In early August 2019, the Australian Competition and Consumer Commission (ACCC) took HealthEngine to Court for allegedly misusing patient data and manipulating reviews. The ACCC is the regulatory body that enforces consumer protection laws and takes action against businesses who engage in misleading and anti-competitive conduct.
HealthEngine admitted misconduct, and on 20 August 2020, the ACCC ordered them to:
- pay a $2.9 million fine;
- submit to ongoing independent reviews of its consumer law compliance plan;
- contact affected users to explain what had happened and assist them in regaining control of their personal information; and
- pay the ACCC’s costs for bringing the proceedings.
This article will explain the key lessons from the HealthEngine decision so that you do not make the same mistakes for your business.
Who is HealthEngine?
HealthEngine is a well-known online platform that allows users to make bookings with health practices and practitioners. It also allows them to leave reviews about their experiences receiving those services.
Previously, users of HealthEngine were able to access reviews provided by other users about the quality and service that they received. Where available, they have now limited to an indication of the percentage of users that would recommend the service. This percentage is based on the number of reviews received by HealthEngine.
What Was the Issue?
There were three key issues that the ACCC called out.
They claimed that HealthEngine had:
- manipulated the reviews of users that is published on the platform;
- misrepresented to users why a rating was not published for some health practices; and
- disclosed the personal information of users of the platform to health insurance brokers for a fee without making this sufficiently clear to those users.
What Misconduct Did the ACCC Find?
In relation to the manipulation of reviews, HealthEngine admitted that over almost three years, approximately:
- 17,000 reviews were not published; and
- 3,000 reviews were edited by adding improvements or removing the parts that were negative.
This and the misrepresentation as to why a rating was not published, were considered issues by the ACCC because users may have visited certain health practices and practitioners based on reviews that did not accurately reflect the users’ experiences.
On the disclosure of information, HealthEngine admitted that over a period of almost four years, it earnt more than $1.8 million by giving the non-clinical personal information of over 135,000 users to health insurance brokers. This information included:
- names;
- dates of birth;
- phone numbers; and
- email addresses.
The ACCC’s concern here was that this disclosure happened without HealthEngine properly informing users that they would use their information in this way. This made it a misuse or use of data that could result in consumer harm.
What Does the Decision Mean for You?
This HealthEngine decision serves as a reminder that if you allow users to make and view other users’ reviews, you should be careful about how you manage and present these reviews. This includes where your business is an online marketplace, and the reviews are about services other than your own.
It is also a warning from the ACCC that misuse of information is not just a privacy issue. It is also a consumer law issue that the ACCC is actively pursuing with very tough consequences for wrongdoers. This is in line with the ACCC’s Digital Platforms Inquiry, which recommended introducing certain General Data Protection Regulation (GDPR) principles into Australian privacy law. These include stronger notification requirements when businesses collect personal data.
Tips for Managing Online Reviews
The ACCC has a lot of useful information on its website about how to manage online reviews. Key points include that you should:
- ensure the reviews are genuine;
- make it clear to viewers what reviews are (and are not) visible;
- avoid editing reviews in any way that may be deceptive or misleading;
- restrict people from leaving a review for services they have not used or that they have not used recently (for example, within the last month or so);
- encourage reviewers to be honest, specific and factual in their reviews; and
- ensure that reviewers reveal any biases (for example, if they are receiving payment to provide the review).
Tips for Avoiding Misuse of Data
Find out whether you are an Australian Privacy Principle (APP) entity. An APP entity is any sole trader, partnership, trust, company or unincorporated association that has:
- an annual turnover of over $3 million; or
- less than $3 million in turnover but falls under certain exceptions.
If you are an APP entity, you must make sure that you are compliant with Australian privacy laws (including the Australian Privacy Principles).
Even where you are not an APP entity, it is good practice to:
- be upfront and clear about what personal information you are collecting;
- how you are collecting the information; and
- what you will do with this personal information.
An easy way to achieve this transparency is through a privacy policy. Alternatively, when collecting any personal information, you could provide a notice to the person you are doing so. Here, you need to outline:
- why you are collecting the information; and
- what you are planning on doing with it.
If you have a privacy policy, you should review it to make sure that it is clear, accurate and up to date. Where a privacy policy is not clear, accurate or up to date, there is a risk that it could be misleading.
Key Takeaways
A huge fine for HealthEngine shows that the ACCC is serious about making the misuse of information a consumer law issue, and preventing consumers from misleading conduct. If you have any questions or would like to know more about whether your business is compliant, get in touch with LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.
We appreciate your feedback – your submission has been successfully received.
