12 January 2020

Australian Data Breach Settlement

The settlement of proceedings in Evans v Health Administration Corporation [2019] NSWSC 1781, important Australian data breach litigation, features the following Confidential Opinion of Counsel:
 In the present case, I had the benefit of a confidential memorandum of advice prepared by Mr Michael Rivette of Counsel (Counsel retained by the plaintiff in these proceedings) in which he expresses the opinion that the Settlement Sum and proposed distributions fall within the range of fair and reasonable outcomes, and that the settlement is in the interests of the Group Members. 
Central to Mr Rivette’s opinion in that regard is that, from information obtained through the issuing of subpoenas, it now appears that the information disseminated was confined to only that information contained in what is defined in the amended statement of claim as “the Coloured List” (that being a document allegedly prepared by or at the instigation of the second defendant in which is recorded the information the subject of the present complaint). 
In particular, Mr Rivette has advised that, although the Coloured List contained personal information as defined under the Privacy and Personal Information Protection Act (and contained what in his opinion was confidential information, being health information), that health information was descriptive of the injury suffered by each individual only, and did not contain any details of medical treatments or medical history. Mr Rivette also attaches significance to the fact that it now appears that the Coloured List was provided by the second defendant only to a single recipient (a lawyer who reported it to police once he suspected that the second defendant might not have had the necessary authority to give him the Coloured List). 
Mr Rivette has pointed in his opinion to the inherent risks in this litigation (noting his instructions that the second defendant is unlikely to have funds to pay any compensation orders), those risks including the following: that it is presently undecided in New South Wales whether an equitable cause of action for breach of confidence will sound in damages or equitable compensation for mental distress falling short of psychiatric illness (as claimed by certain of the Group Members); that the causes of action pleaded for breach of the tort of invasion of privacy depend upon the court accepting that “it should take an incremental step and recognise the existence of the new tort” (as has been the case in New Zealand and the United Kingdom); the fact that, insofar as the second defendant committed criminal offences through conduct that was outside the scope of his engagement/employment, the first defendant may contend that it cannot in these circumstances be held vicariously liable for the second defendant’s actions (especially when the disclosures occurred around twelve months after he had left the first defendant’s employment); and, in relation to the misleading and deceptive conduct claim, that the plaintiff will need to meet the first defendant’s claim that its dealings with its employees are not in trade and commerce, and therefore not covered by either s 18 or s 29 of Schedule 2 of the Australian Consumer Law. 
As to the nature of the information and its dissemination, as noted above Mr Rivette accepts that the information was of a limited nature and its dissemination was limited to one person. The Coloured List contains the following types of information about the individuals there recorded: name; address; date of birth; a short general description of how the injury occurred (for example: manual handling of a patient; twist/bend-no patient; exposure to mental stress factors); and a short general description of the affected body part (for example: back-lower; forearm; psychological system). Mr Rivette is of the opinion that this constitutes personal information as defined in the Privacy and Personal Information Protection Act, health information as defined in the Health Records and Information Privacy Act and confidential information as it contains some health information relating to those individuals; but notes that any health information was generally descriptive only, and in no way detailed as to treatment or prognosis.
By way of elaboration of the risks inherent in the litigation, Mr Rivette points to the following. 
As to the claim for breach of confidence, he is not aware of any decision in New South Wales in which the equitable cause of action for breach of confidence has sounded in damages or equitable compensation for mental distress falling short of psychiatric illness. He notes that s 38 of the Supreme Court Act 1986 (Vic) (which was relied upon to justify the award of compensation in Giller v Procopets (No 2) (2009) 24 VR 1; [2009] VSCA 72 (Giller v Procopets) per Neave JA), differs from the form of s 68 of the Supreme Court Act 1970 (NSW). It is, however, also noted that (as a matter of principles of precedent), as a decision of an intermediate appellate court, at first instance a court in this jurisdiction (and also the Court of Appeal) should not depart from that decision unless convinced it is plainly wrong (see Farah Constructions Pty Ltd v Say-Dee Pty Ltd (2007) 230 CLR 89; [2007] HCA 22 at [135]). 
As to the causes of action pleaded for breach of the tort of invasion of privacy, it is noted that such a tort has not been recognised in this jurisdiction. 
As to the claim that the first defendant has vicarious liability for the conduct of the second defendant (in addition to the direct claims made against the first defendant as to the second defendant being given direct and unfettered access to the information in question), it is noted that the first defendant will argue that it cannot be held vicariously liable for the second defendant’s actions in circumstances where: the second defendant committed criminal offences; through conduct that was outside the scope of his engagement/employment; and where the disclosures occurred around twelve months after he had left his employment with NSW Ambulance. It is noted that the first defendant will seek to rely on the decision of Director General, Department of Education and Training v MT (2006) 67 NSWLR 237; [2006] NSWCA 270; and that although it is arguable that this decision is distinguishable, it is a defence the first defendant will press and that will need to be met by the plaintiff in relation to the vicarious liability claims. 
As to the Australian Consumer Law claims, it is noted that one argument the plaintiff must meet is that the first defendant’s dealings with its employees are not in trade and commerce, and therefore not covered by either ss 18 or 29 of the Australian Consumer Law. It is noted that although the activities of the first defendant have a commercial component to them (referring to subscription payments or charges for use of ambulances) the argument will be whether the internal relationships are relationships in trade or commerce; and this will be a defence that the plaintiff will need to meet.
Mr Rivette notes that in order to determine whether the distribution amounts fall within the appropriate range of what may be considered a fair and reasonable outcome, guidance can be obtained from awards of compensation in different jurisdictions relating to privacy and data breaches. In this regard, it is his opinion that although direct claims for compensation have not been made under either the Privacy and Personal Information Protection Act or the Privacy Act 1988 (Cth), determinations under these Acts still offer guidance as to the appropriate range of compensation for non-economic loss in privacy breach cases.
In relation to compensation for breach of confidence, Mr Rivette draws attention to three cases in which it has been found that breach of confidence will sound in damages or equitable compensation for mental distress falling short of psychiatric illness (which he considers also offer some guidance, albeit as to what can be considered the higher end of compensation for the “most egregious disclosures”). 
The most comparable complaint that Mr Rivette has identified is a complaint determined by the Office of the Australian Information Commissioner (OAIC) in Jo and Comcare [2016] AICmr 64 (Jo and Comcare). It is noted that Comcare was found to have interfered with the complainant’s privacy by disclosing information about workplace injuries at his current employment to his former employer and an insurance company, in breach of Australian Privacy Principle 6. It is noted that, unlike the current proceeding, this was a disclosure made to multiple recipients, which were all large organisations. An award of $3,000 was made by way of compensation for the loss or damages suffered by the complainant by reason of this interference with his privacy. 
Mr Rivette points out that, generally, higher awards will be given by the OAIC when the dissemination is broader, or the suffering arising from the breach is greater (reference there being made to: ‘EQ’ and Great Barrier Reef Marine Authority [2015] AICmr 11; ‘D’ and Wentworthville Leagues Club [2011] AICmr 9; and ‘DK’ and Telstra Corporation Limited [2014] AICmr 118).
Relevant decisions by the New South Wales Civil and Administrative Appeals Tribunal (NCAT) on the assessment of compensation for breach of the Privacy and Personal Information Protection Act as identified by Mr Rivette are: CJU v SafeWork NSW [2018] NSWCATAD 300; ALZ v SafeWork (NSW) (No 4) [2017] NSWCATAD 1; and AOZ v Rail Corporation NSW (No 2) [2015] NSWCATAP 179.
As to awards of compensation for breach of confidence, reference is made to Giller v Procopets; Jane Doe v Australian Broadcasting Corporation [2007] VCC 281; and Wilson v Ferguson [2015] WASC 15. It is noted that each of those cases involved the wide broadcast or dissemination of highly sensitive and personal matters relating to rape or intimate sexual material (and hence it is said that the awards must be seen to be in the highest category of compensation for non-economic loss or injury falling short of psychiatric injury). It is noted that these awards relate to far more explicit and confidential material than that disclosed by the second defendant and that in all those cases there was actual distress (or psychiatric illness) that resulted from the breach, and not a mere presumption of loss through distress. 
As to the differential amount of the minimum initial distribution to the lead plaintiff (approximately four times that of the minimum initial payment to the remaining Group Members), Mr Rivette has opined that the additional amount so allocated is justified given the time, money and energy expended in preparing witness statements, attending on experts for the purposes of those experts providing expert evidence to the court, and generally providing instructions in relation to the proceeding; and the fact that she has assumed the risks associated with being the lead plaintiff in a class action. Thus, Mr Rivette has concluded that, having regard to the awards by the OAIC and NCAT in other cases, the settlement amount and the proposed initial distributions are within the range of acceptable outcomes “even before one factors in the risks associated with the litigation”. It is his view that the awards for breach of confidence relate to the wide dissemination of highly sensitive, intimate and confidential information that was never meant to be seen or heard by any other person and are therefore not representative of what could be expected if the plaintiff’s claims in breach of confidence succeeded in the present case; and that the most comparable award of compensation is the $3,000 award by the OAIC in Jo and Comcare being for the dissemination by an employer of worker’s injury information (but noting that the disclosure in Jo and Comcare was direct and was not from an illegal act by a person employed/engaged by the defendant paying the compensation; and hence that that proceeding did not have the same inherent risks that appear in this proceeding).