Case note – Queensland privacy case

The recent case of RM v Queensland Police Service [2017] QCAT 71 considered whether an email about the WorkCover claim of a QPS employee breached information privacy principles (IPP) 4, 9, 10 or 11. It is one of the few claims for breach of privacy under the Information Privacy Act 2009 (IP Act) that has gone as far as a decision by QCAT.

By way of background, RM was a former member of the Queensland Police Service (QPS) who had been medically retired. Prior to his retirement, RM had made a WorkCover claim in which he claimed, amongst other things, that he had been bullied. During the course of the WorkCover investigation, another member of the QPS, identified as ‘CF’ in the QCAT proceedings, sent an email to 10 QPS employees which contained information about RM’s WorkCover claim including his name, his claim number, the nature of the claimed injury (being psychological and psychiatric) and the three causes/factors of the claim injury identified including the QPS employee alleged to have been involved. CF had been named as a bully in the WorkCover claim.

In finding that the email contained RM’s ‘personal information’ (as defined in the IP Act), Member Deane noted that RM’s identity and information about his claimed injury and causes was apparent in the email.

Each of the IPPs claimed by RM to have been breached by the QPS is framed in terms of the agency having ‘control of a document containing personal information.’ Under s 24 of the IP Act, the term ‘control’ for the purposes of the IPPs requires the relevant entity to have the document in its possession or otherwise have the document under its control.

RM alleged in arguing a breach of IPP 9 and 10 that the QPS did not use his personal information how it was intended to be used. Member Deane agreed. She found that the personal information was in the QPS’s possession for the purpose of preparing the employer’s report and response to WorkCover. In distributing an email containing that information to staff, it sought to address rumours relating to the WorkCover claim in a manner that was not consistent with the QPS’s policy in handling WorkCover claims.

The QPS argued that the disclosure was authorised or required under law, namely to obtain and provide information to WorkCover and it therefore fell within exception (c) of IPP 10. Member Deane rejected that argument on the basis that the direction to not take any action that accompanied the email did not support that argument. Member Deane considered whether any of the other exceptions in IPP 10 applied and found they did not.

Member Deane noted a breach of IPP 4 had not been substantiated because QPS had taken all reasonable steps to protect the personal information, despite there being an unauthorised use of the information leading to a breach of IPP 10.

In relation to the breach of IPP 10, Member Deane ordered that the QPS provide RM with a written apology, reimburse RM’s legal costs in the amount of $4,400 and pay RM compensation for humiliation and embarrassment in the amount of $5,000. That is consistent with authority that awards of compensation for breach of privacy are not to be lavish.

^{The information in this publication is provided for general purposes only. It is not to be relied on as a substitute for legal advice. Crown Law and the Department of Justice and Attorney-General accept no liability for losses caused by reliance on the material in this publication. Formal legal advice should be obtained for particular matters.}