The Victorian Civil and Administrative Tribunal (VCAT) has awarded $11,000 in damages to a teacher whose employer failed to protect personal information from loss and disclosure.
The teacher had been diagnosed with medical conditions and, as part of a separate discrimination claim relating to the teacher, the acting principal took written notes of a phone call with the Department of Education’s legal advisors.
The note did not name the teacher, but it was specific enough for her to be identified as the person it referred to, along with her medical condition. The note was found in the staff bathroom by a colleague, who discussed it with another colleague and worked out that it concerned the teacher. They placed it in her pigeonhole.
On her return to the workplace the teacher found the note, left and did not return to work. The teacher claimed that she had suffered distress at the discovery of the note as her employer had not complied with the privacy principles in the Health Records Act 2001 (Vic) (HRA).
VCAT found that the Employer had breached the HRA and caused the teacher to suffer damages in the form of distress, an inability to return to work and deterioration in her mental health.
This case highlights that, despite the publicity around hacking and data breaches, many privacy breaches are still due to basic human error and misplaced paper records. This was reflected in the second quarterly report published by the Office of the Australian Information Commissioner on 31 July 2018. The report found that 33 per cent of the notifications received indicated that the cause of the breach was human error. The most common human errors were:
- an email containing personal information sent to the wrong recipient;
- unintended release or publication of personal information; and
- personal information sent by mail to the wrong mail recipient.
Damages Award to Teacher for Breach of Privacy | Moores
Human error was also believed to be behind the disclosure of hard-copy records of 31 patients from John Fawkner Private Hospital. You may remember, in 2017, when five pages of confidential hand-over notes were found in the gutter on Coburg Street. The notes contained personal, and highly sensitive, information including names, ages, diagnoses, treatment plans, medications and living conditions. Although at the time there was no obligation on the hospital to notify the patients that their privacy had been breached, this is no longer the case with the new notifiable data breach legislation.
The recent legislation changes and the common occurrence of human error highlight the importance of risk management when dealing with personal information.
To ensure that your organisation is in a strong position to effectively and swiftly respond to a data breach, we recommend that your organisation take the following 5 steps to ensure compliance and best practice:
- Assess which scheme or legislation applies to your organisation.
- Review your privacy policy to ensure it is tailored to your needs and compliance requirements.
- Create a data breach response plan to ensure swift action to mitigate risk, including:
  - legislative requirements to contact affected individuals;
  - steps for potential remedial action to prevent serious harm eventuating;
  - when data breaches need to be reported and the process for reporting; and
  - templates for notifications and external communication.
- Provide training to your staff on your privacy policy and data breach response plan, as well as on when data breaches need to be reported; and
- Review your service provider agreements and other information sharing arrangements to help you understand the responsibilities and rights of each party.
How we can help
All this information can seem overwhelming and daunting, so don’t forget Moores is here to help. If you would like more information or assistance with your data breach response plan, please do not hesitate to contact us.
Harrison v Department of Education and Training (Human Rights) (Corrected) [2017] VCAT 1128