
How do you put a price on your harm after a privacy breach?

This guidance is to support complainants to identify what harm has been suffered directly because of a breach of their privacy, understand when financial compensation may be provided as part of a privacy complaint, and consider how to measure their harm in monetary terms.

What does the PDP Act say about financial compensation?

The Privacy and Data Protection Act 2014 (Vic) (PDP Act) provides a process for individuals to seek redress from organisations[1] when an act or practice has occurred that breaches their privacy (a privacy breach). This process is through:

  • OVIC’s conciliation of privacy complaints; or
  • where OVIC cannot first resolve the privacy complaint, legal proceedings at the Victorian Civil and Administrative Tribunal (VCAT).

While financial compensation can be achieved through OVIC’s conciliation process, or ordered by VCAT, it is important to be aware that not all privacy breaches warrant financial compensation, even if an organisation has conceded its actions were non-compliant. This is because other remedies may be more appropriate in the circumstances, such as an apology or change in process.

Under the PDP Act, financial compensation may be provided following a privacy complaint where:

  • an organisation has conceded during OVIC’s conciliation, or VCAT has determined, that an act or practice is not compliant with one or more Information Privacy Principles causing an interference with a complainant’s privacy; and
  • any loss or damage suffered by that complainant can be clearly tied to the act or practice undertaken by the organisation that caused the interference.

Types of financial compensation that can be awarded

Financial compensation for ‘economic loss’

Financial compensation may be awarded where a privacy breach has caused a complainant to suffer financial loss, such as out of pocket costs. The aim of the financial compensation is to restore the complainant back to the position they would have been in, if the privacy breach had not occurred.

It is important to understand that the PDP Act does not envisage compensation for potential future losses that are speculative in nature. This means that while you can potentially claim for reimbursement for legal costs reasonably incurred directly related to the privacy breach, you cannot claim for potential future legal costs.

At this time, there has not been a complaint under the PDP Act where VCAT or another court has ordered financial compensation for economic loss. However, privacy complaints in other jurisdictions, and conciliation settlements with OVIC, have included compensation for certain expenses incurred where they directly relate to the privacy breach.

For example, in some instances organisations have provided financial compensation to reimburse the costs of:

  • an agreed number of psychology sessions; or
  • a subscription to identity or financial monitoring services.

Financial compensation for ‘non-economic loss’

Financial compensation may be awarded where a privacy breach has caused a complainant to suffer non-economic loss – sometimes known as emotional harm – including distress or humiliation. Financial compensation for emotional harm is the most frequently sought type of remedy for loss or damage in privacy complaints.

As the nature and extent of harm caused by a privacy breach differs from person to person, emotional harm can be more difficult to measure and quantify.

VCAT has only awarded financial compensation to Complainants in such circumstances on two occasions, for $1,000 and $9,000. These amounts were awarded for the ‘hurt feelings’[2] and ‘humiliation and distress’[3] demonstrated by the Complainants after the actions of the organisations were determined to be non-compliant.

Financial compensation for non-economic loss has also been achieved through conciliation settlements with OVIC; however, it is not provided in all circumstances, and there is no automatic entitlement to financial compensation where a privacy breach has occurred.

Understanding the source of your harm

Privacy breaches are rarely an isolated event.

Sometimes a complainant may be experiencing emotional harm due to events that happened before the incident with the organisation, or emotional harm caused by other triggers within their personal or professional lives. This can make it challenging to disentangle the emotional harm caused by a privacy breach from other emotional harm caused by non-privacy matters.

When thinking about emotional harm, it can be useful to reflect on:

  • the types of feelings you are having;
  • when you first started to have those feelings; and
  • what happened for you to feel that way.

This process can help to identify what harm is attributable to the privacy breach, assist a complainant to express what questions they have for an organisation about what has taken place, and help to consider what procedural changes may prevent a similar act or practice from occurring again.

As an example, an individual may feel stressed and upset about receiving negative feedback from their manager at work. If the same individual is approached by two colleagues a month later who have seen an email containing the same feedback, and this leaves the individual feeling distressed and humiliated – they have the right to make a privacy complaint. In making a privacy complaint, the emotional harm from the privacy breach would only be linked to the distress and humiliation of others having seen the feedback – not the initial stress and upset of receiving the feedback.

VCAT has been clear that there is a need to separate out the various causes of harm when considering the impact of a privacy breach, and that while organisations may hold some responsibility for any emotional harm incurred, organisations are not liable for the harm caused by others, or for existing long-term distress.

For example, in NLD v DFFH,[4] VCAT accepted that DFFH’s inappropriate disclosure of the complainant’s previous sexual assault caused the complainant to experience flashbacks and feelings of humiliation. VCAT acknowledged that DFFH was not responsible for the Complainant’s long term distress about the crime that occurred, and that some of the distress experienced by the Complainant may have been related to the fact the Complainant had not sought counselling after the assault. Therefore, VCAT concluded that the organisation was only liable for some of the Complainant’s harm and $9,000 was awarded for non-economic loss.

Considering your harm in monetary terms

Assessing harm from a privacy breach is not an exact science. Not everyone responds to a privacy breach in the same way, and it can be challenging to put a number on something that has impacted you emotionally.

For example, a letter sent to the wrong address may cause minor frustration to one individual for not receiving it on time – but for another individual it could reveal their location or contact information to a perpetrator of family violence and cause serious mental and physical harm.

When making a privacy complaint, individuals should have an amount of financial compensation in mind that they consider would remediate the impact and harm they have suffered due to the privacy breach, and which they would be willing to accept from an organisation to resolve the complaint.

It is uncommon for organisations to make an offer without understanding the complainant’s perspective. This is because OVIC and VCAT encourage organisations to assess harm by looking at the impact to the particular complainant and their reaction, and not to the perceived reaction of most of the community or of a reasonable person in similar circumstances.[5]

Therefore, individuals will need to think about their harm and identify the amount that is most likely to remediate the impact and harm of the privacy breach.

The impact and harm of a privacy breach falls on a spectrum.

At one end, a privacy breach may cause little to no harm or impact as the individual is simply annoyed, frustrated or inconvenienced – these privacy breaches are often resolved with an apology, an explanation or an action taken to improve processes or procedures to prevent it from occurring again and are unlikely to warrant financial compensation.

At the opposite end of the spectrum, a privacy breach may result in severe humiliation, loss of dignity, distress and impacts to physical safety. Where individuals are impacted by these types of breaches, there is often greater evidence of harm that can be substantiated both through the explanation of the individual and supporting documentation to establish the severity of the impact of the privacy breach. These types of privacy breaches are more likely to warrant financial compensation; however, it is uncommon to receive more than $15,000 to $20,000.

Other privacy breaches will fall within the middle of the spectrum, and may result in moderate harm, including some reputational damage, reactivation of psychological symptoms and distress. Whether financial compensation for these types of breaches is offered varies greatly depending on what has occurred and what harm is demonstrated. In OVIC’s experience it is uncommon for complainants to receive more than $10,000 for these types of breaches – and most compensation payments fall between $500 and $5,000.

Although there is a statutory maximum of $100,000 for compensation in the PDP Act, this amount has never been ordered by VCAT, nor achieved through OVIC conciliation.

What to expect from OVIC when discussing financial compensation

During conciliation, we often ask individuals about what has happened and the impact it has had on them in their own words.

We may:

  • ask you questions about your feelings, and whether there are other factors that may be contributing to them
  • ask you to provide more information to be shared with the organisation to help it understand the harm you have suffered, in your own words
  • ask you to provide any evidence of the harm you have suffered. This can also help you to prepare for VCAT if conciliation fails
  • inform you or the organisation that from our experience the amount being sought or offered is, or is not, reasonable or proportionate.

We take these steps to encourage the parties to consider fair, reasonable and proportionate amounts of financial compensation to resolve complaints through OVIC without having to resort to VCAT.

How to communicate your harm

Ensuring the organisation understands the impact and harm a privacy breach has had on an individual is crucial for the consideration of financial compensation.

Individuals can express their harm in their own words when completing OVIC’s privacy complaint form. Further, during OVIC’s conciliation process individuals can provide a statement, or use OVIC’s Complainant Impact Statement Template to assist in setting out the economic and non-economic harm.

Individuals may also think about what other evidence they have to support themselves in demonstrating harm. For example, text messages or emails establishing an imminent or serious risk to their physical safety; receipts or invoices of costs incurred; or medical evidence.

There are no set criteria for what evidence should be provided. However, VCAT has indicated that the greater the amount of compensation being sought, the greater the evidence required. For example, in NLD v DFFH, VCAT indicated a greater amount may have been provided if medical evidence was provided.[6]

  1. ‘Organisations’ to which the PDP Act applies are set out in section 3 and include Departments, local government, universities and water corporations.
  2. Zeqaj v Victoria Police [2018] VCAT 1733.
  3. NLD v Department of Families, Fairness and Housing (Human Rights) [2023] VCAT 544.
  4. NLD v Department of Families, Fairness and Housing (Human Rights) [2023] VCAT 544.
  5. Zeqaj v Victoria Police [2018] VCAT 1733 at [155] citing principles from Hall v A & A Sheiban Pty Ltd [1989] FCA 92 and adopted by the Administrative Appeals Tribunal of Australia in Rummery and Federal Privacy Commissioner and Anor [2004] AATA 1221.
  6. NLD at [97].

Page details

Last updated 30 July 2025
