Privacy Case Notes 7 – 11 for 2009

The Privacy Commissioner has issued 5 new case notes:


In Own Motion Investigation v Airline [2009] PrivCmrA 7 the Privacy Commissioner investigated a report that an airline had failed to protect its passengers’ privacy. An individual had accessed the airline’s online flight check-in system using their personal booking number and flight number. When they entered this information the personal information of two other airline passengers was allegedly shown on the screen.


On investigation, the Commissioner found that, as the airline already had security processes in place and the code problem which led to the disclosure was remedied soon after the airline was notified of the error, the steps taken to respond to the error were adequate.


In F v Medical Specialist [2009] PrivCmrA 8, the complainant had approached a medical clinic specifically seeking treatment from a consultant. The consultant refused to treat the complainant, citing ethical and therapeutic reasons. The consultant then advised the clinic manager of the complainant’s need for treatment, the consultant’s personal refusal to treat the complainant and the reasons for this refusal.


The Commissioner formed the view that in the circumstances described, the disclosure of the complainant’s personal information to the clinic manager was both directly related to the purpose for which the information was collected, and was within the complainant’s reasonable expectations. The complaint was closed.


In G v Counselling Service [2009] PrivCmrA 9, the complainant complained that a counselling service had disclosed the content of their counselling sessions to their employer, that it did not inform the complainant that it would make such a disclosure, and that it had failed to keep the notes of the counselling sessions safe and secure.


The Commissioner formed the view that the complainant’s information had not been disclosed. The Commissioner also considered the service’s practices and formed the view that, although it had misplaced one page of the complainant’s notes, it had reasonable steps in place to protect client information.


In H v Telecommunications Company [2009] PrivCmrA 10 the complainant complained about a credit report default listing in relation to an overdue mobile phone account which had been paid. The complaint was closed after investigation showed the default listing was properly made.


In I v Insurance Company [2009] PrivCmrA 11, the complainant alleged that their insurance company had inappropriately disclosed a copy of a letter regarding their claim to the repairer. The Commissioner found that the primary purpose of collection of the information was to process the complainant’s insurance claim. The Commissioner accepted that the insurance company disclosed the information to the repairer for a related secondary purpose which was to investigate the complaint about the service that had been provided.


However, the Commissioner did not accept that the complainant would have expected that a full copy of their letter, including the statements made about the repairer, would be disclosed directly to the repairer.


The Commissioner did not consider that the disclosure of the complainant’s letter was permitted by NPP 2.1(a) and formed the view that the insurance company had interfered with the complainant’s privacy.


The insurance company apologised to the complainant and agreed to amend its staff training program to incorporate the handling of personal information collected in relation to customer complaints.

 
