On 9 December 2019, the Supreme Court of New South Wales accepted a $AU275,000 ($NZ288,000) payment in settlement of a class action against the NSW Ambulance service.
This claim, which was brought by current and former employees of the NSW Ambulance Service, was the first data breach class action to have resulted in Court proceedings in Australia, as well as the first to conclude in a settlement.
The class action provides a clear model for similar actions in New Zealand, and a potential route to make privacy claims economic, especially in cases where many people are affected but where substantial damages would not be available to any individual.
The NSW claim
In early 2013, a contractor at the New South Wales Ambulance Service unlawfully accessed the workers' compensation files of 130 current and former employees, and sold this data to personal injury law firms. These files included sensitive medical and psychiatric records of the employees. In 2016, the contractor was convicted of unlawfully disclosing personal information.
On 20 November 2017, a class action was filed against the NSW Ambulance Service on behalf of 108 of the affected employees. The proceeding alleged that the NSW Ambulance Service was liable in relation to a raft of claims, including breach of confidence, breach of contract, misleading and deceptive conduct, and invasion of privacy, due to its alleged failure to adequately protect the personal records of its employees.
The plaintiffs claimed that NSW Ambulance's failure to protect their privacy entitled them to compensation for pain and suffering, psychological injuries and economic loss.
In its defence to the claim, NSW Ambulance argued that the claimants had no relevant right to privacy and accordingly had no cause of action.
In December 2019, the lead plaintiff and the NSW Ambulance Service agreed to settle the proceedings on the basis that the NSW Ambulance Service would make a payment of $275,000 to the affected NSW Ambulance Service employees as compensation for the data breach.
The New Zealand context
Despite being well-established in other jurisdictions such as Australia, representative actions have only recently become a prominent feature of New Zealand's legal framework.
As we have previously written about here, the Court of Appeal recently held in Ross v Southern Response Earthquake Services Limited [2019] NZCA 431 that everyone with the same type of claim as a plaintiff may automatically become a class member claimant, unless they actively take steps to "opt-out" of that class. The NSW Ambulance Service case is an example of an opt-out claim, and lawyers acting for the plaintiffs have advised that any class members who were not active in the proceeding have until 10 June 2020 to make a claim for compensation under this settlement.
The Court of Appeal's decision in Southern Response is likely to increase the number of representative actions, as it makes it much easier to form a substantial class. It will also increase the sum of damages available by increasing the size of the class of potential claimants compared to what would be the case for an "opt-in" claim. Even modest damages for individuals can amount to substantial sums when applied to large classes.
The NSW Ambulance Service class action also comes in the context of a recently implemented mandatory privacy and data breach notification regime for Australia. New Zealand is also set to implement mandatory privacy and data breach notification regime in 2020. This regime will require agencies to notify individuals affected by privacy or data breaches where it is reasonable to believe that breach has caused, or is likely to cause, "serious harm". Such notifications already occur frequently, of course, but the increased visibility from mandatory notification is likely to raise awareness and may increase the likelihood of litigation.
What's next?
It is only a matter of time before New Zealand sees its first class action for a privacy breach. The availability of opt-out actions combined with compulsory notification, and increasing social anxiety about the misuse of personal information, all suggest that it is a question of when, not if, the first class actions are filed.
It is a good reminder for organisations that do not want to be on the cutting edge of privacy litigation to review their practices to minimise the risk of data breaches and mitigate the effects of any breaches that do occur.