July 14, 2020

In an ever-increasing digital landscape, email remains the chief mode of communication, whether personal, commercial or otherwise. With an increased reliance on this mode of communication comes an increased burden to ensure its accuracy. That accuracy has no higher stake than when confidential medical and other sensitive information is being provided and dealt with. A simple mistype or deletion can result in extremely sensitive medical information being disclosed to unintended recipients.

This was the case in ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd [2020] AICmr 21, where the two Complainants, a couple, were patients at the Respondent’s medical clinic when their privacy was breached. One of the Complainants had recently received HIV-positive results and as a result was offered the opportunity to participate in a Global Study being undertaken through the Respondent’s medical clinic. When sending correspondence about this opportunity, the Respondent’s clinic used an incorrect email address, omitting the Complainant’s middle initial, which in turn resulted in the release of sensitive information to an unknown recipient.

The Complainants were not required to prove that the sensitive information sent to the incorrect email address was actually received by another individual. It was sufficient to demonstrate that the information was sent to an email address that did not belong to the Complainants.

This occurred on two occasions, resulting in a Claim of both non-economic and economic loss suffered by both Complainants.

Upon review of the matter, the Australian Information Commissioner considered two possible breaches of the Australian Privacy Principles by the Respondent:

  1. APP 6 – Disclosure of sensitive personal information; and

  2. APP 11.1 – Failure to take reasonable steps to protect the Complainant’s personal information from unauthorised disclosure.

The Commissioner found that the Respondent had breached both Australian Privacy Principles and, as a result, the Respondent was ordered to pay $13,400.00 to the first Complainant and $3,000.00 to the second Complainant. Further, the Respondent would also have been required to bear its own legal costs in defending the Commissioner’s review.

This decision highlights the magnitude of risk involved in using electronic communications when dealing with personal and sensitive information. Using an old or incorrect email address can have catastrophic consequences if information is provided to an individual for whom it is not intended. As this decision demonstrates, businesses and organisations cannot be complacent in their data management and privacy protocols when dealing with any type of personal information.

A copy of this decision can be found here.