Tag: Litigation and Dispute Resolution

by Imogen Thomas

Privacy and protection of personal information is riding high in the public eye after a number of high-profile breaches over the past six months. As consumers, it is important to have a good understanding of how your personal information is being handled and we rightfully expect that organisations will look after our personal information with due care. For businesses, the requirement to protect personal information of your staff, clients and stakeholders is not just a social expectation – there are legal requirements in place to ensure you manage personal information safely and appropriately.

On 22 February 2018, the Notifiable Data Breaches (NDB) scheme came into force in Australia, bringing with it some new obligations for agencies and organisations subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The scheme introduces an obligation to notify individuals and the Office of the Australian Information Commissioner (OAIC, the national privacy regulator) when a data breach occurs that carries a risk of serious harm. The notification should include guidance on how to reduce the potential harm of the breach.

Privacy refresh – what are the APPs?

The APPs are a framework of privacy obligations that apply to all Commonwealth government agencies, private sector, not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively, ‘APP entities’).

The APPs follow the lifecycle of ‘personal information’ from collection through to use and disclosure, to eventual destruction or disposal. An overview can be found on the OAIC website.

If an APP entity breaches an APP, this is called an ‘interference with the privacy of an individual’. Interferences with privacy can lead to complaints and in some circumstances, compensation may be awarded to the individual. Over recent years, awards of compensation have ranged from $1,000 to over $20,000.

Not sure if the APPs apply to your organisation or if your privacy practices are up to standard? Contact elringtons for assistance and advice on meeting your privacy obligations.

New obligations

The NDB scheme applies to “eligible data breaches”, which are breaches that are likely to result in serious harm to an affected individual. Unless an exception applies, the APP entity is required to notify the affected individual(s) and the OAIC that the breach has occurred, so that action can be taken to mitigate any potential harm.

Notifications must include the following information:

• Identity and contact details of the organisation;
• Description of the data breach
• The type or kind of information concerned; and
• Recommendations about steps that individuals should take in response to the breach.

The OAIC has a specific form for notifying the Commissioner of notifiable data breaches.

Breaking it down

A “breach” includes an unauthorised access to, disclosure of or loss of personal information. A breach may be as simple as sending a letter to the wrong person or leaving a memory stick or a briefcase on the train. Although the thought of a “data breach” often conjures up thoughts of computer hackers or determined criminals, the reality is that they most commonly occur due to simple human error.

Not every breach will require notification. If a breach has occurred, the next question to consider will be whether serious harm is likely to occur as a result. Serious harm includes physical, psychological, emotional, financial or reputational harm. The Privacy Act sets out a number of relevant matters to assist in assessing whether serious harm is likely to occur, including the kind(s) and sensitivity of the information, what other security measures exist (e.g. is the information encrypted), the nature of the harm that may result and the likelihood that a person who could have obtained the information would have the intention of causing harm to any of the individual.

There are some exceptions to the notification requirements, including where the data breach involves more than one entity. In those circumstances, only one entity is required to undertake notification.

Prevention is better than a cure! elringtons can provide advice and guidance on best privacy practices, including undertaking privacy impact assessments or delivering training to your staff, to help your organisation manage privacy carefully and responsibly.

e: ithomas@elringtons.com.au | p: +61 6206 1300

Are you a volunteer or an organisation that employs volunteers? Are you and/or your volunteers covered by adequate insurance? Have you considered the important exemptions to public liability protection under your relevant insurance policy? Do you need help deciphering what your insurance policy document means and where your organisation might not be covered?

Under the Civil Liability Act 2002 (NSW) (“CLA”) if you have arranged for adequate insurance cover for your volunteers, and your volunteers are acting in the best interests of the organisation and not involved in any wrongdoing, they should be protected against any civil claims arising from acts or omissions by them or others during the course of their volunteer activities. This means that if your volunteer was acting within the bounds of their position description and through their own personal negligence caused a third party to injure themselves, they will most likely be protected from personal liability for the accident as long as the appropriate insurance cover has been arranged.

It is important to note that the protection of volunteers from incurring personal liability for their acts or omissions during the course of their duties does not apply where:

• The volunteer was not acting in good faith (“good faith” = acting honestly and without fraud);
• The volunteer knew, or ought reasonably to have known, that he or she was acting outside the scope of the activities organised by the community organisation, or contrary to instructions given by the community organisation (section 64 CLA);
• The volunteer was engaged in an activity that constitutes a criminal offence (section 65 CLA);
• The volunteer’s ability to exercise reasonable care and skill when doing the work was significantly impaired by alcohol or drugs voluntarily consumed (whether consumed for medication or not), and volunteer failed to exercise reasonable care and skill when doing the work (section 63 CLA);
• The volunteer was engaged in defamatory behaviour; or
• The volunteer incurred liability that would otherwise be covered by third-party insurance under the Motor Accidents Compensation Act 1999 (NSW), that is, a liability for compensation in respect of people who are injured or die as a result of transport accidents

In addition, in certain circumstances (whether a volunteer gains this protection or not) the community organisation may be liable for the volunteer under the legal doctrine of ‘vicarious liability’.

If you are running any kind of volunteer organisation, it is important to outline very clearly to your volunteers their roles and responsibilities in instruction manuals and training guides. A written job description and/or volunteer policy document may also state what behaviours or actions are prohibited (for example, the giving of medical advice).  These documents may help to define what kind of work or actions are authorised or instructed by the organisation and what volunteer actions might be considered to be outside the scope of their authority or contrary to instructions.

Please contact one of our friendly solicitors if you have any questions in relation to your organisation’s insurance policy, legal structure, or if you require advice in relation to a claim against you or your organisation.

For more information please contact:

e: info@elringtons.com.au | p: +61 2 6206 1300