The Supreme Court of New South Wales on Monday accepted the settlement of a pioneering class action in Australia.
Justice Julie Ward accepted the $275,000 settlement in the class action led by Tracy Evans against the NSW Ambulance Service over a major data breach. The lawsuit is the first privacy class action and the first to go to court, according to George Newhouse of Centennial Lawyers, solicitor for the lead plaintiff.
Centennial Lawyers filed the class action in 2017. Evans, a former paramedic, alleged that Waqar Malik, who was a contractor of NSW Ambulance Service, was given access to personal workers’ compensation information of around 130 employees of the service. Details gleaned from the records were then sold by Malik to at least one law firm in Sydney.
Malik was convicted in 2016 of unlawfully disclosing personal information for selling the compensation information, some of which contained sensitive medical and mental-health records.
“For me, the result is adequate as the case is about accountability rather than money,” Evans said.
She said that the class action has been frustrating, empowering, and a learning experience.
“You can’t put price on what has been learned and gained by engagement in the process of challenging this privacy breach,” she said. “We need to be sure this doesn’t happen again and to change the system to ensure that.”
She said that paramedics in the service are still being affected by everything that has occurred, as well as the atmosphere the data breach created.
“Other class action members await a letter of apology and may feel that the compensation does not reflect the impacts of the breach,” she said.
Win for ordinary people
Newhouse said that the settlement is a win for “the little, the ordinary people.” He also said that government agencies, multinationals, employers, and others “are collecting data about us and exploiting it every day.”
“Data misuse is a serious problem and those who hold it and make money from our data need to take their responsibilities seriously,” he said.
The class action shows that the law will intervene to protect ordinary people from the misuse and the theft of their data, he said.
“Employers have a duty of confidence to their employees and they must take adequate steps to protect their employee records, and this case highlights the damage that can be done if data security is breached,” Newhouse said.
Regulatory reform needed
Newhouse also called on Australia’s leaders to bolster protections against the misuse of data and data breaches.
“This class action is an Australian first, but it was a long and difficult road to travel. Our politicians need to intervene urgently and provide individuals with a satisfactory remedy for breaches of privacy and data breaches. If those who held our data were able to be held accountable for its misuse, then perhaps they would be more careful,” he said.
He said that there are “incredible profits to be reaped” from exploiting data, but there are no serious mechanisms in Australia to hold those responsible for data breaches accountable.
“Australia has one of the weakest regulatory regimes compared to the US, UK and Europe,” he said. “The fact that this is the only class action when there have been so many data breaches speaks loudly Scott Morrison must do more. Regulatory reform is urgently required.”