A business has breached a person’s privacy after it accidentally sent an invoice containing their personal information to an incorrect email address.

The person requested that the business’ invoices be sent to a different email address because his former partner had access to the former email account. The person had moved to a new address with his new partner, and did not wish for his former partner to know his address as a Trespass Order was in place.

When the business’ invoice was sent to the incorrect email address, the person’s new address was disclosed to the former partner.

After making a complaint to the business, the person was offered $10,000 in compensation.

Feeling this was insufficient, he complained to the Office of the Privacy Commissioner, alleging that the business had breached three privacy principles:

  • that an agency shall ensure the personal information it holds is protected by such security safeguards as are reasonable in the circumstances against loss, access, use, modification, disclosure or misuse;

  • that an agency shall not use the personal information it holds without taking such steps as are reasonable in the circumstances to ensure the information is accurate, up to date, complete, relevant and not misleading; and

  • that an agency shall not disclose the personal information it holds unless it believes on reasonable grounds that it was permitted to do so (for example that an exception applied).

The Privacy Commissioner contacted the business which admitted to breaching the person’s privacy, but insisted that while it had safeguards in place no system was perfect.

The business increased its settlement offer which was again rejected. The Office of the Privacy Commissioner offered to conduct a mediation. During mediation, the person explained the impact that the breach had on himself and his new partner including having to relocate again.

Ultimately, both parties agreed on a final sum of $32,000 as compensation.

Alan Knowsley
Privacy Lawyer