6 August 2020 | Reading time: 2 minutes
We’ve all seen it – an email sent to the wrong person. Perhaps a misspelled email address or an email sent to the wrong ‘Jennifer’.
A recent decision by the Australian Information Commissioner and Privacy Commissioner shows how a simple clerical error can turn into a $16,400 payment for compensation.
2 married individuals lodged a complaint with the Office of the Australian Information Commissioner in relation to a medical clinic that sent emails about the individuals to an incorrect email address. The individuals previously participated in a global study into HIV transmission facilitated by the medical clinic and were being invited to participate in a further study.
The emails contained sensitive information about the individuals, including their names and HIV positive status.
The emails were intended to be sent to the individuals but were instead sent to 1 of the individuals and another unknown recipient due to a typo in the email address.
Breaches of the Privacy Act.
The Commissioner found the medical clinic breached 2 Australian Privacy Principles under the Privacy Act 1988 (Cth) (Privacy Act):
Importantly, the medical clinic was notified of the error and did not respond on the issue until over a month later, after a follow-up by the individuals. The Commissioner considered the medical clinic’s delay in the assessment of damages.
The importance of privacy controls.
Organisations should ensure they have data and privacy controls in place, and act quickly to rectify a mistake involving personal information. This includes implementing an appropriately drafted Data Breach Notification Policy and Response Plan.
Reach out to our team to chat about whether your organisation is required to comply with the Privacy Act, and how to navigate those obligations.