In a rare example of the Commissioner making a determination under the Privacy Act, Aerocare Pty Limited has been found liable to compensate an airline passenger for the manner in which they collected and disclosed sensitive health information about the passenger in an airport departure lounge.
The facts and determination
Aerocare was acting as a contractor to the airline known as Virgin Australia and was responsible for providing passenger services at the Sunshine Coast airport in Queensland. The passenger was blind and also suffered from cancer. He had recently had surgery and a medical device was implanted in his body. He travelled with a sighted companion and a seeing eye dog. Virgin Australia’s conditions of carriage entitled Virgin Australia to refuse to carry a passenger if they were not satisfied that the passenger was medically fit to fly. The passenger had obtained a letter from the hospital at which the surgery had been carried out, which explained that the passenger needed the implanted medical device to be turned on during the flight but that it could safely be turned off during take-off and landing. The passenger had not told his sighted companion the full details of his medical condition.
The passenger’s first leg of his journey was from Melbourne to the Sunshine Coast. He presented the letter at Melbourne airport and travelled without incident. However, on the return journey the representative from Aerocare asked a series of questions about the passenger’s medical condition in the presence of his sighted companion and also within the possible earshot of other passengers in the departure lounge.
After carrying out an investigation and receiving submissions from the passenger and Aerocare, the Commissioner determined that:
- Aerocare collected the passenger’s medical information in an unreasonably intrusive manner contrary to NPP 1.2 – Aerocare should have taken the passenger aside out of earshot of other passengers and of his sighted companion to ask the questions they considered reasonably necessary to assess whether the passenger was medically fit to fly;
- the Aerocare representative did not explain why the medical information was being collected, nor on whose behalf she was collecting it and, therefore, Aerocare breached NPP 1.3 – it was not enough for Aerocare to assume that the passenger would have been aware that the information was being collected to determine whether he was medically fit to fly, nor for them to fail to disclose Aerocare’s identity and role;
- the Aerocare representative’s questioning of the passenger in the earshot of his sighted companion, and in the possible earshot of others in the departure lounge, constituted a failure to take reasonable steps to ensure that personal information held by Aerocare was protected from unauthorised disclosure contrary to NPP 4.1
The passenger alleged that he was upset and distressed by the questioning in the departure lounge, and also felt humiliated and intimidated. The Commissioner determined that it was appropriate to award compensation for non-economic loss and, following the principles adopted by the Administrative Appeals Tribunal in the Rummery case and having regard to the passenger’s vulnerabilities, set $8,500 as the appropriate quantum of damages.
Click here to read the full decision.
Some thoughts
The Commissioner’s reasoning in relation to the collection principle appears to be entirely orthodox. The reasoning in relation to the security principle (NPP 4 – now APP 11) was more surprising to me.
However, it is logical that in conversations during which personal information is collected in an unreasonably intrusive manner due to the risk of eavesdropping by others in the vicinity, information in the hands of the regulated entity may be disclosed to those within earshot of the conversation, leading to simultaneous contraventions of both the collection principle and the security principle. These aspects of the findings are relevant to any organisation collecting personal information in a retail setting where other people may be present and overhear a conversation.
In this instance, the Commissioner also found that there had been an actual unauthorised disclosure by Aerocare of the passenger’s medical information to his sighted companion. However, the Commissioner’s reasons for decision did not discuss whether there had been a breach of the disclosure principle (NPP 2 – now APP 6). Perhaps the explanation for this approach by the Commissioner was that the purpose of any such disclosure of the passenger’s medical information by Aerocare would have been for the primary purpose for which the information had been collected – namely to assess whether or not the passenger was medically fit to fly. If that was the case, it demonstrates an instance of when an equitable breach of confidence claim may succeed where no breach of the disclosure principle exists under the Privacy Act.
As to measure of damages, the Commissioner’s approach appears to be consistent with the small number of previous determinations in which damages for non-economic loss have been awarded, and also with decisions of the Administrative Decisions Tribunal under the NSW privacy legislation. Interestingly, it is roughly in line with the quantum proposed by the Ontario Court of Appeal in 2012 in the decision known as Jones v Tsige in which the lead judge wrote:
“damages for intrusion upon seclusion in cases where the plaintiff has suffered no pecuniary loss should be modest but sufficient to mark the wrong that has been done. I would fix the range at up to $20,000”
Whilst the amount of money at stake in privacy cases involving claims of non-economic loss will be relatively low on an individual by individual basis, if the number of individuals affected by a given breach of the Privacy Act is large, the prospect of a class action or representative complaint increases. For example, after Jones v Tsige was decided in Ontario, there have been several class actions filed in Canada following data security breaches affecting groups of individuals. We are yet to see similar developments in Australia, but I suspect that it is only a matter of time.
