A $16,400 fine was recently imposed against a medical practice in Victoria for an email the practice sent to an address to which it should not have been sent.

The fine was imposed by the Australian Information Commissioner and Privacy Commissioner applying the Australian Privacy Principles.

The email was sent to one wrong email address. It included plenty of what in privacy law is termed “personal information” (ie, information that can identify a person). Further, the email identified and related to two persons (the claimants) diagnosed with HIV. The claimants had been involved in a prior medical study facilitated by the practice, and the email queried whether they would like to participate in a further study.

What types of information are “sensitive information” under privacy law?

That health or medical context under privacy law raised the sensitivity of the personal information. High risk areas are listed in the Australian Privacy Principles in its definition of “sensitive information”. That phrase means:

(a) information or an opinion about an individual’s:

(i) racial or ethnic origin; or

(ii) political opinions; or

(iii) membership of a political association; or

(iv) religious beliefs or affiliations; or

(v) philosophical beliefs; or

(vi) membership of a professional or trade association; or

(vii) membership of a trade union; or

(viii) sexual orientation or practices; or

(ix) criminal record;

that is also personal information; or

(b) health information about an individual; or

(c) genetic information about an individual that is not otherwise health information; or

(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or

(e) biometric templates. [emphasis added]

The two complainants sought compensation of $250,000 and received $16,400. They submitted psychological evidence, including invoices they had paid for trauma or other effects.

The existence and level of the fine can be better appreciated on noting there was no evidence of any public disclosure or that anyone opened or read the wrongly sent email. A follow-up email to the same address was not answered.

Practical lessons

  1. Document: Have documented privacy policies and practices in place.
  2. Train: Ensure an ongoing training program is in place for personnel, eg to check every email.
  3. Beware of high risk “sensitive information”: Recognise certain types of information raise the seriousness of privacy law breaches into a “sensitive information” category. One of those types of information is “health information”. A pattern of cases illustrates that regulators feel bound to apply the rigour of privacy law where sensitive information is involved even if what has taken place is an accident.
  4. Apologise and remedy immediately: While the medical practice had issued an apology letter to the complainants, it seems it took too long (a month and a week). Hence, act briskly to try to remedy the position or ensure no further wrongdoing.

The full decision (111 paragraphs and 72 footnotes) can be read here: ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd [2020] AICmr 21 (12 June 2020).