Comcare has been ordered to pay $20,000 in damages to a Department of Defence employee after failing to protect her identity in a redacted report that it published online.
The Department of Defence major had been pursuing a compensation claim alleging that her employment caused or contributed to her cancer. Upon request, Comcare supplied the major with a redacted report of its findings, which had also been published on Comcare's website through its freedom of information disclosure log.
The major found that, despite being marked as redacted, the report still contained sensitive details about her health, along with her name, postal address, date of birth and her personnel management key solution number, the code used to access Defence contact details.
The major became aware that her information was publicly accessible only after receiving an email containing a link to the redacted Comcare report; the same email had been sent to more than 1,200 Defence employees.
Comcare subsequently removed the report from its website and issued a written apology. By then, however, the major discovered, the report had been publicly available online for around 12 months.
She took the case to the Office of the Australian Information Commissioner, seeking $250,000 in damages for future economic loss and $150,000 for non-economic loss, arguing that the breach could result in her dismissal.
Privacy Commissioner Timothy Pilgrim found that Comcare breached the Privacy Act 1988 (Cth) and the Information Privacy Principles when it "inadvertently overlooked" the sensitive nature of the major's health information in the online report, and when it failed to protect that information with reasonable safeguards.
The Privacy Commissioner noted that Comcare has since introduced more stringent security safeguards, and ordered it to pay the major $20,000 in damages plus $3,000 in costs.
Bottom line for organisations:
It is vital to minimise your risk of data breaches, particularly those involving sensitive information such as health records, by meeting your privacy responsibilities and legal obligations. As this case shows, a document labelled "redacted" still needs to be checked for identifying details and sensitive information before it is published, and a breach can go unnoticed for months unless someone is actively looking. Ensure your organisation has the right procedures and policies in place to safeguard personal information, and that your employees have received appropriate privacy training.
Get involved with Privacy Awareness Week:
Privacy Awareness Week is an annual initiative of the Asia Pacific Privacy Authorities (APPA) forum and the Office of the Australian Information Commissioner, and is the largest privacy campaign event in Australia. This year's theme is trust and transparency, which speaks to the consumer and community trust that flows to organisations that handle personal information in clear and transparent ways. We are official partners for the event, and we're encouraging all businesses to use this campaign to start their own internal campaign highlighting the importance of cybersecurity and privacy training in the workplace. Download our free toolkit to get started: