the solution

Recent Cases: Commonwealth

'AYN and Fortrend Securities Pty Ltd (Privacy) [2025] AICmr 167 (15 September 2025)

Facts

‘AYN’ (“complainant”) was a former employee of Fortrend Securities Pty Ltd (“respondent”). During the 30-day period following the complainant’s notice of resignation, the complainant claimed that they felt anxious and emotionally distressed due to hostile and aggressive behaviour from the Managing Director of the respondent. The complainant sought medical advice from a psychiatrist, obtained medical certificates stating that they were unfit for work and provided copies of the medical certificates to the respondent. 

 

The complainant claimed that once they left their job, the Managing Director informed the complainant’s clients that the complainant was suffering from a nervous breakdown and was unfit to continue managing client portfolios. When one client of the complainant (“Client”) took issue with the claims, the Managing Director told the Client they had a medical certificate to prove it (“Medical Certificate”). The complainant alleges that the respondent posted their medical certificate to the Client to discredit the complainant and cause reputational damage. 

 

The Office of the Australian Information Commissioner subsequently opened an investigation under s 40(1) of the Privacy Act.

 

Held

The Commissioner held that the respondent interfered with the complainant’s privacy by disclosing the complainant’s sensitive health information to a third party in breach of APP 6.2. The respondent was ordered to pay the complainant $10,000 for non-economic loss and $3,500 for aggravated damages, as well as take additional steps to address the interference, including an independent review of their privacy policies, process and training.

 

Reasoning

Whether the respondent collected and held the Medical Certificate and disclosed it to the Client 

The Commissioner did not accept the Managing Director’s denial that the respondent received the Medical Certificate, as the complainant had provided the Commissioner with a copy of an email to the Managing Director and another staff member of the respondent with the Medical Certificate attached. Therefore, the Commissioner was satisfied that the respondent collected the information. 

 

Similarly, the Commissioner did not accept the respondent’s denial of disclosure of the Medical Certificate to the Client, as the respondent provided unreliable and limited information surrounding the alleged disclosure. Whilst the envelope that contained the Medical Certificate that was posted to the Client did not identify the sender, the Commissioner accepted the complainant’s submission that only the respondent could have sent it as they were the only one to receive a copy. The complainant’s submissions were supported by file notes, emails and a statutory declaration. Therefore, in acceptance of the complainant’s submissions, the Commissioner accepted that the respondent disclosed the complainant’s Medical Certificate to the Client. 

 

Employee records exemption – s 7B(3)

Given that the complainant was no longer employed by the respondent at the time of disclosure and the disclosure of the Medical Certificate to the Client was not for an employment related purpose, the first limb of s 7B(3)(a) was not satisfied and the employee records exemption under s 7B(3) was not applicable. 

 

APP 6 – Use or disclosure of personal information 

The Commissioner accepted that the respondent disclosed the Medical Certificate to discredit the complainant to the Client and cause reputational damage. It was determined that the disclosure was not for the primary purpose of assessing the complainant’s fitness to work, nor for the purposes of their employment more generally, because the complainant was no longer employed by the respondent at the time. There was no need to disclose the Medical Certificate to a client of the complainant for these purposes. Further, the complainant did not consent to the respondent’s disclosure of their personal information and none of the exemptions in APP 6.2 were applicable. Therefore, the respondent breached APP 6.1. 

 

Remedies 

Compensation

The Commissioner accepted the complainant’s submission that they suffered non-economic loss in the form of significant humiliation, hurt feelings and embarrassment due to the privacy breach by the respondent. This submission was supported by a statutory declaration by the complainant and a letter from their treating psychiatrist detailing the non-economic loss suffered, including anxiety and depression. The complainant was awarded $10,000 for such loss. 

 

Aggravated damages

The Commissioner was satisfied that the respondent disclosed the complainant’s sensitive health information with the intent to harm the complainant through reputational damage and embarrassment. The conduct was deemed malicious, improper and unjustifiable in the circumstances. The Commissioner also had regard to the implied duties of confidentiality and mutual trust present in an employer-employee relationship and the use of the respondent’s authoritative position to adversely affect the complainant. Finally, the Commissioner noted the respondent’s lack of cooperation during the Commissioner’s investigation, including the unreliable and inaccurate information. The complainant was awarded $3,500 in aggravated damages.

YFZN and Secretary, Department of Home Affairs (Freedom of Information) [2025] ARTA 1844 (18 September 2025)

Facts 

YFZN the (“FOI applicant”) applied to the Department of Home Affairs (“Department”) seeking to amend personal records, claiming that her real identity had been incorrectly recorded because she originally entered Australia on a false passport.  The Department refused the amendment request but annotated the records to reflect the request as required by s 51 of the FOI Act.

 

The applicant then sought a review by the applicant then sought a review by the Office of the Australian Information Commissioner (“Commissioner”), the Commissioner declined to review the decision, stating the matter was more suitable for direct review by the Administrative Review Tribunal (“Tribunal”).  The applicant then applied for a review of the Department’s decision by the Tribunal under s 57A of the FOI Act.

 

Held 

The Tribunal is prohibited by s 58AA(2) from making the decision to amend personal records as requested by the applicant; the FOI Act cannot be used to amend identity in records where the question of identity was the subject of a visa related proceeding in another Court or Tribunal.  The decision by the Department dated 26 September to refuse to amend the personal records should be affirmed on that basis. 

 

Reasoning 

Application for amendment – s 48

The applicant to amend her records to show her true name (ABC) and date of birth (1990). s 48 allows a person to apply, amend, or annotate personal records if the information is incomplete, incorrect or misleading.  The applicant validly applied under this section, triggering the FOI amendment process.

 

Amendment of records – s 50 

The Department or Tribunal has power to amends records if satisfied the information is wrong or misleading.  With reference to the evidence brought forward from both parties, the Tribunal found the records were factually wrong but could not exercise the power to amend due to the limitations set out in s 58AA(2). 

 

Annotation of records – s 51

If amendment is refused, records must be annotated with the applicant’s statement unless inappropriate.  The Department refused amendment on 26 September 2023 but annotated the records to reflect the applicant’s request, complying with this section.  The applicant’s request was noted in the records despite the refusal to amend. 

 

Decisions under enactments – s 58AA(2)(a)

s 58AA(2)(a) prohibits amendments if the record is part of a decision made under an enactment by a court, tribunal, authority, or person.  This applies to any Department records that form part of visa decisions under the Migration Act 1958 (Cth).  

 

The Tribunal emphasised that the FOI amendment process cannot be used as a “back-door method’ to challenge or pre-empt decisions that properly fall within the jurisdiction of other proceedings, such as visa reviews.  The Tribunal was prevented from amending records that were directly tied to statutory visa decisions.

 

Questions decided elsewhere – s 58AA(2)(b)

This section prohibits amendments if the same question can be determined by another decision-maker (agency, tribunal, or court). The Tribunal found the Applicant’s identity was already a central issue in the pending Protection Visa Review, so it could not decide it under the FOI process. The Tribunal was ultimately barred from amending the records in this proceeding despite finding that the records were incorrect and misleading.