considered in a minor way in the agency’s handling of their complaint. Complainants consider that an individual remedy brings the focus back to them as a person.

The second benefit of pursuing a privacy complaint is the deterrent effect. This is reflected in commonly made statements by complainants that they don’t want the breach to be repeated or for it to happen to others. To this end, a privacy complaint and consequent remedial orders can be a means to avoid a repetition of the breach and reduce privacy risks by highlighting non-compliant, outmoded systems and practices.

An invasion of privacy may not be considered “serious” but it still may have significant consequences, including of an economic nature, for the complainant. It is therefore entirely feasible that a number of people will be deprived of being able to pursue the tort if it is framed as ‘serious’.

As an example, in one recent complaint before OIC a small business owner worked in a small well-connected community relying on favourable referrals for his continuing livelihood. The business owner’s criminal history was inadvertently sent to one of his clients.

The client expressed unhappiness with this action but not because of the content of the history, which was relatively minor and of no consequence to their business relationship. Rather, the client’s dissatisfaction was that the client considered the business owner had purposively used them as a mailing address and this had been done without their permission.

The business owner stated that his ‘perceived abuse’ of his client’s address soured the business relationship and that the client’s dissatisfaction was communicated wider in the community. The business owner asserted that this fallout prompted a number of his clients – including the initial client – to either cancel or not renew contracts with him.

While the erroneous mailout appears, on the outside, to be a relatively minor privacy breach, the business owner’s position is that the consequent breakdown in trust had resulted in significant financial loss.

4. Is highly offensive an appropriate standard for a cause of action relating to serious invasion of privacy?

No.

The effects of a privacy breach on an individual will vary according to the individual circumstance. An individual may feel very comfortable expressing their sexual preference amongst their close friends while simultaneously they may be reluctant to do so among family or in their workplace. This is an individual’s right of choice and it should remain so.

The test proposed by the ALRC and the VLRC that ‘the invasion of the expected privacy would be highly offensive to a person of ordinary sensibilities’ is predicated on the twin factors that there is an accepted sensibility about expectations of privacy and that any deviation would result in the individual feeling great offence. The bar imposed by the breach being objectively highly offensive is too high to offer anything but a token tort. This is the standard currently operating in some overseas jurisdictions, most notably New Zealand (NZ). The New Zealand experience is that there have been few successful actions.

In the seminal NZ case of Hoskins v Runting & Anor [3] the Court of Appeal proposed the following two elements for the privacy tort:

  • The existence of facts in respect of which there is a reasonable expectation of privacy; and
  • publicity given to those private facts that would be considered highly offensive to an objective reasonable person.[4]

Despite the Court of Appeal’s fledgling recognition of a statutory cause of action, this was of little assistance to Mr and Mrs Hoskins who were attempting to prevent New Idea magazine from publishing photographs of their young children that were surreptitiously taken while Mrs Hoskins was out shopping.

Privacy law gives the individual a measure of control over what personal information is used and disclosed. It is losing that control due to the actions of others which is the essence of a privacy breach rather than the emotions that may accompany it. Under the proposed standard, it may be difficult to determine that the disclosure of certain information, albeit of a sensitive nature, such as financial details could objectively be considered to be ‘highly offensive’.

It is OIC’s view that the cost of litigation would, of itself, act as a sufficient brake on minor or trivial matters being litigated. As such, the preferable position would be to provide a statutory tort in circumstances where there is a reasonable expectation of privacy.

A careful consideration of the concept ‘reasonable expectation of privacy’ suggests that this concept is sufficiently flexible to allow normal social discourse. For example, a reasonable person would not expect to escape observation in a public place and they may not expect that they could escape their actions being recorded – people are now very familiar with the concept of CCTV surveillance in public spaces. However, they may have an expectation that the observations would not be disseminated to the wider public through, for example, being broadcast over the internet.

Similarly, individuals with a high public profile would have a lesser expectation of privacy than the average citizen and thus they would expect that their public activities would be publicised to a greater degree. However, they would be similarly entitled to expect a degree of privacy in their private lives.

OIC considers that once a reasonable expectation of privacy is established, then a breach of that privacy is a breach. The determination on the seriousness of the breach could be addressed in the question of damages.

If it is considered that some further restriction on access to justice is desirable, the following approach would be preferable to the one proposed. The very high bar of the words ‘highly offensive’, already proven to be too restrictive in overseas jurisdictions, could be made more reasonable and thereby permit a slightly higher level of protection. In a minority judgement in Hoskins, Tipping J proposed the test to be ‘whether publication of the information or material… would in the particular circumstances cause substantial offense to a reasonable person.’[5] OIC recommends that this test would strike an appropriate balance between providing privacy protection and ensuring only significant cases are litigated.

5. Should the balancing of interests in any proposed cause of action be integrated into the cause of action (ALRC or NSWLRC) or constitute a separate defence (VLRC)?

It is a standard privacy principle that an organisation in control or possession of personal information that was obtained for a particular purpose must generally not use it for another purpose unless one of six circumstances applies. In Queensland IPP 10 in the IP Act sets out six circumstances under which this secondary use can occur. Establishing a breach of IPP 10 is thus a two stage test. First, it has to be established that there has been a ‘secondary purpose use’. If that is established, then consideration is given to whether one of the six prescribed exemptions applies.

This is a balanced test in that the complainant has the onus of establishing the first limb while the relevant government agency has the onus of establishing the second limb - the ‘defence’. In this test each party is able to draw upon information that they have better access to. Many of the exemptions are worded to allow the government agency flexibility of use for exigent circumstances – ‘the agency is satisfied on reasonable grounds that use of the information for the other purpose is necessary to…’ The government agency is best placed to submit information on purpose and necessity.

The above analysis can be applied to the statutory cause of action. OIC agrees with VLRC’s position that where a privacy breach has been actioned by an entity because of its reliance on a countervailing public interest, it should not be incumbent on the plaintiff to make the entity’s argument on its behalf. To do otherwise would be to impose an unreasonable expectation on the plaintiff in many circumstances.

7. Is the inclusion of ‘intentional’ or ‘reckless’ as fault elements for any proposed cause of action appropriate, or should it require different elements as to fault?

It is OIC’s experience that many privacy breaches are neither intentional nor reckless. They can occur for reasons such as reliance on an outdated process, thoughtlessness or even misguided benevolence – a medical practitioner may pass on sensitive medical information about a patient to their family with the anticipation this will enable them to assist in the patient’s care.

If it is not intended that the cause of action include a punitive component, then the motivation of the perpetrator is an irrelevant consideration.

Ultimately, it is the individual whose personal information has been abused or misused who suffers the primary damage. OIC considers that the focus should be on the damage and its potential remedy rather than the motivation of the perpetrator. The damage suffered by reason of good intent is every bit as real as that suffered by reason of malice or wilful negligence.

OIC acknowledges the concerns expressed by the ALRC and NSWLRC that including accidental or negligent acts in the ambit of the cause of action is ‘arguably going too far’. While a limited few of the IPPs and National Privacy Principles (NPPs) in the IP Act have a strict liability either in whole or in part,[6] most of the IPPs and NPPs have a reasonableness component which provides a buffer for accidental breach. For example IPP 8 states:

Before an agency uses personal information contained in a document under its control, the agency must take all reasonable steps to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, complete and up to date.

Rather than consideration being given to the motivation of the perpetrator, OIC suggests that the issue as to whether reasonable actions were taken to avert or minimise the privacy breach would, in some cases, form a complete defence to a claim of privacy breach or in other cases go towards mitigation of damages.

For example if personal information is disseminated publicly, perhaps through a media posting, and the publisher had an honest and reasonable belief that the individual consented or did not object to the publication, the belief should be a consideration in any subsequent privacy action concerning the publication.

8. Should any legislation allow for the consideration of other relevant matters, and if so, is the list of matters proposed by the NSWLRC necessary and sufficient?

In Queensland the cause of action lies against a government agency as opposed to an individual within the agency. The government agency has automatic vicarious liability for the actions of its employees, regardless of whether the actions occur in the course of the designated responsibilities of their specific position. If a privacy breach occurs through the inappropriate action of an employee – for example, the employee has accessed the personal information in the agency’s database without authorisation for personal gain – the agency is responsible for all remedial actions required in consequence of the employee’s actions.

It is not clear whether the proposed cause of action will lie against an individual or, if the individual is an employee, against the employer or both. If both, one of the relevant factors that should be considered is the actions taken by the employer to prevent the breach of privacy – in essence, the defences to vicarious liability. While this is arguably contained within Clause 74(3)(a)(vi) – any other conduct of the claimant and the defendant – OIC submits a specific reference to where liability ultimately lies should be incorporated in any legislative scheme.