The Office of the Australian Information Commissioner’s recent determination in ‘WP’ and Secretary to the Department of Home Affairs highlights the traction that can be gained through a representative complaint that stems from a single data breach – even when the breach was well-contained post-incident.
‘WP’ sets out the approach to determining appropriate compensation for a large group of individuals comprising a representative complaint. In particular, the case confirms the approach the OAIC will take when making determinations about the distribution of compensation for representative complaints which feature individuals suffering different levels of harm. The case also offers useful lessons for organisations dealing with a large-scale data breach.
Background
The complaint concerned a breach of the IPPs in the Privacy Act by the (then) Department of Immigration and Border Protection (DIBP), now known as the Department of Home Affairs.
On 19 February 2014, The Guardian Australia notified the OAIC that a ‘database’ containing the personal information of ‘almost 10,000’ asylum seekers was available in a report on the DIBP website.
The breach occurred when an Excel spreadsheet containing statistical data of 9,258 individuals was mistakenly embedded in a Word document published to the website. (DIBP had a practice of publishing its reports in both Word and PDF formats to assist accessibility of its reports.) This spreadsheet was merely one of the documents used to compile statistics for the DIBP’s official publication.
The data contained full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and reasons why the individual was deemed to be ‘unlawful’. Some of this included ‘sensitive information’ as defined under the Privacy Act, but it was inherently also ‘sensitive’ by common standards – in light of these particular individuals’ vulnerability, and the potential risks to their personal safety as asylum seekers.
DIBP removed the report within an hour of notification. However, in the eight days during which the report was accessible online, it was accessed a number of times, and republished by an automated archiving service.
OAIC’s Own Motion investigation
The OAIC formally investigated the incident in 2014, finding:
- DIBP was aware of the risks of embedding personal information in publications, but its systems and processes did not adequately address them
- as a result, DIBP staff simply did not detect the embedded information when the document was created, or before it was published
- the breach may have been avoided if DIBP had implemented processes to de-identify data in situations where a full dataset was not needed
- the incident was particularly concerning due to the vulnerability of the people involved, and
- ‘prevention far better than cure’ – the breach also demonstrated the difficulties of effectively containing a breach where information has been published online, and highlighted the importance of taking steps to prevent data breaches from occurring, rather than relying on steps to contain them after they have occurred.
The OAIC made a number of recommendations about how DIBP could improve its processes, including requesting that DIBP engage an independent auditor to certify that it had implemented a planned remediation, and provide a copy of the certification and report to the OAIC.
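The breach described above turned on staff not noticing that a Word document carried a whole embedded spreadsheet. The following is an added example, not code from the article or the Department, of a pre-publication check: a .docx is a ZIP container, and an embedded workbook is stored as its own part under word/embeddings/, so a release gate can list those parts and block publication until someone reviews them. The sample document is constructed inline; the part name used for the workbook is an assumption based on Word's usual naming.

```python
"""Pre-publication check for embedded objects in a .docx file (added example)."""
import io
import zipfile

# Word stores embedded OLE/packaged objects (e.g. an Excel workbook) here.
# An object pasted as a picture leaves only a rendered image under word/media/;
# an object embedded as a spreadsheet keeps the full workbook under this prefix.
EMBED_PREFIX = "word/embeddings/"


def find_embedded_objects(docx_bytes: bytes) -> list[dict]:
    """Return one record per embedded part found in the .docx container."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith(EMBED_PREFIX):
                found.append({"part": info.filename, "size": info.file_size})
    return found


def publication_allowed(docx_bytes: bytes) -> bool:
    """Release gate: a document with no embedded parts may be published."""
    return not find_embedded_objects(docx_bytes)


def build_sample_docx(embed_xlsx: bool) -> bytes:
    """Construct a minimal docx-like ZIP; optionally embed a fake workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if embed_xlsx:
            # Constructed stand-in for a statistics workbook; the part name is an
            # assumption based on how Word names packaged Excel objects.
            zf.writestr(EMBED_PREFIX + "Microsoft_Excel_Worksheet.xlsx",
                        b"constructed-fake-workbook-bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for has_embed in (False, True):
        doc = build_sample_docx(has_embed)
        print("embedded parts:", find_embedded_objects(doc),
              "| publish:", publication_allowed(doc))
```

Run it against the real file instead of the constructed sample by reading the .docx bytes from disk; the same check applies to .xlsx and .pptx containers with their own embeddings/ folders.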
The representative complaint
Alongside the OAIC’s ‘own motion’ investigation, the OAIC received over 1,600 complaints from affected individuals. One of these was re-framed as a representative complaint some months later.
Under the Privacy Act, a ‘representative complaint’ can be made by an individual on behalf of other individuals who have similar complaints about an act or practice that may be an interference with their privacy. The Commissioner may make a declaration that class members are entitled to compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint.
Significantly, a representative complaint must also satisfy certain conditions under the Act. It must be able to describe or identify the class members, but it need not specifically name the individuals represented, give the actual number of class members, or have their consent to be represented as class members. These provisions can support representative complaints arising from large scale data breaches involving the same organisation and the same event – even when the organisation has acted quickly to contain an inadvertent data breach, and may have resolved a portion of complaints directly.
The representative complainant sought a declaration that the 9,258 class members were entitled to an apology from the Department, compensation for economic and non-economic loss, and aggravated damages. Conciliation was unsuccessfully attempted.
The OAIC then gave notice to all affected individuals to give them the opportunity to provide specific information about loss or damage suffered as a result of the breach, to assist its decision on entitlement to compensation under the representative complaint. The notice set out the key information encouraged from complainants, how it should ideally be assembled and submitted, and gave a due date for response, which was subsequently extended.
OAIC’s approach to remedy and determination of entitlement
Amongst other things, the January 2021 decision set out the OAIC’s approach to compensation for the 1,297 class members who made submissions or provided evidence about their loss within the timeframe allowed. It established an overall scale for the quantum of damages, with sub-categories within that scale, but left it to DIBP to manage the process of assessing each individual against their alleged loss, building in additional tiers of review.
Six categories of loss were established for both economic and non-economic loss. These ranged from no payment for non-economic loss where individuals did not make any submission or give evidence about impact, through scaled sums for varying degrees of embarrassment, anxiety or distress, to over $20,000 for individuals who provided evidence of ‘extreme loss or damage resulting from the breach’, such as specific psychiatric harm.
Existing case principles for interpreting causation were also applied to assess loss. These principles emphasise that:
- causation is a question of common sense and experience, determined on the facts of each case
- in law, causation is a question of identifying where legal responsibility should lie, rather than examining the cause of the event from a scientific or philosophical viewpoint
- a ‘but for’ analysis is not a sufficient test for causation, although it may be a guide; and
- where there are multiple elements, each one sufficient on its own to have caused the loss, the causation test may be considered satisfied by each one of them.
The case also illustrates the importance of looking at loss from the perspective of the individual impacted – rather than how most people might be ‘expected’ to have been impacted. This is important when looking at the potential fall-out from a mass data breach. A single incident may involve the release of the exact same information about multiple people, but it can have different consequences for different individuals and give rise to a wide range of reactions.
The take-aways
So what can organisations learn from a data breach that morphs into a representative complaint?
For starters, how important it is to know your data. Just recently we highlighted the Flight Centre case, in which a group of competitors in a ‘design jam’ event were inadvertently able to access the credit card and passport numbers of almost 7,000 customers. In both the Flight Centre case and this one, the people responsible for publishing or sharing records had no idea that the records even contained personal information.
Second, the proactive assessment of risks concerning use of large datasets is obviously more efficient than mopping up after the fact. Yet all too often, Privacy Impact Assessments are not undertaken. Privacy risk management needs to be embedded in organisational culture.
Third, for many organisations managing large datasets, these sorts of breaches should be seen as ‘not if, but when’. When a large-scale data leak bursts and complainants come forward, they may come from many different sources – individually and directly, via media, regulators, lawyers, support organisations, or other complainants as members of a class. They may arrive in a trickle or a flood, and build over short or very extended timeframes. You will need to be prepared with a Data Breach Response Plan, and with a complaints-handling procedure.
Fourth, you will also need to be prepared financially: not only did OAIC’s determination deal with damages for loss, but there were additional costs for the Department in this case, including the appointment of auditors and external expert assessors.
Finally, complaints must be handled sensitively to avoid escalation, and you will need to be alive to the possibility that disclosure of the same data will lead to different and wide-ranging impacts for different individuals.
For more guidance on how to handle a privacy complaint, and the quantum of compensation typically ordered, see our Checklist – Handling a Privacy Complaint. The Checklist offers a nine step process to follow when handling a privacy complaint about a breach of the APPs, from initial acknowledgement of the complaint through to finalisation, and includes a table summarising all OAIC determinations up to 31 January 2021 in which compensation was ordered. Along with our template Data Breach Response Plan, the Complaint-Handling Checklist is included in a number of our Privacy Law Compliance Kits.