Comcare hit with $23k privacy fine over FOI bungle

Government workplace compensation authority Comcare has been ordered to pay a former Defence worker $23,000 after it failed to redact her personal information from a document published under FOI laws.

Comcare published the report, which outlined the former officer’s claims she was the victim of a cancer cluster at the Department of Defence, on its FOI disclosure log in May 2011, after she had requested its findings via freedom of information laws.

But while some of the report had been redacted, many sensitive details about the Defence employee slipped through the gaps.

The document sat on the Comcare website for 12 months, revealing her name, postal address, date of birth, health details, and her unique identifier for Defence’s PMKeyS payroll system, which could provide access to her phone number and personal email address.

The woman, whose name has not been released, only realised her details were on the web when she was copied in on an email from one of her senior officers that linked to the Comcare report.

Comcare took down the document and issued an apology three days after the former staffer discovered and reported the issue in August 2012.

But Privacy Commissioner Timothy Pilgrim last week ruled that publishing the poorly redacted report amounted to a breach of the Privacy Act, albeit an unintentional one.

“I consider that it would have been reasonable for Comcare to ensure the removal or de-identification of all of the complainant’s health information from the report prior to making it publicly available on its website," Pilgrim said in his ruling.

"This could have been achieved by second and third tier reviews to ensure inadvertent mistakes such as this one were not made."

He ordered Comcare to pay the former Defence worker $20,000 to compensate for the emotional toll of the disclosure, a figure well short of the $150,000 she had originally asked for.

Pilgrim also told the agency to cover $3000 worth of her $24,000 legal bill, concluding that not all of the money had been directly related to the case or reasonably spent on it.

Comcare says it has put more staff on its FOI and privacy functions in an effort to make sure this kind of slip up isn’t repeated.