A Department of Defence employee was asked if he consented to a medical report commissioned by the Department being made available to his own doctor, in relation to a compensation claim he'd made. He said no. Defence sent it to the doctor anyway.

The employee was quite miffed and made a complaint to the Privacy Commissioner, requesting an apology and some cash. The Commissioner obliged, finding that Defence had breached its obligation not to disclose personal information without consent, and ordering that it say sorry and pay the complainant $5,000. The Department also got some homework: to amend its personal information handling procedures and report back in six months.

We don't think $5k will cause a blip on Defence's financial radar, but the decision has us wondering what the Commissioner will do about more serious breaches of privacy. In the digital age, single data breaches can affect millions of people at once (think the recent examples of 250,000 Aussie dating site users, 40 million US Target and 60 million Home Depot customers, all of whom had their credit card details stolen). If the Commissioner is willing to award $5k to an individual who had a medical report sent to his own doctor, what should you expect if someone handed your credit card details to the Russian mafia? Multiply a few million customers by $5,000 and we're talking scary numbers.

What's more, the Defence case was decided under the old Privacy Act. The laws were overhauled in March this year, and the Commissioner now has much broader powers to award compensation, including to individuals who haven't even asked for it. He can also now impose penalties on corporations of up to $1.7 million. If you're not taking the protection of your customers' personal info seriously yet, you are betting against the house.

We do not disclaim anything about this article. We're quite proud of it really.