Identifying Realistic Outcomes In Privacy Complaints
One of the purposes of the Privacy and Data Protection Act 2014 (PDP Act) is to provide remedies for individuals when their privacy is interfered with by a Victorian Government organisation or local council. That is, to provide a legal way for you to stop an organisation from interfering with your privacy, and to require the organisation to fix any damage that their interference with your privacy might have caused. You can access these remedies by making a privacy complaint.
Privacy complaints are primarily about setting things right for you, rather than punishing individuals or organisations for doing the wrong thing. The Information Commissioner has other powers, separate from the complaints process, by which he can hold public sector organisations to account.
At the Office of the Victorian Information Commissioner (OVIC), our job is to try to resolve privacy complaints by conciliation. When you bring your privacy complaint to OVIC, one of the first things that we will ask you is: “What would you like the organisation to do to resolve the matter?” The purpose of this information sheet is to help you answer that question.
There are no formal limits on what you can ask for, but remedies should be fair, practical and proportionate to the harm you’ve suffered. It’s also helpful to consider your requests from the organisation’s point of view — some remedies are easier to provide than others, and some things may be beyond the power of the organisation to provide.
Finally, only the Victorian Civil and Administrative Tribunal (VCAT) can order an organisation to provide you with a particular remedy. That means that it is ultimately VCAT who determines whether or not you are legally entitled to a particular remedy. Because of this, it is useful to consider how VCAT might view your complaint and the remedies you are seeking.
Public sector organisations should be prepared to admit their mistakes and correct them. If an organisation has interfered with your privacy, it should be willing to offer a remedy that is fair, practical and proportionate to the seriousness of the issue. The goal of conciliation is to bring the parties together to talk about what this might look like.
How have you been affected?
Privacy means different things to different people, and the impact of a privacy breach may vary depending on the context and circumstances of the affected individual. For example, a person who operates a small business from home may not be concerned if an organisation accidentally publishes their home address online — indeed, they may publish the address themselves as part of their business activities — but for a celebrity or a person in witness protection, the same accident might cause significant harm.
Because privacy is so personal, it can be difficult for organisations to know what the appropriate remedy for an interference with your privacy should be. This is why the conciliation process starts with you — we need you to explain how the interference with your privacy has affected you, and what you think needs to happen to set things right.
Common outcomes sought in conciliation
Each complaint is different, and every outcome is dependent on both parties being willing to agree on a way to resolve the complaint. Some commonly sought outcomes include:
- an explanation of what occurred;
- an apology;
- a change of procedures;
- education of staff on privacy issues;
- action remedying loss or damage suffered; or
- compensation for loss or damage suffered (including injury to feelings or humiliation suffered) as a result of the alleged privacy breach.
FAIR, PRACTICAL AND PROPORTIONATE
Conciliation is about finding common ground, so when you’re thinking about what to ask for, it’s helpful to aim for something that the organisation might be able to agree to. As a guide, try to consider whether your requests are fair, practical and proportionate to the harm you’ve suffered.
A fair remedy is one that is just and equitable and in line with community standards. Remedies should be related to the harm that has been suffered and fair for everybody involved, including third parties who might be affected. For example:
- If you have incurred financial costs as a direct result of an organisation’s mistake, it might be fair to expect that organisation to reimburse you for those costs.
- It might not be fair to impose substantial punishments (such as fines, termination of employment or imprisonment) on an individual simply because they made a clerical error that led to a privacy breach (such as mistyping an email address).
- If you applied for a job and there was a privacy breach during the recruitment process, it would not be fair to the other applicants for the organisation to give you the job to make up for the privacy breach.
A practical remedy is something that is reasonably possible for the organisation to deliver. Some things might be impractical because they are difficult or impossible to deliver, or because they are not permitted by law. For example:
- If personal information has been lost or stolen, it may not be possible for the organisation to recover it. Depending on the circumstances, it may not even be possible for an organisation to provide an adequate explanation of how the information was lost or stolen. It may be more practical to focus on how the organisation can protect you from harm or prevent future breaches.
- Because of unfair dismissal laws, organisations are not normally able to fire an employee in order to resolve your privacy complaint. If your complaint relates to misconduct or a mistake made by a specific individual, the organisation will need to manage that individual according to its own internal disciplinary procedures, separately to your complaint. As noted above, privacy complaints should focus on remedying any harm caused, rather than punishing misconduct.
- Due to their record keeping obligations, organisations may not be able to simply ‘delete’ personal information that they hold. A more practical remedy might be to annotate, archive or restrict access to the information.
A proportionate remedy matches with the harm that has resulted from the interference with your privacy. If a privacy breach has only caused you minor inconvenience, it may not be proportionate to expect an organisation to fire their CEO, publish an apology in a major newspaper, or pay more than nominal monetary compensation. It may be more proportionate to provide additional training to the officer that made the mistake, apologise in person and cover any expenses that you incurred.
The PDP Act allows VCAT to award compensation of up to $100,000 for loss or damage (including humiliation or injury to your feelings) that you have suffered as a result of an interference with your privacy. However, VCAT has never made such an award, so it is difficult to assess how much you might be entitled to in a given situation.
In the absence of any Victorian rulings, determinations made by the Australian Information Commissioner under the Privacy Act 1988 (Cth) provide a useful guide (under the Privacy Act 1988 (Cth), the Australian Information Commissioner has the power to make determinations and order the payment of compensation in relation to privacy complaint).
Awards made by the Australian Information Commissioner range from $1000 – $3000 in less serious cases up to almost $25,000 for the most serious and high impact breaches. The maximum that the Australian Information Commissioner has awarded for ‘non-financial loss’ is $20,000. This amount was awarded when an individual’s health information was published on a website for over a year, causing humiliation and resulting in a deterioration of the complainant’s pre-existing stress and anxiety (confirmed by a psychologist and psychiatrist).
Large claims for monetary compensation may need to be supported by evidence. In the case of financial costs incurred as a result of a privacy breach, invoices and receipts may suffice to support your claim. If you are seeking a large amount of compensation on the basis of humiliation, stress or injury to feelings, you may need to produce other evidence, such as a letter from your doctor, bills for psychologist visits or evidence of time taken off work for stress.
This kind of evidence can be very persuasive at the conciliation stage, and is often necessary in order to substantiate your claim should the matter be referred to VCAT for hearing.
WHAT HAPPENS IF YOU CAN’T AGREE
You should also consider what the outcome is likely to be if your complaint is not resolved at conciliation. If conciliation fails you have two basic options:
- you may choose not to pursue the matter further, or to pursue it through some other legal or political mechanism, rather than as a privacy complaint under the PDP Act. In some cases, pursuing your objectives outside of the PDP Act might be your best option. For example, if your primary goal is to get access to particular documents or to correct information, making a request under the Freedom of Information Act 1982 (Vic) is likely to be a more effective approach.
- you may choose to have your privacy complaint referred to VCAT for hearing.
What happens at VCAT
VCAT is a tribunal that hears and decides civil and administrative legal cases. When hearing a case, VCAT will allow all parties a chance to give and hear evidence, ask questions of you and your witnesses, and provide supporting documents. After listening to the evidence and arguments, a VCAT will make a legally binding determination about whether your privacy has been interfered with, and if it has, what remedies you are entitled to.
At VCAT, the burden of proof falls on the person making the complaint. That means that you will be required to produce evidence to convince the Tribunal that your privacy has been interfered with in the way that you claim.
If is satisfied that your privacy has been interfered with, the Tribunal might:
- uphold the complaint but take no further action — for example, if it found that your privacy had been interfered with, but that you had not suffered any harm, or if the organisation had already compensated you appropriately.
- order the organisation to stop or not repeat the acts complained of — for example, if your complaint relates to an ongoing act or practice that interferes with your privacy.
- order the organisation to take some action that will redress any loss or damage that you have suffered (including humiliation or injury to your feelings) — for example, to apologise to you or to contact a third party or publish a statement to try to address some reputational damage.
- order the organisation to pay you compensation of up to $100,000 for loss or damage that you have suffered (including humiliation or injury to your feelings) — for example, to reimburse you for financial costs caused by the interference or pay you an amount to compensate for emotional harm.
It is important to note that consistently with the purpose and principles underlying the privacy complaints system, which are outlined in the introduction to this document, VCAT’s powers are limited to stopping an organisation from interfering with your privacy, and/or requiring an organisation to fix any damage that their interference with your privacy might have caused. VCAT cannot make orders to punish individuals or organisations for wrongdoing.