Centrelink has been ordered to pay nearly $20,000 and issue a written apology to a domestic violence victim for breaching the Privacy Act by disclosing her new address to her abusive former partner.
The Australian Information Commissioner has issued Services Australia a notice to pay the woman $19,890 in compensation for the privacy breach.
Services Australia was found to have breached the Privacy Act when it failed in 2016 to separate the woman’s online account from her former abusive partner’s, which were linked because they had previously lived together.
But when she moved away and updated her address on myGov, his account was subsequently updated with her new address.
Domestic violence victim's privacy breached amid Centrelink botch-up
At the time, the woman was receiving Centrelink benefits and was living with her then-partner. Because they shared the same address, her entitlements were calculated by taking his income into consideration and their online accounts were linked.
But a ruling by the Australian Information Commissioner and Privacy Commissioner Angelene Falk stated that the effect of ‘linking’ the accounts meant, when one individual updates their address through their online account, the partner’s details are also updated.
The accounts would remain linked until a claim at separation is verified.
An Apprehended Violence Order (AVO) was taken out against the man in December 2015, and he was imprisoned for violating it by punching the woman in the face while driving.
The woman then attempted to lodge a crisis payment claim with Services Australia but was denied on the basis that the woman was still living with her then-partner at the original address, that the AVO didn’t bar the man from returning to the address, and that they were still in a relationship.
A ‘separation details form’ was filed but deemed incomplete by the agency and was never updated.
Nearly a year later, in September 2016, the woman had moved to another state in order to escape her former partner and decade-long relationship, and did not tell anyone where she was moving to.
She visited a Centrelink branch in person to notify the agency of the change and that she had separated from her former partner in February 2016, but her address was not processed or updated until January 2017.
Unbeknownst to her, her former partner’s address was automatically updated to the new address. Months later, the man had moved interstate to live near her.
The woman discovered the privacy breach when her former partner uploaded a Google Maps image of new home to Facebook, with the comment: “Change your MyGov”.
The woman said “her heart just sank” at the fact that he had found her, and she felt sick.
“I did everything right when I had the strength to leave him and he found me through no fault of my own.”
The $19,980 penalty Centrelink has been ordered to pay includes $10,000 for non-economic loss; $8,000 for reasonably incurred legal expenses; and $1,980 for reasonably incurred expenses to prepare a medical report.
The Commission found that the agency had breached on four accounts over failures to keep her personal information accurate and up to date and for disclosing the victim’s personal information to her former partner.
"I find that the agency has breached APP 11 by failing to take reasonable steps to protect the complainant's personal information, being her new address, from the unauthorised disclosure that breached APP 6," Commissioner Falk stated.
'We apologise deeply': Services Australia
Services Australia general manager Hank Jongen said it “fully” accepted the commissioner’s declarations.
“Services Australia acknowledges its processes failed to protect the privacy of this customer,” Jongen said in a statement.
“We apologise deeply and unreservedly to the complainant for the stress and pain caused.”
The agency has been ordered to hire an independent auditor to examine its processes around unauthorised disclosure of personal information, and must write a written apology to the woman.
Jongen said privacy and the safety of its customers were "our highest priorities" and that in the years since the incident, Services Australia has taken more steps to support customers impacted by family and domestic violence.
“For example, we have changed our process to require that we de-link a customer’s Centrelink record from their partner’s as soon as they tell us they’ve separated, without the need for paperwork,” Jongen said.
"We’re acutely aware of the heightened risks of separation for customers when family and domestic violence is a factor.
"We’ve had a suite of dedicated services and support for customers in these circumstances for many years."
Services Australia also last year launched a Family and Domestic Violence Strategy, he added.
All staff who interact with customers are provided with family and domestic violence training, with privacy training mandatory for all agency staff.
The woman described the three-year privacy complaints process as “drawn out and difficult”.
“At every turn with the department and their lawyers ... I’ve been disbelieved and doubted.”
But she said she wanted to see the case through so Services Australia would fix its processes and better assist women.