icare must now consider 204 alleged privacy breaches by a worker after a tribunal ruled the insurer wrongly rejected her complaint as time-barred.
The NSW Civil and Administrative Tribunal handed down its decision on January 27, 2026, finding that the six-month window for lodging privacy complaints does not start ticking until a claimant actually understands that the conduct in question might breach privacy law.
The ruling stems from a workers' compensation claim lodged in May 2021 by a woman identified only as GJO, whose identity remains protected by a non-publication order. She had sustained a psychological injury during her employment with Hunter New England Local Health District and filed her claim with icare, which transferred management to QBE as its claims service provider. QBE accepted liability for the injury in September 2021.
Nearly three years later, on July 2, 2024, GJO filed an internal review application with icare. Her complaint was sweeping: 204 separate allegations that icare and QBE had mishandled her personal and health information throughout the life of her claim. The allegations covered everything from the initial liability assessment to a 2023 medical examination conducted by an injury management consultant.
icare pushed back. On August 16, 2024, the insurer refused to conduct an internal review, arguing that GJO had known about the conduct for well over six months. Under section 53(3)(d) of the Privacy and Personal Information Protection Act 1998, complainants must lodge their applications within six months of becoming aware of the conduct at issue.
GJO challenged that refusal, filing for administrative review on August 22, 2024. Her argument was straightforward: while she may have received claim documents over the years, she had no idea they raised privacy concerns until much later. She told the Tribunal that she only began researching privacy law in November 2023, after receiving notice that her information held by law firm HWL Ebsworth had been caught up in a data breach. It was not until late April 2024, she said, that she finally understood how the handling of her claim might have violated her rights.
Senior Member Dr Linda Kirk sided with the worker. Drawing on earlier case law, she found that awareness under the Act means more than simply receiving documents. A person must actually grasp that the conduct could amount to a privacy breach and that legal remedies exist.
The Tribunal accepted that GJO reached that understanding in late April 2024, placing her July filing comfortably within the six-month limit.
The decision does not determine whether any privacy breaches actually occurred. That question now falls to icare, which must consider the internal review application it previously declined to examine.
For insurers and claims administrators, the ruling serves as a pointed reminder: limitation periods in privacy matters hinge on what claimants actually know, not what documents happen to land in their inbox.
