Summary of TSJ v Department of Health and Human Services (Human Rights) [2016] VCAT 687

The following summary has been adapted from TSJ v Department of Health and Human Services (Human Rights) [2016] VCAT 687. The Decision is publicly available on Austlii. The case involved a privacy complaint referred by the Office of the Commissioner for Privacy and Data Protection (CPDP) to the Victorian Civil and Administrative Tribunal (VCAT) under the Privacy and Data Protection Act 2014 (PDPA). The case raised allegations of the Respondent’s disclosure of the Applicant’s personal information in breach of Information Privacy Principle (IPP) 2.1 (Use and Disclosure) and IPP 4.1 (Data Security) contained in Schedule 1 of the PDPA.

Background

The Applicant is the grandmother and custodian of two children who have been the subject of intervention by the Child Protection Unit of the Department of Health and Human Services (the Respondent) [1].

In early 2015, a social worker for the Respondent sent mail intended for the Complainant to an incorrect address. The mail included a case plan, which is a document that discusses the goals and aims of the Child Protection Unit’s involvement with the family and a plan for the final order. It contained the name of the Applicant and her family members. The Respondent became aware of this error through a phone call from the other client who mistakenly received the Complainant’s mail. The social worker notified and apologised to the Complainant, took steps to retrieve the mail and reported the incident to her Team Manager [2]–[5].

The CPDP accepted the complaint in accordance with Section 57 of the PDPA. It raised IPPs 2 (Use and Disclosure) and 4 (Data Security) contained in Schedule 1 of the PDPA. The Applicant alleged that the Respondent had breached the IPPs by erroneously mailing the confidential document to another client [10]. The Applicant sought compensation by way of damages for stress and anxiety, medical and psychological expenses and legal costs [5]. The CPDP referred the complaint to VCAT,

VCAT’s decision

The Tribunal Member considered that there had not been a breach of the IPPs and therefore a breach under the PDPA had not occurred [12].

Reasons

IPP 2

Relevant law

Counsel for the Respondent submitted that an inadvertent disclosure of the Complainant’s personal details did not have the requisite “purpose” as referred to in IPP 2.1, and that there was therefore no contravention of that IPP. The Tribunal Member did not accept this submission, concluding ‘“[p]urpose” in this context is to be interpreted as the subjective purpose of the party involved’ (citing Ng v Department of Education [2005] VCAT 1052). The Tribunal Member acknowledged that the social worker ‘did have a purpose in sending and disclosing the information, but made the error of sending it to the wrong person’ [19]. The Tribunal Member considered that the social worker’s ‘intention was to fulfill the primary purpose of the organisation of which she was an employee’ [20].

The Tribunal Member stated that ‘it follows, that this being the case, the existence or otherwise of any measures taken by the respondent in potentially minimising the likelihood of such errors occurring is relevant’ [21]. She considered the liability of an organisation under the PDPA with reference to Section 118 of the PDPA and IPP 4 [21].

Section 118 of the PDPA states that an organisation would not be responsible for its employee’s actions or practices that breach the PDPA if it took ‘reasonable precautions and exercised due diligence to avoid the act being done or the practice being engaged in by its employee or agent’ [21]–[22]. The Tribunal Member held that the Respondent must satisfy the Tribunal that Section 118 of the PDPA was applicable to the case at hand (citing Kudleck v Victoria University [2013] VCAT 1971, [80]–[81]) [23].

Evidence considered

The Tribunal Member relied on evidence and submissions provided by the Respondent’s Child Protection Operations Manager of Child Protection North Division (Operations Manager), to conclude that prior to the event, the Respondent was ‘fully cognisant of its responsibilities regarding the management of clients’ confidential information’. The evidence and submissions considered were as follows:

• The Respondent’s privacy policies and procedures that existed prior to the incident occurring and also measures taken following the incident
• Reference to a Client Incident Reporting System, in which all privacy breaches automatically receive a category 1 rating (the highest rating)
• Correspondence to his colleagues dated 23 December 2014 (predating the incident) in which he urged care in dealing with the personal information of clients and their families, and setting out a number of ways in which this should be done [25]
• Measures taken by the Respondent after the incident, by the social worker and the Division as a whole, in an attempt to minimise the likelihood of such an event occurring again in the future. This evidence was indicative to the Tribunal Member that the Respondent regarded the incident seriously [26].

The Tribunal Member also considered the social worker’s submission and evidence that ‘the error was hers alone and not as a result of a fault in her training or the respondent’s procedures’ [27]–[29]. The evidence and submissions considered were as follows:

• The social worker ‘readily admitted in her evidence that it was a mistake, that she had been careless, and expressed remorse for what had occurred’ and ‘[s]he was open in acknowledging that it was unacceptable and that she now checks all documents multiple times before sending them’
• Evidence that ‘she had taken immediate steps to notify her supervisor, to retrieve the document and to notify the complainant of the incident’ [27]
• Evidence that she had been spoken to about the incident by supervisors at a number of levels [28].

Analysis and conclusion

The Tribunal Member held that:

In taking the actions that she did she demonstrated an appropriate level of awareness of the seriousness of what had occurred. This would lead to an inference that she had undergone appropriate training in this regard. The fact that she had received additional counseling and training as a result of the incident is evidence that the respondent Department viewed the incident with appropriate concern [28].

The Tribunal Member concluded that the act in question was an ‘accidental or inadvertent use or disclosure’ [23]. The Tribunal Member explained that ‘[t]here will always be human errors which occur. It is therefore the responsibility of the public organisation to take all possible steps to minimise this possibility even if it cannot be completely eradicated’ [23]. The Tribunal Member was satisfied that the Respondent took reasonable precautions and exercised due diligence to avoid the act being done, and therefore IPP 2.1 had not been proven [29].

IPP 4

Relevant law

The Tribunal Member accepted the Respondent’s submission that, under IPP 4, a public sector organisation must take ‘reasonable’ steps to protect the information it holds from misuse, loss and unauthorised access, modification or disclosure [35].

Evidence considered

The Tribunal Member relied on the submission of the social worker that she had been in a hurry on the day and that the error occurred because a colleague had also printed a document and she had assumed, in her haste, that the document she collected was the one she had printed [33]. The Tribunal Member considered the social worker’s attitude in expressing regret for her mistake and the manner in which she responded promptly [35].

The Tribunal Member had regard to the Operations Manager’s evidence of the circulation of a document to staff advising of means by which sensitive documents could be printed confidentially but noted ‘this procedure would not have prevented the picking up of documents from the printer in error, which is what had occurred in this instance’ [34]. The Tribunal Member also considered documentation provided by the Operations Manager setting out various of the Respondent’s policies regarding the importance of preserving confidentiality [35].

Analysis and conclusion

The Tribunal Member held that the incident did not arise from a failure by the Respondent to take reasonable steps [33]. She concluded that ‘it is difficult to envisage what more could have been done by the respondent to prevent this incident occurring. I am satisfied that overall the respondent took its obligations regarding confidentiality seriously and attempted to impress this upon its employees’. The Tribunal Member held that IPP 4 had not been proven [35].

Compensation

While the Tribunal Member acknowledged the Complainant’s evidence that she had suffered anxiety and distress as a result of the mistake made by the relevant employee, damages could not be awarded in light of the fact that the IPPs had not been breached as she alleged [36].