
‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51 (23 March 2018) | 2

NPP 2 ..... 8

Primary Purpose ..... 9

NPP 2.1(a) ..... 10

NPP 4 ..... 12

Compensation and other remedies ..... 13

Aggravated Damages ..... 15

Declarations ..... 16

Determination

1. I find that the respondent, United Super Pty Ltd as Trustee for Cbus (Cbus), interfered with the privacy, as defined in the Privacy Act 1988 (Cth) (Privacy Act), of class members by disclosing their personal information to an external organisation for a secondary purpose without their consent to that disclosure.

2. Within 60 days from the date of this determination, Cbus must issue an apology to class members acknowledging its interference with their privacy, and confirm with, and update the Office of the Australian Information Commissioner (OAIC) on, the proposed remedial measures undertaken post- breach.

Background

3. In July 2013, Lis-Con Services Pty Ltd (Lis-Con Services) and Lis-Con Concrete Constructions Pty Ltd (Lis-Con Concrete) were providing services under contract to Civil, Mining and Construction Pty Ltd (CMC) in relation to a road construction project. At that time, a number of employees of Lis-Con Services and Lis-Con Concrete were members of a superannuation fund operated by Cbus (the fund).

4. At 2:11pm on 29 July 2013, CMC sent an email to Cbus, which provided as follows:

‘As per our discussion can you please confirm the status of Liscon Services conurbations [sic] to their workers superannuation fund, that CBUS have commenced legal proceedings against Liscon Services for non-payments of contributions, not meeting their legal obligations and not adhering to an agreed payment plan between yourselves and Liscon Services. Can you also please inform me of the last payments paid and to whom the money was actually paid for.

You mentioned that the next payment is due in the first week of August (can you pls confirm?) also can you confirm that it is a legal requirement that contributions are made monthly not every 3 months?’

5. In response to CMC's request, Cbus made enquiries of Superpartners Pty Ltd (Superpartners), which administered member accounts on behalf of Cbus. Superpartners sent three emails to Cbus on 30 July 2013, containing information about superannuation contributions made to Cbus member accounts by Lis-Con Services and Lis-Con Concrete. On the same day, Cbus forwarded the three emails from Superpartners to CMC.

6. The first email contained the details of 300 Lis-Con Services employees. The second email contained the details of 35 Lis-Con Concrete employees. The third email contained the details of eleven employees of Lis-Con Services; five of whom were mentioned in the first email. The details included the following personal information:

full name;

date of birth;

superannuation member number;

most recent employer superannuation contributions; and

duration of employment.

7. In relation to those employees mentioned in the first and second emails, the emails also identified any voluntary contributions and employee salary-sacrifice contributions made by those members.

8. On 31 July 2013, CMC forwarded the three emails it had received from Cbus to an employee of Lis-Con Services (the disclosures).

The complaint

9. On 11 September 2013, a complaint was made to the OAIC on behalf of Lis-Con Services, Lis-Con Concrete and employees of both companies, whose names were included in a list attached to the complaint.

10. A revised complaint was made on 12 December 2013 by an employee of Lis-Con Concrete, on behalf of themselves and the other 340 employees of Lis-Con Services and Lis-Con Concrete whose information had been disclosed by Cbus to CMC.1 The complaint was lodged as a representative complaint. I discuss the requirements in s 38 of the Privacy Act for the making of a representative complaint below.

11. The revised complaint alleges that Cbus interfered with the privacy of Lis-Con employees by improperly disclosing their personal information to CMC, a third party. In particular, the complaint alleges that the conduct of Cbus was in breach of National Privacy Principles (NPPs) 2 and 4.

12. The representative complainant advised the OAIC that they would write to each of the class members to inform them of the representative complaint, that they were included in the complaint, and that they should notify the solicitors if they wished to 'opt out' of the complaint.2

13. On 12 December 2013, the OAIC opened an investigation into the complainants’ allegations under subsection 40(1) of the Privacy Act.

1 The representative complainant subsequently withdrew. On 13 March 2014 another employee of Lis-Con who wished to continue the complaint assumed the role of representative complainant.

2 Representative complainant's letter to the OAIC dated 19 November 2013.


14. On 12 May 2014, the representative complainant advised the OAIC of the publication of two newspaper articles on that date. The articles claimed that Cbus had disclosed the personal information of its members who were employees of 'Lis-Con' to representatives of the Construction, Forestry, Mining and Energy Union (CFMEU).3 The representative complainant later advised the OAIC that the disclosures had occurred on 12 July 2013 and 29 July 2013. While those disclosures related to some of the same employees mentioned in the emails that form the basis of this complaint, the groups of employees are not identical.4

15. No complaint under the Privacy Act has been made in relation to any disclosure by Cbus to the CFMEU. The scope of this determination is therefore limited to the three emails sent by Cbus to CMC on 30 July 2013. Accordingly, I have not had regard to any submissions made by Cbus or the representative complainant in relation to alleged improper disclosures to the CFMEU. I note that the disclosures by Cbus to CFMEU have been the subject of examination by the Royal Commission into Trade Union Governance and Corruption.

16. On 31 July 2015, the representative complainant introduced a new allegation, that of breach of NPP 1.3.5 NPP 1.3 sets out the obligations on an organisation to notify individuals about how the organisation deals with personal information.

17. Section 52(1) of the Privacy Act provides that, after investigating the complaint, I may make a determination:

(a) dismissing the complaint (s 52(1)(a)); or

(b) finding the complaint substantiated and make a determination that includes one or more of the following declarations:

(i) that the respondent has engaged in conduct constituting an interference with privacy of an individual and must not repeat or continue such conduct (s 52(1)(b)(i)(B))

(ii) that the respondent must perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant

(iii) that the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint (s 52(1)(b)(iii))

(iv) it would be inappropriate for any further action to be taken in the matter.

18. The representative complainant on behalf of all class members seeks an award of compensation (including aggravated damages) and an apology for each member of the class.

The investigation process

19. Section 40(1A) of the Privacy Act provides that I must not investigate a complaint where the complainant has not first complained to the respondent, unless I consider that it was not appropriate for the complainant to have done so.

3 Representative complainant's letter to the OAIC dated 12 May 2014.

4 Representative complainant's letter to the OAIC dated 23 March 2015.

5 Submissions of representative complainant dated 31 July 2015.


20. On 1 August 2013, solicitors acting for Lis-Con Services wrote to Cbus enclosing a copy of the first email sent by Cbus to CMC. The letter stated that:

'The misuse of our client's confidential information by your employee … is a serious breach of, at the very least, your own Member Privacy Policy and the Privacy Act 1988 (Cth).'

21. Cbus submits that s 40(1A) amounts to a bar to my investigation of this matter, on the basis that the solicitors acting for Lis-Con Services were not acting for the representative complainant. Accordingly, Cbus contended that the complainant had not first complained to the respondent before lodging a complaint with the OAIC.

22. I am satisfied that the letter to Cbus from Lis-Con Services’ solicitors was sufficient to communicate the substance of the complaint to Cbus, and that given the complexity of the issues raised by the representative complainant it was not appropriate for the representative complainant to complain directly to Cbus.

23. The OAIC's investigation of this complaint involved the following:

written submissions were provided to the OAIC by Cbus and the representative complainant

Cbus and the representative complainant attended a conciliation conference on 10 December 2015

as the complaint was not resolved through conciliation, the complaint was referred to me for determination under s 52 of the Privacy Act.

The law

24. At the time of the alleged breaches on 30 July 2013, the NPPs were the standards for handling personal information which private sector organisations subject to the Privacy Act were obliged to uphold.

25. From 12 March 2014, the Australian Privacy Principles (APPs) replaced the NPPs and the Information Privacy Principles. The APPs apply to both Australian Government agencies and private-sector organisations covered by the Privacy Act.

26. I note from the outset that because this matter relates to a complaint made prior to the 2014 reforms to the Privacy Act, the complaint is dealt with under the legislative regime as it applied at the time the complaint was made.6 The NPPs therefore apply in this instance to the question of whether or not Cbus has contravened the Act.

27. Section 13A of the Privacy Act held that an act or practice of an organisation was an interference with the privacy of an individual if the act or practice breached an NPP in relation to personal information that related to the individual. Section 16A relevantly provided that an organisation 'must not do an act, or engage in a practice, that breaches a National Privacy Principle.' Pursuant to s 6A(1), an act or practice breached an NPP if, and only if, it was contrary to, or inconsistent with, that NPP.

6 Item 16 of Schedule 6 to the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).


28. There is no dispute that Cbus was an ‘organisation’ for the purposes of the Privacy Act, and the NPPs applied to it in respect of the acts and practices the subject of the privacy complaint by the representative complainant.

29. The term 'personal information' was defined in s 6 of the Privacy Act as:

‘information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.’

30. The representative complainant alleges a breach of NPP 1.3, NPP 2 and NPP 4.

31. NPP 1.3 provided:

1.3 At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:

(a) the identity of the organisation and how to contact it; and

(b) the fact that he or she is able to gain access to the information; and

(c) the purposes for which the information is collected; and

(d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and

(e) any law that requires the particular information to be collected; and

(f) the main consequences (if any) for the individual if all or part of the information is not provided.

32. NPP 2.1 relevantly provided:

An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:

a. both of the following apply:

i. the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;

ii. the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or

b. the individual has consented to the use or disclosure; …

(b) NPP 4.1 required organisations to take reasonable steps to protect an individual’s personal information from misuse and loss and from unauthorised access, modification or disclosure.

The issues

The representative complaint

33. Section 38 of the Privacy Act sets out the conditions for making a representative complaint. A representative complaint may be lodged under s 36 only if:

(a) the class members have complaints against the same person; and

(b) all the complaints are in respect of, or arise out of, the same, similar or related circumstances; and

(c) all the complaints give rise to a substantial common issue of law or fact.

34. A representative complaint made under s 36 must:

(a) describe or otherwise identify the class members; and

(b) specify the nature of the complaints made on behalf of the class members; and

(c) specify the nature of the relief sought; and

(d) specify the questions of law or fact that are common to the complaints of the class members.

35. In describing or otherwise identifying the class members, it is not necessary to name them or specify how many there are. Further, a representative complainant can lodge a complaint without the consent of the class members.

36. Pursuant to s 38B(2) of the Privacy Act, a class member may, by notice in writing to the Commissioner, withdraw from a representative complaint at any time before the Commissioner begins to hold an inquiry into the complaint. Section 39 of the Privacy Act provides that a person who is a class member for a representative complaint is not entitled to lodge an individual complaint in respect of the same subject matter.

37. On 5 May 2014, the representative complainant advised the OAIC that they had received two 'opt-outs'. The representative complainant did not directly supply the names of the individuals, but provided a revised list of class members.7

38. On 1 May 2015, the representative complainant advised the OAIC that further members of the class had opted out of the complaint, and the number of the class reduced to 328 members. Once again, the representative complainant did not directly supply the names of the individuals, but they provided a revised list of class members.8

Findings

39. The complaint was made under s 36 of the Privacy Act, which provides for the making of representative complaints. Additionally, a representative complaint must meet the requirements of s 38 of the Privacy Act, which I have outlined at paragraphs [33] and [34].

40. I am satisfied that the revised complaint received 12 December 2013 was validly made under s 36 of the Act. In the case of an act or practice that may be an interference with the privacy of two or more individuals, any one of those individuals may make a complaint under s 36 on behalf of all of the individuals. I am also satisfied that the complaint meets the requirements under s 38 of the Privacy Act for representative complaints. There is no dispute that the conditions under s 38 for representative complaints were met. I am satisfied that they are made out.

41. Cbus contends that the representative complainant should be required to demonstrate that they have the authority to act for all class members.9 I do not accept this contention. Section 38(3) of the Privacy Act plainly provides that a representative complaint does not require the consent of class members.

42. Section 38B(2) provides a mechanism by which class members may withdraw from the complaint. This office was advised by letter of 5 May 2014 that an offer to ‘opt-out’ had been made to each class member. As at the date I decided to determine this matter, 11 class members had opted out of the representative complaint.

7 Representative complainant's letter to OAIC dated 5 May 2014.

8 Representative complainant's letter to OAIC dated 1 May 2015.

9 Cbus Submissions dated 22 September 2015.

NPP 1.3

43. Cbus did not address the allegation of breach of NPP 1.3 in its submissions and the representative complainant did not make further submissions in relation to NPP 1.3 subsequent to its initial allegation of breach on 31 July 2005.

44. In my view, based on the information available, Cbus met its obligations with respect to NPP 1.3. Cbus has a comprehensive Privacy Policy which provides information to customers on why it collects their information, and how Cbus uses and discloses that information. I am satisfied that Cbus did not interfere with the privacy of class members in this respect. Accordingly, I find there is no breach of NPP 1.3.

NPP 2

45. The representative complainant alleges a breach of NPP 2 on the basis that the class members' personal information was improperly disclosed by Cbus to CMC and, in the circumstances, Cbus cannot rely on any exceptions to the prohibition of disclosure under the Privacy Act.

46. Cbus does not dispute it made the disclosures on 30 July 2013. In response to the 1 August 2013 letter to Cbus from Lis-Con Services, advising Cbus that it had misused Lis-Con Services’ employees' confidential information and was ‘in serious breach of the Privacy Act 1988 (Cth)’, Cbus stated in a letter dated 7 August 2013 that:

‘CBUS accepts that it was inappropriate for the material relating to your client and its employees to be sent to CMC without your client's consent and inappropriate for personal details of your client's employees to be provided to a third party.

Our client is satisfied that this incident is an isolated occurrence and has taken steps to ensure that all CBUS employees are aware of their obligations and that such data cannot be distributed in this way in the future.’

47. There is also no dispute that the information disclosed by Cbus to CMC was personal information within the meaning of s 6 of the Privacy Act and included the personal information of class members.

48. Cbus, in its submissions, has proposed alternative ways in which the disclosures may be construed, each of which, it contends, satisfies its obligations under NPP 2:

a) firstly, the disclosure was for the primary purpose of collection; that is, the disclosures were to facilitate payment of Cbus members’ contributions (the primary purpose of collection)

b) secondly, disclosure fell within the NPP 2.1(a) exception to the prohibition of disclosure. That is, the disclosures were made for the related secondary purpose of facilitating payment of Cbus members’ contributions, or thirdly, the related secondary purpose of receipt and management of superannuation contributions, and class members would have had a reasonable expectation that Cbus would take all necessary steps to ensure that superannuation contributions are made to their respective accounts.


Primary Purpose

49. When an organisation collects personal information, it must only do so where the information is necessary for the organisation’s functions or activities. This is the primary purpose of collection. Cbus’ member privacy policy provides that personal information is collected which ‘is necessary for [members’] membership’. The policy describes the intended uses for personal information collected from members by Cbus, including establishing of membership accounts, processing contributions, enabling benefit payments and assisting in the collection of employer contributions for members’ accounts.

50. The Cbus trust deed also provides advice about the personal information Cbus holds, receives or becomes aware of in its capacity as trustee. It relevantly states at clause 6.4, under the heading ‘Privacy’:

‘…the Trustee …shall not disclose or make known any such records or information to any third party except as may be required in relation to the administration of the Fund or to facilitate the provision of services or Benefits to Members or as may be required by the relevant Law or as it may otherwise be lawfully required to do except that a Member may authorise the Trustee to release information pertaining to that Member to a third party...’

51. Thus, it would appear that the specific function or activity for which Cbus collects members’ information is the administration and management of members’ superannuation accounts.

52. The representative complainant does not contend otherwise. They describe the primary purpose of the collection and the holding of members’ personal information as being for the administration of their individual accounts, the proper calculation of taxation and fees due on the amount of contribution and the investment and payment out of those funds in due course in accordance with superannuation law.

53. The controversy arises in relation to, firstly, whether the disclosure of members’ personal information to a head contractor (like CMC), to assist the sub-contractors to take steps to comply with their superannuation obligations, falls within the primary purpose of collection; and secondly, whether the disclosures fall within the NPP 2.1(a) exception to the prohibition on disclosure.

54. I consider that the information available supports a finding that Cbus made the disclosures to assist CMC (in its capacity as head contractor) to take action intended to ensure that Lis-Con Services and Lis-Con Concrete paid outstanding employer superannuation contributions. The 29 July 2013 email from CMC to Cbus relevantly detailed at paragraph [46], is consistent with this purpose. On a plain reading, the three emails, which form the basis of this complaint, do not disclose any other purpose. In an affidavit sworn by the Cbus employee who made the disclosures, the employee declares that the sole purpose for the disclosures was to assist in the recovery of the employees' unpaid superannuation. Notwithstanding this, it remains unclear what action Cbus anticipated CMC might take.

55. To this end, I note and accept the following contentions made by the representative complainant:

disclosure of the class members’ personal information, including past contribution details, to the head contractor was irrelevant to any present or future entitlement to employer superannuation payments they may have had

it is unclear how disclosure to the head contractor could assist in recovering superannuation payments on behalf of class members

the Cbus administrator was concurrently proceeding with the fund’s normal credit control processes in respect of the Lis-Con group, which included a payment schedule with the trustee’s credit controller. Disclosure to CMC was not part of Cbus’ ordinary administrative process.

56. I further note that there is no evidence that Cbus satisfied itself that all of the Lis-Con employees who were Cbus members had in fact worked on the CMC site. It is possible that some of those employees whose details were included in the emails had not worked on that particular site, and were not relevant to CMC’s request.

57. Cbus, in its submissions, provided a description of Cbus’ ordinary operation of using personal information to assist in the collection of employer contributions for members’ accounts (known as the ‘compliance line’):

firstly, access to the ‘compliance line’ is limited to authorised representatives of Cbus’ member sponsoring organisations

secondly, these sponsoring organisations are provided with very limited access to data on whether an employer is meeting its obligations to make superannuation contributions for their employees who are Cbus members

thirdly, personal information is not disclosed. Instead, on receipt of the name and Cbus identification number of an employer, Cbus provides aggregated data about whether the employer is up to date with their superannuation contributions10

fourthly, this system was implemented by Cbus to prevent the unauthorised disclosure or access of personal information, while still providing information to assist in the collection of contributions on behalf of Cbus members.

58. I am not satisfied that the primary purpose of collection, that is, the administration and management of members’ superannuation accounts, extends to disclosures to head contractors to permit those entities to take action in respect of outstanding superannuation contributions owed by their subcontractors. Disclosure of personal information, including names of employees, dates of birth and past contribution details, to a head contractor seems patently outside the scope of the primary purpose of administration of class members’ accounts.

NPP 2.1(a)

59. As noted at paragraph [32], NPP 2.1 sets out the exceptions to the prohibition on disclosure where disclosure is for a secondary purpose; relevantly here, NPP 2.1(a). That is, whether the individual would reasonably expect the organisation to use or disclose the information for a related secondary purpose.

60. Whether or not this exception applies depends on the notion of ‘reasonable expectation’ and on the relationship between the primary and secondary purposes.

61. A secondary purpose is any purpose other than the primary purpose for which the organisation collected the personal information. Cbus contends that the secondary purpose in this case is to facilitate payment of Cbus members' contributions or, alternatively, to receive and manage superannuation contributions.

10 Letter from Cbus to the OAIC dated 20 December 2013, Annexure B.


62. As I have noted at paragraph [54], the information available indicates that this is the most likely rationale for the disclosure. This is then the secondary purpose.

63. NPP 2.1(a)(i) requires the secondary purpose be related to the primary purpose. This requires something more than just a tenuous link. For example, a hotel’s disclosure of a guest’s name and residential address to another guest to enable that guest to contact the former has been considered unrelated to the primary purpose of having collected the guest’s details for the purpose of staying at the hotel.11

64. At the same time, the purposes do not have to be directly related as they must be when considering ‘sensitive information’. The relationship between the purposes need only be one of ‘association’ or ‘connection’.12

65. In my view, the secondary purpose was related to the primary purpose within the meaning of NPP 2.1(a)(i). Cbus had collected the personal information of the class members for the purposes of administering and managing their superannuation accounts. The disclosures were in response to a request from CMC to confirm the status of Lis-Con Services' contributions to its workers’ superannuation fund. The disclosures were associated or connected with the administration of the fund and the provision of superannuation benefits to the members.

66. The ‘reasonably expect’ test is an objective one that has regard to what a reasonable person, who is properly informed, would expect in the circumstances. It is a question of fact in each case. The question here then is: would a reasonable person expect their personal details to be disclosed to a head contractor for the purposes of assisting in the recovery of their superannuation payments?

67. In making decisions about the handling of personal information, Cbus was constrained by the Privacy Act and its trust deed, which was to operate in accordance with the 'Relevant Law'. The ‘Relevant Law’ included the Privacy Act. The Cbus member privacy policy (policy) explained to its members how Cbus would handle their personal information. It follows then that the privacy policy informed members’ reasonable expectations about the handling of their personal information. The privacy policy explained that Cbus would 'only' use members' information for a number of purposes specified in the policy. Those purposes included using the information 'to assist in the collection of employer contributions for [members’] accounts'. The privacy policy did not refer to ‘disclose’ for this purpose, and I do not accept Cbus’ contention that the term ‘use’ should be widened to include ‘disclose’ for the purposes of the policy. In accordance with the advisory Guidelines to the National Privacy Principles, issued by the former Office of the Federal Privacy Commissioner, the term ‘use’ refers to the handling of personal information within an organisation.13 I note the privacy policy itself uses terms such as 'provide' and 'supply' when describing disclosures of personal information to third parties, clearly recognising the difference between the two terms.

68. The privacy policy described those purposes for which personal information may be disclosed to third parties. These included:

supplying information to sponsoring organisations from time to time, as part of the process of monitoring contributions

providing a third-party debt collection agency with access to information for the purposes of collecting outstanding contributions.

11 B v Hotel [2008] PrivComA 2.

12 Macquarie Dictionary, 2nd Rev Ed.

13 Guidelines to the National Privacy Principles, Office of the Federal Privacy Commissioner, September 2001, [25].

69. The policy went on to say that 'Your personal information will not be used or disclosed for any other purpose without your consent, except where required by law.'

70. I do not accept that the purpose of the disclosures to CMC was for the purpose of monitoring contributions or for providing access to information to a third-party debt collection agency. The information available to me suggests that the disclosures to CMC extended beyond that. Cbus was already well aware that the Lis-Con companies owed substantial amounts of unpaid superannuation contributions. Further, there is no evidence to suggest that CMC was a debt-collecting agency for the purposes of the fund. Moreover, there is no evidence that Cbus had a practice of routinely disclosing members’ personal information to head contractors. In fact, based on Cbus’ statements on privacy contained in its trust deed and privacy policy, it seems clear that such a practice would have been at odds with how a class member would have ordinarily expected Cbus to handle their information in relation to unauthorised third parties.

71. In its submissions, Cbus has described the manner in which it provides information to sponsoring organisations via its ‘compliance line’ process and has explained that these disclosures do not include personal information. In ordinary circumstances, Cbus only provides aggregated information. As such, I accept that members might have reasonably expected Cbus to disclose aggregated information to sponsoring organisations to allow them to take action in accordance with an applicable award, industrial agreement or enterprise bargain agreement (if any). The disclosures the subject of this representative complaint occurred in quite different circumstances and included personal information.

72. Cbus has conceded that it was not necessary for Cbus to disclose whether members had made voluntary contributions towards their superannuation account. It however has offered no specific explanation as to why it considered it necessary to provide names and dates of birth to CMC to allow for identification of relevant employees by CMC. I am not satisfied that the class members would have reasonably expected Cbus to disclose their personal information to CMC. Accordingly, I conclude that the exception at NPP 2.1(a) could not have been relied on by Cbus to make the disclosures to CMC. No other exceptions to the prohibition on disclosure are relevant in the circumstances. I therefore find Cbus has breached NPP 2.

NPP 4

73. NPP 4 required organisations to take reasonable steps to protect an individual’s personal information from misuse and loss and from unauthorised access, modification or disclosure.

74. The representative complainant did not make detailed submissions in relation to the allegation that Cbus had breached NPP 4.

75. Cbus provided information about the processes and procedures it had in place as at 30 July 2013, by which, it contended, it met its obligations under NPP 4.1. Aside from its member privacy policy discussed at paragraphs [67] to [69], Cbus stated, and provided evidence of, the following:


o it had an online Privacy Statement on its publicly accessible website, and provided all employees with a copy of its Code of Conduct, which required employees to protect, amongst other things, the confidential information of Cbus members14

o employees were required to sign a confidentiality agreement, and new employees received training on privacy obligations in their induction program

o office procedures included requiring employees to dispose of documents containing personal information in designated secure bins, and clearing their desks of any personal information before leaving their workstations

o Cbus's Executive Manager was the Privacy Officer

o its IT security measures at the time included a firewall and intruder prevention software, daily back up of data, password access and restrictions on users' rights to modify data

o it had a practice of including compliance with privacy law and confidentiality obligations as contractual terms in contracts with service providers.

Findings

76. I consider that as at 30 July 2013 Cbus had adequate measures in place to satisfy the requirement in NPP 4 for the organisation to take reasonable steps to protect an individual’s personal information from misuse and loss and from unauthorised access, modification or disclosure.

77. The Cbus employee who was otherwise authorised to deal with the personal information made the disclosures to CMC through, it seems, a lapse of judgement or misjudgement. Notwithstanding this, the employee made the disclosures for a purpose within the scope of their work functions. Pursuant to s 8 of the Privacy Act, an act done or a practice engaged in by a person employed in the service of, relevantly here, an organisation, shall be treated as having been done or engaged in by the organisation.

78. Nonetheless, although I have found the disclosures unauthorised and in breach of NPP 2, NPP 4 imposes an obligation only to adopt safeguards as are reasonable in the circumstances. I am satisfied that Cbus has met this obligation under NPP 4. Accordingly, I find there is no breach of NPP 4.

Compensation and other remedies

79. I have the discretion under subparagraph 52(1)(b)(ii) of the Privacy Act to declare that the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant.

80. I also have the discretion under subparagraph 52(1)(b)(iii) of the Privacy Act to award compensation for ‘any loss or damage suffered by reason of the interference with privacy’. Section 52(1A) states that loss or damage can include ‘injury to the complainant's feelings or humiliation suffered by the complainant'.

81. In a s 52 determination ‘complainant’ in relation to a representative complaint means the class members.

14 See: Letter from Cbus to OAIC dated 20 December 2013.


82. In Rummery and the Federal Privacy Commissioner15, the Administrative Appeals Tribunal summarised the principles in awarding compensation, including that where a complaint is substantiated and loss or damage is suffered, the legislation contemplates some form of redress in the ordinary course.

83. The declarations I may make under s 52(1) are discretionary, including the order for compensation. The onus on establishing loss or damage is on the complainant, and even where a complainant establishes loss or damage as a result of the conduct of the respondent, this does not automatically mean I must make a declaration for an award of compensation. Moreover, redress may be in the form of an apology, or some other undertaking by the respondent.

84. Cbus’ immediate response to the data breach was as follows:

o on 31 July 2013, and again on 2 August 2013, it requested that CMC delete the emails disclosed on 30 July 2013. There is however no evidence before me to indicate that CMC agreed to delete the emails or the information contained therein, or confirmed it had done so

o it developed a privacy training pack which was provided to the employee who made the disclosures. This employee was also given a warning and a one-day remedial privacy training session with representatives of Cbus' Governance and Risk business unit.

85. Notably, Cbus did not issue an apology to class members, or notify class members about the disclosures to CMC.16

86. The representative complainant has sought the following declarations in regard to loss or damage:

(a) $2,000-$3,000 in general damages for each member of the class17

(b) an award between $3,000 and $4,000 in aggravated damages per class member,

which collectively is a sum of $2.97 million, that the representative complainant contends be paid on trust to the representative complainant’s solicitors, or alternatively, be divided amongst the class members as a share of $7,000 (or as otherwise worked out by me).18

87. The representative complainant contends that legal costs incurred by class members, as well as costs incurred by the distribution of any compensation amounts to class members should be taken into account in the awarding of damages. The representative complainant also argues that I have the power to declare an award for damages to compensate for infringement of the ‘dignitary interest’ of class members.

88. The representative complainant has submitted ten statements from the 328 class members, ranging in date from July 2015 to January 2016, each of which lay claim to various emotional states, allegedly suffered as a result of the data breach. The statements contain complaints from class members being ‘unhappy’, ‘angry’, ‘upset’, ‘disappointed’ or ‘uncomfortable’ once made aware of the data breach. One class member claims the data breach compounded the level of anxiety they were already suffering as a result of a relationship breakdown. They did not provide any evidence for this assertion. Another class member claims they were stressed. They also did not provide any evidence for this assertion.

15 [2004] AATA 1221, [32].
16 Email from Cbus to the OAIC dated 17 July 2015. Cbus submits that it sent a letter of apology to ‘all but 12’ of the class members, but it seems that the apology was directed to Cbus’ disclosures to the CFMEU, which are outside the scope of this determination.
17 On 11 September 2013 when the complaint was originally made, the representative complainant sought an amount of $1,000 in compensation for each class member. This has been revised up to a total of $7,000 per class member.
18 The representative complainant also suggested that, as an alternative, $660,000 be paid on trust to their solicitors (approximately $2,000 per class member), together with such sum as I might further determine after individually assessing the loss and damage of each affected member.

89. The representative complainant submits that these statements are likely illustrative of how all the class members were affected by the breach.

90. Cbus submits, amongst other things, that the damages amount of $7,000 per class member is not justified by reference to the evidence.

Findings

91. The NPP 2 breach provides a potential basis for an award of compensation in favour of the class members. Nonetheless, I am not authorised under the Privacy Act to award compensation simply because an organisation has breached the Act. Unless an individual member of the class supplies evidence of loss or damage, they are not entitled to a remedy.

92. In this case, attributing causal effect to the breach is difficult on the limited evidence available. Any loss or damage claimed must be as a direct result of the Cbus data breach. Moreover, I can only assess actual loss or damage, not potential or future loss or damage.

93. From the statements provided, I am left unsatisfied that the disclosures have caused actual loss or damage in respect of these class members, though I accept there was a genuine concern amongst these Cbus class members that they had not been made aware of the breach when it occurred. As loss or damage may include ‘hurt feelings’, the concern which I accept class members had when they were made aware of the breach, arguably enlivens my capacity to provide some remedy. Notwithstanding this, in the circumstances of this matter, I think the most appropriate form of redress is to provide an apology. A public apology that explains the circumstances of the breach and what systems Cbus now has in place to minimise the risk of such a breach recurring, should go some way to alleviating the concerns expressed by class members who provided statements. In view of this, I decline to make an award for damages for the class members who have provided statements or any other class members.

94. I also note that as this is a representative complaint, I am precluded, pursuant to s 52(3) of the Privacy Act, from including a declaration relating to reimbursement of any legal expenses that the representative complainant or any other class members may have incurred in making the complaint or during the investigation.

Aggravated Damages

95. As I have declined to make an award for damages, the issue of aggravated damages does not arise. I should note for completeness’ sake that the representative complainant had pressed for aggravated damages on the basis that the act was done by a trustee who had a special role of trust and confidence in respect of members and a duty to abide by the trust deed and the conditions contained therein. The representative complainant also indicated that aggravated damages were warranted because Cbus failed to immediately disclose to affected members that the breach had occurred, failed to provide a specific apology and, amongst other things, did not take steps to ensure the information disclosed was deleted or to ascertain what, if any, other third parties had accessed the information.


96. I have previously made reference to two principles which provide useful guidance in determining whether an award for aggravated damages is warranted:

(a) where the respondent behaved ‘high-handedly, maliciously, insultingly or oppressively in committing the act of discrimination'19

(b) where the manner in which a defendant conducts their case may exacerbate the hurt and injury suffered by the plaintiff.20

97. I do not consider that the way Cbus has conducted its case falls within those categories, so as to justify an award of aggravated damages if in fact it was open for me to find on this. I accept Cbus’ contention that Cbus employees were acting in pursuit of overdue superannuation contributions, not ‘high-handedly, maliciously, insultingly or oppressively’. The lack to date of a formal specific apology, and failure to take remedial steps would not in the totality of the circumstances before me, justify an award of aggravated damages.

98. I note that Cbus states, since the data breach, it has taken substantial remedial steps to prevent future privacy breaches, including:

(a) reform of its privacy policy and procedures, with additional restrictions and controls in respect of access to the member database for the running of reports

(b) the establishment of a special purpose privacy sub-committee of the Cbus Board

(c) the creation of the role of Superannuation Arrears Manager, the aim of which is to enhance the processes and systems by which Cbus collects outstanding arrears, and to minimise the necessity or expediency of involving third parties (such as unions) in the collection of arrears

(d) the implementation of a Privacy Program and Privacy Impact Assessment Procedure and review of privacy policies

(e) the implementation of a member consent regime for the provision of member information to sponsoring organisations for the purpose of recovering arrears.

Findings

99. For the reasons I have given, I have decided to make a determination finding the representative complaint against Cbus substantiated. I have made that decision on the ground that Cbus’ disclosure of the class members’ personal information to CMC was not for the primary purpose of collection and did not fall within any of the exceptions to NPP 2, set out in NPP 2.1(a) to (h) of the Privacy Act.

Declarations

100. I declare that the complaint is substantiated in accordance with s 52(1)(b)(i)(B) of the Privacy Act, on the basis that Cbus disclosed class members’ personal information to CMC in breach of NPP 2.

19 Hall v A & A Sheiban Pty Ltd [1989] FCA 72, [75].
20 ‘D’ v Wentworthville Leagues Club [2001] AICmr 9, [50]; ‘S’ v Veda Advantage Information Services and Solutions Limited [2012] AICmr 33, [93]; ‘BO’ v Aerocare Pty Ltd [2014] AICmr 37, [57].


101. I therefore declare, under s 52(1)(b)(ii) of the Privacy Act that within 60 days of this determination, Cbus must issue an apology to class members, acknowledging its interference with their privacy, specifically dealing with the circumstances around the disclosures to CMC.

102. I declare that under s 52(1)(b)(ii) of the Privacy Act, Cbus must:

o by 30 April 2018 provide a written confirmation to the OAIC that the proposed remedial measures subsequent to the breach, detailed at paragraph [98] of this determination, were in fact adopted and implemented by Cbus, and

o by 30 September 2018 undertake a review of those remedial measures and advise my office in writing of the findings and outcomes of that review.

Timothy Pilgrim

Australian Privacy Commissioner

23 March 2018

Review rights

A party may apply under s 96 of the Privacy Act 1988 to have a decision under s 52(1) or (1A) to make a determination reviewed by the Administrative Appeals Tribunal (AAT). The AAT provides independent merits review of administrative decisions and has power to set aside, vary, or affirm a privacy determination. An application to the AAT must be made within 28 days after the day on which the person is given the privacy determination (s 29(2) of the Administrative Appeals Tribunal Act 1975). An application fee may be payable when lodging an application for review to the AAT. Further information is available on the AAT’s website (www.aat.gov.au) or by telephoning 1300 366 700.

A party may also apply under s 5 of the Administrative Decisions (Judicial Review) Act 1977 to have the determination reviewed by the Federal Circuit Court or the Federal Court of Australia. The Court may refer the matter back to the OAIC for further consideration if it finds the Information Commissioner’s decision was wrong in law or the Information Commissioner’s powers were not exercised properly. An application to the Court must be lodged within 28 days of the date of the determination. An application fee may be payable when lodging an application to the Court. Further information is available on the Court’s website (http://www.federalcourt.gov.au/) or by contacting your nearest District Registry.

Making a complaint to the Commonwealth Ombudsman

If you believe you have been treated unfairly by the OAIC, you can make a complaint to the Commonwealth Ombudsman (the Ombudsman). The Ombudsman's services are free. The Ombudsman can investigate complaints about the administrative actions of Australian Government agencies to see if you have been treated unfairly. If the Ombudsman finds your complaint is justified, the Ombudsman can recommend that the OAIC reconsider or change its action or decision or take any other action that the Ombudsman considers is appropriate. You can contact the Ombudsman's office for more information on 1300 362 072 or visit the Commonwealth Ombudsman’s website.
