The Acting Australian Information Commissioner has published four privacy decisions relating to unauthorised disclosure of personal information to third parties, two relating to a telco retailer and two relating to an insurer.
All decisions found claims in favour of the complainant: the damages for non-economic loss awarded ranged from $2,000 to $3,500.
NRMA Insurance claims
In ‘IQ’ and NRMA Insurance [2016] AICmr 36 the Commissioner decided that NRMA Insurance (NRMA) interfered with the complainant’s privacy by disclosing his personal information to third parties, in breach of National Privacy Principle (NPP) 2.1 under the Privacy Act 1988 (Cth).
NRMA was ordered to apologise to the complainant and pay the complainant $2,000 for non-economic loss caused by the interference with the complainant’s privacy.
The Commissioner also recommended that NRMA review its staff training procedures in respect of its information handling policies, having specific regard to the handling of enquiries made by family members.
The relevant facts were:
- The complainant held a number of insurance policies with NRMA.
- The complainant’s spouse attended an NRMA office to inquire about compulsory third party (CTP) and comprehensive motor insurance for her car. She was accompanied by the complainant’s daughter.
- The complainant alleged that an NRMA staff member accessed the complainant’s records and discussed details of the complainant’s vehicle insurance policies with his spouse.
- The complainant also alleged that the NRMA staff member turned their computer monitor around so that it was visible to the spouse, daughter and other customers, and in the process disclosed details of the complainant’s motor policies.
- The complainant stated that the information disclosed was not connected to any policy which was jointly insured with his spouse or daughter.
- He also stated that his spouse and daughter were not asked for any form of proof of identification before his personal information was disclosed.
In response NRMA confirmed that the disclosure likely took place, but disputed the complainant’s allegation that reasonable steps were not taken to verify the identity of the spouse. NRMA admitted to the practice of turning monitors around so the screens are visible to customers to assist them in understanding the information which it holds about them. It claimed that this practice is only undertaken after a three-point identification check and would not be done if the screen provided unauthorised access to other customers or members of the public. NRMA claimed that its staff are trained to ensure adequate care is taken when sharing computer screens with customers.
In this case, there was no information to suggest that third parties, other than the complainant’s spouse and daughter, were in a position to access the complainant’s personal information on screen.
The Commissioner accepted that NRMA had training in place to make staff aware of what they must consider when providing customers with access to the monitor screens and that this practice is a reasonable step by NRMA to secure the personal information it holds.
In ‘IR’ and NRMA Insurance [2016] AICmr 37 the Commissioner decided that NRMA interfered with the complainant’s privacy by disclosing her personal information to third parties in relation to its practice of issuing certificates of insurance that set out details of all insured assets owned by the policy holder who has the most eligible policies and longest relationship with NRMA.
The Commissioner decided NRMA was in breach of Australian Privacy Principles (APP) 6 and 11 under the Privacy Act.
NRMA was ordered to apologise to the complainant and:
- remove from certificates of insurance issued to the complainant and any joint policy holder, information about the complainant’s assets (i.e. policy description and number) that are not directly related to the issued policy
- pay the complainant $3,000 for non-economic loss caused by the interference with the complainant’s privacy.
In relation to its practice of issuing certificates of insurance that set out details of all insured assets owned by the policy holder who has the most eligible policies and longest relationship with NRMA, NRMA was ordered to develop revised information guides for customers, which outline in detail the type of personal information that will be disclosed on certificates of insurance.
The relevant facts were:
- The complainant held a home building insurance policy with the respondent NRMA. The policy was held jointly with another individual (Ms X).
- The complainant also held a number of other policies with NRMA, separate to the home building insurance policy held with Ms X. Those other policies were jointly held with the complainant’s husband.
- The complainant received a Certificate of Insurance Home Building Renewal which contained details of all the complainant’s assets insured with NRMA, including assets not related to the policy with Ms X.
- The complainant realised that when Ms X received a copy of the Certificate of Insurance she would obtain a detailed list of all the complainant’s other assets insured with NRMA, which did not relate to the jointly held home building insurance policy.
Subsequent to the complainant’s complaint, NRMA updated the format of its Certificates of Insurance to reduce the level of detail in the description column. The complainant was dissatisfied with the amended format, claiming that her privacy continued to be interfered with.
The Commissioner decided that there is no information which suggests that Ms X would be able to use the asset descriptions and policy numbers of other listed policies to identify whether or not those other policies were held solely or jointly by the complainant, and if jointly held, that the joint policy holder was the complainant’s husband.
NRMA confirmed that Ms X would not be able to obtain any further information about the complainant’s other listed policies, other than the information already provided on the Certificate of Insurance. Accordingly, the Commissioner was of the view that the details of the policies listed on the Certificate do not constitute the personal information of the complainant’s husband and that there had not been an interference with the privacy of the complainant’s husband.
NRMA did not dispute that it disclosed the complainant’s personal information to Ms X, but stated that it notified customers that certificates of insurance will show a list of the policies that have contributed to their loyalty discount.
However, NRMA did not explain why personal information that contributes to the loyalty discount offered to joint holders, but that is otherwise unrelated to the policy being issued, is disclosed to the joint policy holder who has no connection with the information. The Commissioner concluded that the loyalty discount scheme benefits are linked to the number of policies any particular customer may have with NRMA, and that there is no information to suggest that the type of car someone owns, or the suburbs in which owned properties might sit, has an effect on how much discount a customer might receive under the discount scheme.
The Commissioner decided that NRMA had failed to comply with APP 11 by not taking reasonable steps (those steps being, not least, the provision of notice to the complainant) to protect the complainant’s personal information from misuse, or unauthorised access or disclosure.
TeleChoice
In ‘IX’ and Business Services Brokers Pty Ltd t/a TeleChoice [2016] AICmr 42 and ‘IY’ and Business Services Brokers Pty Ltd t/a TeleChoice [2016] AICmr 44, both TeleChoice complaints arose out of circumstances where Channel 9 aired a story on its ‘A Current Affair’ (ACA) program about the alleged abandonment of TeleChoice customer information, which had been discovered in open shipping containers, apparently accessible to members of the public, in bushland in Hastings, Victoria.
The broadcast showed at various times footage of an open shipping container with a large mound of paper files spilling out from the container’s entrance onto the ground. In the footage there are two shots of a manila folder on which the name of one of the complainants is visible to the viewing public.
That complainant stated that she was alerted to the incident and the disclosure of her name on television by her brother-in-law who had been watching the program.
In the other case the complainant was contacted by a journalist before the story was broadcast.
TeleChoice provided the Office of the Australian Information Commissioner (OAIC) with a voluntary data breach notification about the privacy incident and subsequently offered an enforceable undertaking under s 33E of the Privacy Act to address the incident and prevent similar incidents occurring in the future.
In each case the Commissioner concluded that TeleChoice interfered with the complainant’s privacy by:
- not taking reasonable steps to protect their personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, in breach of Australian Privacy Principle (APP) 11.1 under the Privacy Act; and
- not taking reasonable steps to destroy or de-identify the complainant’s personal information which it no longer needed for any purpose for which it could have been used or disclosed, in breach of APP 11.2.
TeleChoice was ordered to apologise to each complainant and pay each complainant $3,500 for non-economic loss caused by the interference with the complainant’s privacy.