Stephens Lawyers & Consultants provides a review of the compensation awarded in determinations made during the years 2016-2019 by the Office of the Australian Information Privacy Commissioner in relation to privacy breaches. Case summaries are provided after the Table of Cases.


| CASE | PRIVACY PRINCIPLES BREACHED | COMPENSATION RECEIVED |
| --- | --- | --- |
| ‘RC’ and TICA Default Tenancy Control Pty Ltd (Privacy) [2019] AICmr 60 (22 August 2019) | NPP 1.5 | $1,500 for non-economic loss |
| ‘QP’ and the Commonwealth Bank of Australia Limited (Privacy) [2019] AICmr 48 (28 June 2019) | APP 10.2 | $15,000 for non-economic loss |
| ‘QF’ & Others and Spotless Group Limited (Privacy) [2019] AICmr 20 (28 May 2019) | NPP 2 and 4 | A total of $60,000 for non-economic loss shared between 14 Complainants |
| ‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51 (23 March 2018) | NPP 2 | No compensation was awarded |
| ‘LU’ and Department of Defence (Privacy) [2017] AICmr 61 (26 June 2017) | IPP 4 and 10 | $10,000 for non-economic loss; $3,000 for expenses reasonably incurred |
| ‘LS’ and ‘LT’ (Privacy) [2017] AICmr 60 (26 June 2017) | APP 12.5 and 12.9 | $1,000 for non-economic loss |
| ‘LP’ and The Westin Sydney (Privacy) [2017] AICmr 53 (7 June 2017) | APP 3.5 | $1,500 for non-economic loss |
| ‘LB’ and Comcare (Privacy) [2017] AICmr 28 (24 March 2017) | IPP 4 and 11 | $20,000 for non-economic loss; $3,000 for expenses reasonably incurred |
| ‘LA’ and Department of Defence (Privacy) [2017] AICmr 25 (17 March 2017) | APP 6 | $12,000 for non-economic loss; $3,420 for expenses reasonably incurred |
| ‘KB’ and Veda Advantage Information Services and Solutions Ltd [2016] AICmr 81 (25 November 2016) | Sections 20N(1), 20N(2), 20P and 20S(2) of the Privacy Act 1988 (Cth) | $10,000 for non-economic loss; $5,830 for expenses reasonably incurred |
| ‘JO’ and Comcare [2016] AICmr 64 (21 September 2016) | APP 6 and 11 | $3,000 for non-economic loss |
| ‘IY’ and Business Service Brokers Pty Ltd t/a TeleChoice [2016] AICmr 44 (30 June 2016) | APP 11.1 and 11.2 | $3,500 for non-economic loss |
| ‘IX’ and Business Service Brokers Pty Ltd t/a TeleChoice [2016] AICmr 42 (30 June 2016) | APP 11.1 and 11.2 | $3,500 for non-economic loss |
| ‘IV’ and ‘IW’ [2016] AICmr 41 (27 June 2016) | APP 6.1 and 10.2 | $10,000 for non-economic loss |
| ‘IR’ and NRMA Insurance, Insurance Australia Limited [2016] AICmr 37 (27 June 2016) | APP 6 and 11 | $3,000 for non-economic loss |

SUMMARY of CASES (2016 – 2019)

‘RC’ and TICA Default Tenancy Control Pty Ltd (Privacy) [2019] AICmr 60

Date of Decision: 22 August 2019

Heard By: Australian Information Commissioner and Privacy Commissioner, Angelene Falk

Type of Personal Information Disclosed:

The Respondent maintained a public record database (‘PRD’), collated from publicly available sources, such as daily court lists.

The Commissioner found that the following information, which was published and disclosed in the Respondent’s PRD without the Complainant’s knowledge, contained ‘personal information’ about the Complainant within the meaning of Section 6 of the Privacy Act:-

  1. The names of the parties to a proceeding in the NSW Civil and Administrative Tribunal (‘NCAT’) being the Complainant and the NSW Land and Housing Corporation;
  2. The number of that proceeding;
  3. The hearing date of that proceeding (19 February 2014)
  4. The venue for that proceeding.

The Complainant’s name in that PRD listing was listed as her first initial followed by her surname.

Privacy Breach:

Breach of National Privacy Principle (NPP) 1.5 by the Respondent collecting personal information about the Complainant from someone else without taking ‘reasonable steps’ to ensure that the Complainant was or had been made aware of the matters listed in National Privacy Principle (NPP) 1.3 – including how the personal information was collected and used.

The Complainant only became aware of the listing in the Respondent’s PRD when she was alerted to it by an employee of a real estate agent in late February, 2014 while she was looking for private rental accommodation.

When asked by that real estate agent to confirm it, the Complainant confirmed that she was the party referred to in that PRD listing.

The PRD listing was again accessed by another real estate agency on 5 March 2014.

The Complainant applied to NCAT to have the PRD listing removed on 4 April 2014.

The Complainant submitted information:-

  • that had she been made aware of the listing she would have been better prepared to discuss the situation with real estate agents; and
  • that by the time she was made aware of the PRD listing, the damage had already been done and she had to contact the Respondent and commence proceedings in the NCAT at her own expense, causing her and her family significant distress and inconvenience.

Damages Award:

$1,500 for non-economic loss


‘QP’ and the Commonwealth Bank of Australia Limited (Privacy) [2019] AICmr 48

Date of Decision: 28 June 2019

Heard By: Australian Information Commissioner and Privacy Commissioner, Angelene Falk

Type of Personal Information Requested:

In connection with and for the purposes of verifying information provided by the Complainant in the Complainant’s home loan applications with certain credit providers:-

  1. The Complainant’s credit history with the Respondent;
  2. Repayment status of Complainant’s credit card with the Respondent.

Privacy Breach:

The Complainant previously held a credit card for his business with the Respondent (‘CBA credit card’).

On 15 November 2013, the Respondent had assigned to the Credit Corp Group (CCG) ‘all its right, title and interest’ in the Complainant’s remaining CBA credit card debt. The following month the Complainant sold his house as he was unable to refinance his home loan to pay off an unrelated debt.

On 15 January 2015 CCG wrote to the Complainant advising that the CBA credit card debt had been paid off and finalised.

Between 2013 and 2014, the Complainant and his wife applied for home loans with six (6) different credit providers, all of which were declined.

In March 2015, the Complainant and his wife again applied for a joint home loan, this time with Liberty Financial Pty Ltd (Liberty).  This home loan application was conditionally approved by Liberty but subsequently declined, resulting in the Complainant being unable to proceed with the purchase of a property in May 2015.

Upon being phoned by the Complainant’s wife, Liberty advised her that it had declined their loan application because they had failed to disclose an outstanding credit card debt to the Respondent.

Relevant CBA phone call transcripts were provided:-

  • of phone conversations between the CBA and various credit providers (but not Liberty) discussing the Complainant’s credit history with the CBA in connection with the Complainant’s loan applications; and
  • of the CBA’s telephone conversation with the Complainant on 5 June 2015 during which the Complainant was told that his CBA credit card debt was showing as still outstanding.

The Australian Information Commissioner and Privacy Commissioner noted that the Complainant had acknowledged that he consented to the Respondent’s use and disclosure of his personal information and did not dispute the permitted use of information.

Breach of Australian Privacy Principle (APP) 10.2 by:-

  • the Respondent using and disclosing personal information about the Complainant which was inaccurate, out-of-date and/or incomplete; and
  • the Respondent not taking reasonable steps to ensure that the personal information it used and disclosed about the complainant was accurate, complete and/or up-to-date.

Damages Award:

The Complainant’s wife submitted statements regarding the effect of the disclosures on the Complainant. She also provided her statutory declaration in support of the claim for non-economic loss in which she described the resulting and ongoing stress and ‘shame’ being suffered by the Complainant and their family.

$15,000 for non-economic loss.

The Commissioner considered that an additional award of aggravated damages was not appropriate because in awarding the Complainant compensatory damages for hurt and humiliation, the Commissioner had “taken into account that this is not a case of a single privacy breach but rather there were three substantiated uses and/or disclosures of the inaccurate, incomplete and/or out-of-date information; that the interference with the complainant’s privacy took place over a prolonged period of time; and that each time the inaccurate, incomplete and/or out-of-date information was used or disclosed it impacted on the complainant’s emotional wellbeing.” (1)

(Note that an amount of $800,000 for non-economic loss was claimed by the Complainant.)


‘QF’ & Others and Spotless Group Limited (Privacy) [2019] AICmr 20

Date of Decision: 28 May 2019

Heard By: Australian Information Commissioner and Privacy Commissioner, Angelene Falk

Type of Personal Information Disclosed:

The names of the Complainants, as part of lists of names of casual employees of Cleanevent (‘List of Names’).

The disclosures were made without the knowledge or authority of the Complainants, as part of an arrangement between Cleanevent and the Australian Workers’ Union (AWU) which included:-

  • lists of names of casual employees of Cleanevent (which included the names of the Complainants) being provided by Cleanevent to the AWU;
  • payments being made by Cleanevent to AWU for AWU membership of those persons named in the List of Names;
  • the payments made by Cleanevent not being dependent on applications being made for membership of the AWU by the Complainants or any other persons named in the List of Names; and
  • in the case of those Complainants who were not already AWU members at the time of the disclosures, not being made aware of their purported membership or receiving any benefits of AWU membership.

Privacy Breach:

The fourteen (14) Complainants were employees of Cleanevent Australia Pty Ltd (Cleanevent), a subsidiary of the Respondent.

The Complainants became aware of the disclosures by Cleanevent to the AWU in May 2015 through the proceedings of the Royal Commission into Trade Union Governance and Corruption (Royal Commission).

At the time of the disclosures, 6 Complainants were not AWU members, while 8 Complainants were already AWU members.

The Respondent acknowledged that the disclosures had occurred.

The Respondent’s Privacy Policy (dated April 2011), which included that ‘we may disclose your information to a third party in the event it is legal to do so and/or we are compelled to do so by law’, was found by the Commissioner to be “insufficient to ensure that employees were aware of the kind of use and disclosure of employee information that was subsequently undertaken by the Respondent in relation to the arrangement between Cleanevent and the AWU.” (2)

Breach of National Privacy Principle (NPP) 2 and 4 by:-

  1. Breach of NPP 2 – Respondent improperly disclosing, through its related entity Cleanevent, the Complainants’ personal information to the Australian Workers’ Union (AWU), with Respondent’s approval but without the Complainants’ authority or knowledge;
  2. Breach of NPP 4 – Respondent failing to take reasonable steps to protect the complainants’ personal information from misuse and unauthorised disclosure.

Damages Award:

A total of $60,000 for non-economic loss (including an aggravation component) comprised of:-

  • $39,000 – made up of $4,500 for each of the 6 Complainants who were not AWU members at the time of the disclosures AND $1,500 for each of the 8 Complainants who were already substantive AWU members at the time of the disclosures; and
  • $21,000 as aggravated damages – being $1,500 for each Complainant.

In their submissions, the Complainants had documented their work ethic, their long years of service and their feelings of anger, outrage, injustice and betrayal on becoming aware of the disclosures. They also expressed that they had been experiencing feelings of ‘stress and/or anxiety’ at the actions of their employer – though no additional evidence was provided on these matters.

The Respondent, on the other hand, contended that the Complainants had acted unreasonably in the circumstances, resulting in a protracted process and ongoing costs.

The Commissioner noted that the Respondent’s conduct took place in the context of an employment relationship – a relationship of confidence and trust – and accepted that the Respondent’s apparent indifference towards its privacy obligations in respect of employee information, was a source of additional hurt for the Complainants.


‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51

Date of Decision: 23 March 2018

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

One of the Complainants made the complaint on behalf of him/herself and the other Complainants – acting as the representative complainant for a class of 328 complainant members in total (after opt outs).

The Complainants were employees of two related companies in the concrete/construction industry which were providing services under contract to a third unrelated company (‘Contractor Company’).

The Complainants were members of a superannuation fund operated by the Respondent.

The following personal information was disclosed in three (3) emails forwarded by the Respondent to an employee of the Contractor Company:-

  • The Complainants’ full name;
  • The Complainants’ date of birth;
  • The Complainants’ superannuation member number;
  • The Complainants’ most recent employer superannuation contributions;
  • The Complainants’ duration of employment; and
  • In the case of some of the Complainants, any voluntary contributions and employee salary-sacrifice contributions made by those members.

Privacy Breach:

The Respondent breached National Privacy Principle (NPP) 2 by disclosing the Complainants’ personal information to an external organisation for a secondary purpose without the Complainants’ consent to that disclosure.

The Respondent’s Privacy Policy described the purposes for which personal information could be disclosed to third parties and expressly stated that “Your personal information will not be used or disclosed for any other purpose without your consent, except where required by law.” (3)

However, the Respondent’s safeguards in place to protect the security of members’ personal information were found to be reasonable in the circumstances.

Damages Award:

The Commissioner was not satisfied on the information or statements provided by any of the individual members of the class, that they had suffered any actual loss or damage.

The Commissioner also declined to make an award for damages for non-economic loss. While acknowledging there may have been ‘hurt feelings’ upon becoming aware of the breach, the Commissioner decided that, in the circumstances of the matter, “the most appropriate form of redress is… a public apology that explains the circumstances of breach and what systems [the Respondent] has in place to minimise the risk of the breach recurring.” (4)


‘LU’ and Department of Defence (Privacy) [2017] AICmr 61

Date of Decision: 26 June 2017

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

  1. the Complainant’s name, postal address and date of birth;
  2. the Complainant’s Personnel Management Key Solution (PMKeyS) number, a unique employee number allocated to Defence personnel, which provides access to phone number and personal email address information; and
  3. the Complainant’s health information

contained in a redacted investigation report (‘Comcare Report’) produced by Comcare, the agency responsible for workplace compensation in the Respondent.

Privacy Breach:

At the time of the disclosures the Complainant was employed by the Respondent in one of its Divisions (the ‘Complainant’s Division’).

At the Complainant’s request, Comcare had investigated whether the Complainant’s employment with the Respondent had contributed to her contraction of a form of cancer and produced an investigation report about its findings (Comcare Report).

A redacted version of the Comcare Report, which had not been properly redacted to de-identify the Complainant, was subsequently made publicly available through the freedom of information log on Comcare’s website.

The disclosures by the Respondent occurred:-

  • when, in connection with another Respondent employee’s concerns about an alleged “cancer cluster”, the Respondent sent an email (the ‘Email’) to approximately 1,270 staff in the Complainant’s Division, including the Complainant, which included a link to the redacted Comcare Report; and
  • when the Respondent provided a copy of the redacted Comcare Report to a consulting firm which the Respondent had engaged to investigate allegations concerning workplace practices.

The Complainant subsequently became aware that a copy of the redacted Comcare Report had been saved in a general folder of the Respondent’s defence records management system which could be freely accessed by Respondent employees and staff of the Complainant’s Division.

The Complainant was referred by the Respondent for psychological and psychiatric assessment.

The Respondent breached Information Privacy Principle (‘IPP’) 4 and 10 by:

  1. Failing to protect the Complainant’s personal information (including sensitive health information) against loss, unauthorised access, use, modification or disclosure and other misuse, by such security safeguards as were reasonable to take in the circumstances; and
  2. Improperly using the Complainant’s personal information and sensitive health information for a purpose not directly related to the purpose of collection.

Damages Award:

$10,000 for non-economic loss

$3,000 to reimburse the Complainant’s expenses reasonably incurred in making the complaint and having the complaint investigated.

The Complainant provided:-

  1. a copy of her medical and case assessment reports confirming that she underwent psychological and psychiatric assessments following the privacy breaches; and
  2. a copy of the Complainant’s receipts and invoices for legal costs.

The Commissioner took into account that the Respondent’s audit log recorded that five (5) individuals had accessed the redacted Comcare Report during the one year period that it had been available in a general folder of the Respondent’s defence records management system and that four of them were in key executive roles within the Complainant’s Division and the fifth was the employee who had raised the concerns about the alleged cancer cluster.

The Commissioner also noted that part of the Complainant’s distress was caused by Comcare’s interference with her privacy, and that the Commissioner had awarded the Complainant $20,000 for non-economic loss in the Complainant’s matter against Comcare. (5)


‘LS’ and ‘LT’ (Privacy) [2017] AICmr 60

Date of Decision: 26 June 2017

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Requested:

  1. Clinical notes for the respondent’s treatment of the complainant
  2. Hospital records for the complainant’s inpatient treatment
  3. Written passages by the complainant
  4. Second opinion reports
  5. Character references

Privacy Breach:

Respondent was a consultant psychiatrist.

Complainant was a patient of respondent between 2003 and 2013.

Respondent administered electroconvulsive therapy (ECT) on the complainant.

In 2014, the complainant made a complaint to the Medical Board of Australia (Board) about the administration of the ECT.

As a part of the Board’s investigation, the respondent provided a response to the Board which included personal information relating to the complainant’s treatment by the respondent.

The complainant requested access to the personal information provided by the respondent to the Board. The respondent refused to provide the complainant with access to the information.

Breach of Australian Privacy Principles (APP) 12.5 and 12.9 by:

  1. Breach of APP 12.5 – Respondent failing to consider what steps, if any, may have addressed any concerns as to the effect of access on the complainant’s health, having regard to the circumstances and meeting the needs of the entity and the complainant
  2. Breach of APP 12.9 – Respondent failing to provide the complainant with a written notice setting out the reasons for refusal and mechanisms to complain about the refusal

Damages Award:

$1,000 for non-economic loss

The complainant provided information to the OAIC that she experienced “pressure” from “this protracted frustrating process”.


‘LP’ and The Westin Sydney (Privacy) [2017] AICmr 53

Date of Decision: 7 June 2017

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

The Privacy Commissioner found that ‘personal information’ was disclosed, not sensitive information or health information.

The phone call disclosed that the complainant was unhappy with the room downgrade and regarded it as ‘obviously unacceptable’.

Privacy Breach:

The Westin Sydney recorded a telephone conversation involving the complainant, without the complainant’s knowledge and in doing so, obtained the complainant’s personal information unfairly, in breach of APP 3.5.

Damages Award:

$1,500 for non-economic loss


‘LA’ and Department of Defence (Privacy) [2017] AICmr 25

Date of Decision: 17 March 2017

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

Details of the complainant’s hospital admissions for a period from the 1970s to 1980s

Privacy Breach:

Breach of APP 6 by disclosing information that was collected for a particular purpose, for some other purpose, without the consent of the complainant

The Complainant was an employee of the Royal Australian Air Force.

The Department of Defence released the personal information to the complainant’s son, upon receiving a request from the complainant’s son for access to the information

Damages Award:

$12,000 for non-economic loss

$3,420 for expenses reasonably incurred

The disclosure of information included disclosure of the complainant’s entire medical history including a prior gambling addiction, which had an adverse effect on the complainant’s psychological health and family relationships.


‘KB’ and Veda Advantage Information Services and Solutions Ltd [2016] AICmr 81

Date of Decision: 25 November 2016

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information:

Credit information of a person who was not the complainant was included on the complainant’s credit report, because the complainant and the person whose credit information was included on the complainant’s credit report had a similar name and lived in the same apartment building

Privacy Breach:

Veda had breached sections 20N(1), 20N(2), 20P and 20S(2) of the Privacy Act 1988 (Cth) by:

  1. Failing to take such steps as were reasonable in the circumstances to ensure that credit information it collected about the complainant was accurate, up-to-date, and complete
  2. Failing to take steps as were reasonable in the circumstances to ensure that credit reporting information it disclosed was, having regard to the disclosure, accurate, up-to-date, complete and relevant
  3. Using or disclosing credit reporting information that was false or misleading in a material particular
  4. Failing to give each recipient of the incorrect information written notice of correction within a reasonable period

Veda confused two individuals (the complainant and another person with a similar name who lived in the same apartment building) and included all of the second person’s poor credit information (including details of a judgment debt of $7,000) on the complainant’s credit report

This impacted on the complainant’s ability to conduct business as per usual, because his credit cards were blocked as a result and suppliers would not supply goods to him for his business until they received payment from him

Damages Award:

$10,000 for non-economic loss

$5,830 for expenses reasonably incurred


‘JO’ and Comcare [2016] AICmr 64

Date of Decision: 21 September 2016

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

Details of the complainant’s workers’ compensation claims to Comcare regarding workplace injuries sustained by the complainant whilst working for the Department of Defence and the Department of Human Services

The information disclosed included:

  • Complainant’s name
  • Complainant’s postal address
  • Complainant’s email address
  • Complainant’s injury dates
  • Registered dates
  • Claims status: accepted/rejected
  • Claims status: open/closed

Privacy Breach:

Comcare breached APP 6 and 11 by:

  1. Disclosing information about workplace injuries at the complainant’s current employer to his former employer and an insurance company
  2. Failing to take reasonable steps to protect the complainant’s personal information from unauthorised disclosure

Damages Award:

$3,000 for non-economic loss


‘IY’ and Business Service Brokers Pty Ltd t/a TeleChoice [2016] AICmr 44

Date of Decision: 30 June 2016

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

The complainant’s driver’s licence, Medicare card and a copy of a telecommunications contract signed by the complainant

Privacy Breach:

TeleChoice breached APP 11.1 and 11.2 by:

  1. Not taking reasonable steps to protect the complainant’s personal information from misuse, interference and loss; and from unauthorised access, modification or disclosure
  2. Not taking reasonable steps to destroy or de-identify the complainant’s personal information which it no longer needed for any purpose for which it could have been used or disclosed

A journalist discovered a number of documents including personal TeleChoice customer information in open shipping containers on publicly accessible bushland in Hastings, Victoria

The journalist featured a story on A Current Affair about TeleChoice abandoning customer information in a public place

TeleChoice immediately made a voluntary data breach notification to the OAIC and offered an enforceable undertaking to the OAIC to address the privacy incident

Damages Award:

$3,500 for non-economic loss


‘IX’ and Business Service Brokers Pty Ltd t/a TeleChoice [2016] AICmr 42

Date of Decision: 30 June 2016

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

The complainant’s name appeared on the A Current Affair program about the abandonment of TeleChoice customer information on footage of a manila folder spilling out of the shipping container’s entrance onto the ground

Privacy Breach:

TeleChoice breached APP 11.1 and 11.2 by:

  1. Not taking reasonable steps to protect the complainant’s personal information from misuse, interference and loss; and from unauthorised access, modification or disclosure
  2. Not taking reasonable steps to destroy or de-identify the complainant’s personal information which it no longer needed for any purpose for which it could have been used or disclosed

A journalist discovered a number of documents including personal TeleChoice customer information in open shipping containers on publicly accessible bushland in Hastings, Victoria

The journalist featured a story on A Current Affair about TeleChoice abandoning customer information in a public place

TeleChoice immediately made a voluntary data breach notification to the OAIC and offered an enforceable undertaking to the OAIC to address the privacy incident

Damages Award:

$3,500 for non-economic loss


‘IV’ and ‘IW’ [2016] AICmr 41

Date of Decision: 27 June 2016

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

Medical diagnosis of the complainant of ‘delusional depression’

Privacy Breach:

Breach of APP 6.1 and 10.2 by disclosing complainant’s personal information to six (6) individual third parties

Respondent was a medical doctor who disclosed the information by email to six individual third parties. Complainant was also a recipient of the email

Damages Award:

$10,000 for non-economic loss

The Privacy Commissioner had regard to the following factors when determining the amount of non-economic loss to award:

  • The sensitive nature of the personal information that was disclosed
  • The fact that as a patient of the respondent’s, the complainant was in a position of vulnerability
  • The fact that the disclosure was made to six third parties
  • The responsibility of the respondent as a medical professional to have a sound understanding of his privacy obligations

‘IR’ and NRMA Insurance, Insurance Australia Limited [2016] AICmr 37

Date of Decision: 27 June 2016

Heard By: Australian Privacy Commissioner, Timothy Pilgrim

Type of Personal Information Disclosed:

Details of the insurance policies held by the complainant with NRMA Insurance, which included the following information:

  • Policy types
  • Policy numbers
  • Details of the complainant’s car make, model, year and registration number
  • The complainant’s full property address

Privacy Breach:

NRMA had breached APP 6 and 11 by disclosing the complainant’s personal information to a third party, which was a person with whom the complainant shared one home building insurance policy.

Damages Award:

$3,000 for non-economic loss

The complainant claimed that she suffered distress and anxiety as a result of the disclosure. However, the Privacy Commissioner considered that financial information may be considered ‘more sensitive’ than other information and the disclosure was overtly made to a known party and as such, a modest amount of damages should be awarded.


Authored by Katarina Klaric and Rochina Iannella

© Stephens Lawyers & Consultants. February 2020.

This update is not intended to be a substitute for obtaining legal advice. 



(1) ‘QP’ and the Commonwealth Bank of Australia Limited (Privacy) [2019] AICmr 48 at Par. 107

(2) ‘QF’ & Others and Spotless Group Limited (Privacy) [2019] AICmr 20 at Par. 59

(3) ‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51 at Par. 69

(4) ‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51 at Pars. 91-93

(5) ‘LB’ and Comcare (Privacy) [2017] AICmr 28 (24 March 2017)