Services Australia penalised for breaching privacy of a vulnerable customer

The agency's process for updating personal information in a domestic violence situation was not only alarming; the Information Commissioner also found it to be a breach of privacy.

The Australian Information Commissioner has issued Services Australia with a notice to pay a customer AU$19,980 as atonement for breaching her privacy.

The woman was in receipt of Centrelink benefits administered by the Department of Human Services, now Services Australia.

At the time, she lived with her then-partner, and as such, her entitlements were calculated by taking his income into consideration as their respective online accounts were linked.

"One effect of 'linking' records meant that if the complainant were to update her address using her online account, her partner's address on his online account would also be updated to reflect the change, and vice versa," the commissioner's finding detailed. "The agency's practice was to continue to keep such records linked unless and until it verified any claimed separation on the part of one of the linked individuals."

An Apprehended Violence Order (AVO) was taken out against the then-partner in December 2015, which the man was later imprisoned for breaching. The woman shortly after attempted to lodge a "Claim for Crisis Payment: extreme circumstance and domestic violence" form with the agency, seeking what is referred to as a crisis payment.

The agency denied this claim for payment on the basis that the complainant continued to reside at the original address, that the AVO did not exclude the former partner from returning to the original address, and that the complainant was still in a relationship with the partner, the commissioner's finding explains.

A "separation details form" was then filed, but it was marked as incomplete by the agency and the woman's details, six months later, were still not updated.

In September 2016, the woman moved to a new address and claimed that she had notified the agency of this change by attending an office in person. The following month, the new address was entered as an update to her online account and submitted; however, the agency did not process the change at that time. It wasn't until January 2017 that the agency processed the change of address.

The former partner's online account was also updated to the new address at this time.

Her marital status was also finally changed to reflect she was single.

Subsequently, the former partner posted a screenshot of the new address to a social media platform used by the complainant with a comment "change your myGov", the information commissioner said.

The AU$19,980 Services Australia has been asked to pay comprises AU$10,000 for non-economic loss, AU$8,000 for reasonably incurred legal expenses, and AU$1,980 for reasonably incurred expenses in preparing a medical report.

The agency denies that it interfered with the woman's privacy, but it does not dispute that it disclosed the new address to the former partner and that when it was disclosed, it amounted to the complainant's personal information.

The agency said it "was unable to accept that claim in the absence of full address details for referees who could verify the separation".

The commissioner found the agency failed to ensure the complainant's personal information about her separation status was kept accurate and up to date, in breach of Australian Privacy Principle (APP) 10, and similarly that her address was not kept accurate and up to date.

It was also found the agency's disclosure of the complainant's personal information to the former partner breached APPs 6 and 11.

"I find that the agency has breached APP 11 by failing to take reasonable steps to protect the complainant's personal information, being her new address, from the unauthorised disclosure that breached APP 6," the commissioner wrote.

The agency has now updated its form to provide more protections from potential domestic violence situations.

The commissioner has also directed the agency to engage an independent auditor within three months to assess its policies, procedures, and systems against the requirements of APP 11.

In a second case, the commissioner has asked the agency to pay AU$1,000 for loss caused by the interference with the complainant's privacy.

The complainant contends that the agency breached his privacy when it provided his personal information to an external debt collection agency for the purposes of debt recovery, because the debts were "unlawful". On that basis, the complainant argues that the disclosure of his information was not authorised under APP 6.

He also claims that the agency breached APP 10 by disclosing the existence of the debts to the collection firm.

The commissioner declared the agency engaged in conduct constituting an interference with the privacy of the complainant and must not repeat that conduct.

IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP CONTACT ONE OF THESE SERVICES:

  • Suicide Call Back Service on 1300 659 467
  • Lifeline on 13 11 14
  • Kids Helpline on 1800 551 800
  • MensLine Australia on 1300 789 978
  • Beyond Blue on 1300 22 46 36
  • Headspace on 1800 650 890
  • QLife on 1800 184 527
