Australia’s First Privacy Breach Class Action: An Interview With Lawyer George Newhouse
It’s said that data has replaced oil as the most profitable commodity in today’s digital era. And like all things lucrative, the potential for data to be used in deceptive or illegal ways for financial benefit is not only there, but it’s increasingly being put into practice.
The most well-known examples of questionable data usage is the manner in which the big tech giants have been breaching the trust of their clients, when allowing their freely given personal information to be used to influence how they act.
But, a recent case – the first of its kind in Australia – highlights the fact that data breaches are in no way confined to social media. And the action brought by former paramedic Tracey Evans further shows that Australian employers can be negligible in the way they store employee data.
The Office of the Australian Information Commissioner (OAIC) outlines that a data breach occurs when personal information is accessed or disclosed without authorisation, or its lost. And in the case of Ms Evans and other NSW Ambulance employees, their personal information was sold.
A lasting impact
The NSW Supreme Court accepted a $275,000 settlement on 9 December for the class action brought against the NSW Health Administration Corporation. It concerned the 2013 disclosure of workers’ compensation files, as well as staff and medical records.
Injury management coordinator Waqar Malik was found to have accessed the data of 130 Ambulance Service NSW employees, which he then sold to at least one law firm. Malik was subsequently convicted of unlawful disclosure of data in 2016.
For Evans, the importance of the action was not the size of the payout, but that NSW Ambulance be held accountable for the data breaches that occurred over January and February 2013. She also stressed that employers need to be more vigilant in securing private information about employees.
And while this data breach occurred some seven years ago now, Ms Evans has made clear that she and some of the other paramedics involved are still suffering the consequences due to this highly sensitive information being handed on to strangers.
A growing concern
Centennial Lawyers principal solicitor George Newhouse represented Ms Evans. Following the announcement of the settlement, he remarked that “data misuse is a serious problem”, and those who are storing it should take their “responsibility seriously”.
According to Newhouse, compared with the US, the UK and Europe, Australia has flimsy data protections. And the adjunct professor stressed that it was about time local politicians put mechanisms in place that protected the private information of ordinary citizens.
Sydney Criminal Lawyers spoke to Mr Newhouse about the growing issue of data misuse in Australia, what sort of provisions he asserts need to be put in place in order to prevent ongoing breaches, and how it’s time for government to act on privacy.
Firstly, in early December, NSW Supreme Court Justice Julie Ward accepted a $275,000 settlement in a class action led by Tracy Evans against the Health Administration Corporation over a major data breach.
This was the first privacy class action in Australia. Mr Newhouse, what would you say is the significance of this first of its kind action?
The significance is profound. We’ve seen many class actions in the United States against companies like Yahoo, but we’ve never had a privacy breach class action in Australia before Tracey Evan’s case.
The problem is many practitioners have been put off taking these kinds of actions because it’s novel law, the damages are low and sometimes it’s hard to prove a breach.
The case involved contractor Waqar Malik accessing the files of 130 NSW Ambulance Service employees back in 2013 and then selling the information.
What actually happened? And why was this information worth purchasing?
We don’t know exactly what happened to the data of the NSW Ambulance workers, and that highlights the failures of the defendant in this case, as they don’t know either.
But, what we do know from the police records is that Mr Malik attempted to sell information he took from confidential workers’ compensation files to lawyers.
And in answer to your question, why would anyone pay money for it, the simple answer is that it appears that the lawyers were seeking to harvest the information for leads.
The class action was led by former NSW Ambulance Service employee Ms Evans on behalf of 108 participants. In terms of the impact this breach has had upon those involved, what was presented?
The only evidence that was presented to the court focused on the significant impacts of the data breach on Tracey.
As you’ve said, the case highlights the problem of data misuse. How much of an issue would you say this is in Australia at present?
It’s an extremely serious issue and it’s pervasive. You only have to look at the Office of the Australian Information Commissioner’s published list of data breach disclosures to see this problem is growing and it’s only going to get worse in the future.
At the time Malik was operating, there was no requirement for a mandatory data breach disclosure. However, you can now see on the OAIC website that the problem is endemic and growing.
You also stated following the case that you hope it results in employers taking more adequate steps in protecting data and that politicians put measures in place to prevent such breaches.
What sort of mechanisms do you suggest need to be established to counteract this growing issue?
There is no one size fits all solution. Organisations, particularly governments, need to take the issue of data security more seriously.
There needs to be better training, better physical and electronic security and limiting access to confidential data to those who need it only. There should be better staff identification systems, training, secure access codes, password generation and a raft of other measures. Those are just some of the issues
One critical measure is differential access, as it’s vital that only the right people have access to personal or health data, and the lists of people with access must be constantly reassessed and minimised.
And lastly, Mr Newhouse, without the suggested measures you’ve just mentioned being in place, how vulnerable would you say employees’ data is?
I’m not saying those measures aren’t in place. The NSW government may have learned its lesson and implemented at least some of them.
But, if they aren’t implementing strict security measures for personal and health information, then individuals should be very concerned about providing their personal information to governments, businesses and online.