Commentary
IPP 2.1 – Use or disclosure is for the primary purpose of collection
- This decision suggests that even inadvertent disclosures will be taken to have a ‘purpose’ for IPP 2.1, and that this purpose should be interpreted according to the subjective intentions of the organisation.
IPP 4.1 – Data security
- This decision highlights some of the factors that VCAT may consider when determining whether ‘reasonable steps’ have been taken for the purposes of IPP 4.1. These include:
  - any training and instructions provided to employees prior to the incident;
  - the actions taken by the organisation to contain the incident; and
  - the actions taken by the organisation to reduce re-occurrence of future similar incidents.
Facts and decision
- TSJ was the grandmother of two children who had been placed in her care following child protective orders being made.
- A social worker (S) for the Department of Health and Human Services (Department) inadvertently delivered a case plan containing TSJ’s personal information to another family (X).
- X opened and started to read the case plan but stopped after becoming aware that it was not their case plan. X telephoned S and informed them of the mistake, and S came and picked up the case plan the following day.
- TSJ alleged that the Department breached IPP 2.1 and 4.1 when it disclosed the case plan containing their personal information to X. Neither party disputed that the mailing of the wrong case plan to X was an unintentional error.
- The error occurred when S printed the case plan and assumed that what she picked up from the printer was what she had printed. However, someone else had printed another document at the same time, and that document is what she had picked up instead.
IPP 2.1 – Use or disclosure for the primary purpose of collection
Submissions and decision
- The Department contended that it had not interfered with IPP 2.1 because it did not have a purpose in disclosing the case plan to S, the disclosure being inadvertent. VCAT rejected this argument and interpreted ‘purpose’ to mean the subjective purpose of the party, which in this case was to send TSJ her case plan.
- In the alternative, the Department contended that the disclosure was for the primary purpose of collection, being the discharge of its duties in relation to the children. It is difficult to understand VCAT’s resolution of this position from the judgment. VCAT simply states that S’s intention was to fulfil this primary purpose.
- VCAT did not conclude on whether or not there was an interference with IPP 2.1, as it resolved the issue by looking at the exception in s 118 of the Privacy and Data Protection Act 2014 (Vic.) (PDP Act).
- VCAT found that section 118 applied to excuse the Department from liability for the inadvertent disclosure by its employee, S. VCAT noted the following factors (which are also relevant to IPP 4.1, discussed below) as relevant to its finding that the Department took reasonable precautions and exercised due diligence to avoid the disclosure being made:
  - The Department’s Client Incident Reporting System automatically assigns data breaches the highest possible severity rating.
  - Prior to the incident occurring, the Department had circulated correspondence to employees urging care in dealing with personal information of clients and their families and setting out a number of ways in which this should be done.
IPP 4.1 – Data security
Decision
- VCAT held that the Department had not interfered with IPP 4.1 because it took the following reasonable steps:
  - Prior to the incident
    - The Department had sent correspondence to employees that urged them to take care when dealing with personal information of clients and their families and set out a number of ways employees could do this.
    - The Department had provided employees with an appropriate level of training. This is what had led S, upon becoming aware of the incident, to escalate it to her supervisor and take next steps.
  - During the incident
    - The Department took action to contain the incident, including: picking up the case plan from X, getting confirmation from X that they had not made copies, and informing TSJ of the incident.
  - Following the incident
    - The Department had implemented additional measures to reduce re-occurrence, such as informing employees how they could print confidentially.
- VCAT also seems to have been influenced by the factor that it was difficult to see what more could have been done by the Department to prevent this incident from occurring. VCAT highlighted that IPP 4.1 requires organisations to take ‘reasonable steps’ but that it is not possible to prevent all types of human error from occurring.
About this decision
Venue: VCAT
Date of decision: 05/11/2016