1 Feb 2008, 09:00

A woman had instructed a law firm to act for her in relation to a number of claims against a government agency. One of her files was accidentally placed in a box containing the files of another client who had claims against the same government agency. This other client discovered the woman's file among his own and briefly viewed its contents before advising the law firm that it was not his.

The woman complained to us that the law firm failed to ensure that her personal information was adequately protected from unauthorised access and that the law firm had disclosed her personal information to the other client. Her complaint raised issues under principles 5 and 11 of the Privacy Act.

Principle 5

Principle 5 places a general obligation on agencies that hold personal information to protect that information from loss, unauthorised access, use, modification or disclosure, by safeguards that are reasonable in the circumstances.

Principle 5 does not require that the safeguards are absolute, but that they are reasonable in the circumstances. In considering whether a security safeguard is reasonable, the kind of matters we take into account include:

• the steps and/or policies in place to guard against a breach of principle 5;
• whether those steps and/or policies have been followed;
• training provided to staff; and
• the sensitivity of the information.

We considered the safeguards taken by the law firm – which included the careful naming and storing of files – and we were satisfied that they were adequate. In this case, the woman’s file was marked with the same government department logo as the other client’s files and was mistakenly placed in his box for this reason. We formed the opinion that this incident was a “one-off” disclosure based on human error and, therefore, that the law firm had not breached principle 5.

Principle 11

Principle 11 provides that an agency must not disclose personal information unless one of the exceptions applies.

The law firm submitted that the disclosure of the woman’s personal information was unintentional and so there was no breach of principle 11. However, a disclosure does not have to be intentional for principle 11 to apply. In our view, the matters to be determined in relation to principle 11 are as follows:

• Did the agency disclose personal information?
• If so, do any of the exceptions apply?

On the evidence, it was clear that the other client read information concerning the woman’s claim during the time that the file was in his possession. Accordingly, we were satisfied that the law firm had disclosed personal information. In the absence of any applicable exception, the law firm had breached principle 11.

We were also satisfied that the disclosure included highly sensitive information and had caused the woman significant humiliation and loss of dignity. We therefore concluded that the law firm had interfered with the woman’s privacy by breaching principle 11 in this case.

Positive Resolution

After receiving our opinion, the parties agreed to attempt resolution and we acted as mediator. The outcome was that the law firm agreed to waive the fees that the woman owed. This was a substantial sum.

The woman was satisfied with this result and we closed the file.

August 2008

Security of personal information – law firm – file placed with another client’s files – general security safeguards adequate – one-off mistake – Privacy Act 1993 – principle 5

Disclosure of personal information – law firm - file disclosed to another client – intention to disclose irrelevant – no exception applied – disclosure caused significant humiliation – successful mediation – Privacy Act 1993 – principle 11, section 66(1)(b)