Privacy case notes 9-24 of 2010

The OAIC has released 16 new case notes on Privacy Act complaints.

Here’s a summary:

H v Health Service Provider [2010] PrivCmrA 9: The Commissioner dismissed a complaint that a sale of a health clinic and transfer of files breached the National Privacy Principles.

I v Commonwealth Agency [2010] PrivCmrA 10: The Commissioner was satisfied that the complainant, in having the MP’s office make representations on their behalf, impliedly consented to the disclosure of their personal information by the agency to the MP’s office.

J v Credit Reporting Agency [2010] PrivCmrA 11: The complainant complained that their credit file was inaccurate because it included information contained on a credit file under a different name. The credit reporting agency had combined the two files because of some common identity details. However, the common features were not significant and the credit reporting agency acknowledged that the credit files should not have been combined. As required by the Credit Reporting Code of Conduct, the credit reporting agency removed the inaccurate information, provided the complainant with a copy of their amended credit file and offered to write to any credit provider that had accessed their file in the last three months to inform them of the amendments made. The Commissioner treated the complaint as resolved.

Own Motion Investigation v Airline [2010] PrivCmrA 12: The Commissioner commenced an investigation when an individual received an email from the airline, which contained another traveller’s itinerary. The details disclosed were the other traveller’s name, address, financial information, flight details and the full name and address of a third individual who booked the flight. The airline’s IT department found that due to an overload of its server, data from one customer was populated in an itinerary intended for another customer. As a result of this incident, the airline introduced new protections to improve IT security: new servers and the regular ‘flushing’ of the database logs to allow more space on the database; a new testing process in which a test email would be sent to the IT department every hour and the IT department would verify the contents of the outgoing email; and a periodic review of the flight itinerary program.

K v Commonwealth Agency [2010] PrivCmrA 13: The agency investigated a complaint and came to the view that it had improperly disclosed the complainant’s personal information to their former partner. To resolve the complaint, the agency made a written apology to the complainant for the improper disclosure of the personal information, provided training to the employee involved in the disclosure and offered monetary compensation to the complainant for non-economic loss. In the absence of further evidence of loss, the Commissioner dismissed the complaint that the compensation was not adequate.

L v Commonwealth Agency [2010] PrivCmrA 14: The complainant had complained publicly about the agency’s handling of their application. The agency received several enquiries from the media about the issues and disclosed the complainant’s personal information in responding to those enquiries. A journalist included that information in an article. The information provided by the agency was confined to responding to the issues raised publicly by the complainant. The complainant alleged that the agency improperly disclosed their personal information to the journalist. The Commissioner considered that the complainant was reasonably likely to have been aware that the agency may respond, in the way it did, to the issues raised. Therefore, the Commissioner took a preliminary view that IPP 11.1(a) permitted that disclosure.

M v Body Corporate [2010] PrivCmrA 15: The complainant complained that the body corporate had listed their residential address instead of their post office box as their mailing address. Although addressing the mail to the residential address was a use of inaccurate information under NPP 3, the Commissioner concluded that it was a one-off error which did not suggest that the body corporate had not taken reasonable steps to protect the individual’s personal information.

Own Motion Investigation v Telecommunications Company [2010] PrivCmrA 16: A telecommunications company allowed individuals to access their mobile phone account information by calling a 1800 number, following the voice prompts and keying in the relevant mobile phone number. In response to the Commissioner’s view that it was not adequately protecting personal information, the company made various changes, including that its system would now only authenticate and process the incoming call when the calling number was the number of the account.

N v Restaurant [2010] PrivCmrA 17: The complainant applied for a job at a restaurant while employed at another local restaurant. The complainant alleged the restaurant disclosed their personal information to their current employer by mentioning at a social function that a member of its staff had applied for a position at the respondent restaurant. The complainant was not mentioned by name. However, because the current employer telephoned the complainant that night to verify the information, the complainant considered the employer had identified them from the information disclosed by the respondent. The matter was closed after the respondent apologised for any distress its actions caused. It also reviewed and improved its recruitment information handling procedures.

O v Financial Institution [2010] PrivCmrA 18: The complaint related to a financial institution disclosing details of a cheque paid into the person’s account to the complainant’s former partner. Even though the former partner was a joint payee of the cheque, the financial institution should have referred the query to the drawer of the cheque. The respondent agreed to issue a written apology to the complainant; conduct an analysis of the complainant’s accounts across a specified timeframe to reassure the complainant that no other unauthorised disclosures had occurred; and counsel the staff member who had dealt with the former partner’s enquiry. The respondent also paid compensation to the complainant.

P v Insurer [2010] PrivCmrA 19: The complainant complained to the Commissioner when the insurer refused to remove listings relating to her former partner from her personal insurance policy file. As a result of the investigation, the insurer contacted the principal insured, who confirmed that the complainant had separated from them over ten years ago but they had not removed the complainant from the insurance policy. Consequently, the insurer removed the claims from their individual insurance file to comply with its obligations under NPP 6.5. The complainant was satisfied with this action.

Q v Law Firm [2010] PrivCmrA 20: The Commissioner did not pursue a complaint by a client against his law firm after deciding that its disclosure of client information to an investigatory agency was authorised by the National Privacy Principles.

R v Retailer [2010] PrivCmrA 21: The complainant alleged the retail company had inappropriately disclosed their personal information to a third party insurer so that it could offer an extended warranty. The retailer agreed to change its procedures so that staff specifically referred customers to its privacy policy when collecting customer information. It also agreed to retrain staff about the content of its privacy policy.

S v Debt Collector [2010] PrivCmrA 22: An individual complained that a debt collector listed a payment default on their consumer credit information file with a credit reporting agency which did not relate to them. In response to the Commissioner’s inquiries, the debt collector initially denied the complaint but on investigation found that the default listing had been updated after the initial listing, significantly increasing the amount of the default and the increased amount had been incorrectly referenced from an unrelated account. The debt collector acknowledged it was in error and said it wished to resolve the matter. The complainant provided evidence indicating that the payment default had prevented them from attaining a significant loan and had led to the loss of a deposit on a major asset. The respondent agreed to compensate the individual and remove the default.

T v Investment Services Provider [2010] PrivCmrA 23: The Commissioner rejected a complaint that an investment service provider which was being investigated by an enforcement body in relation to an investment by the complainant had improperly disclosed to the enforcement agency the fact that the principal investigator for the enforcement body was a close relative of the complainant. The Commissioner decided that the disclosure was authorised.

Own Motion Investigation v Information Technology Company [2010] PrivCmrA 24: The Commissioner’s own motion investigation into the activities of the information technology company in relation to its collecting of geographical location data about mobile phone customers who used its location-based services revealed that the information technology company was not collecting personal information. Instead, when the information technology company received a customer request for data about their current location from a mobile device, it collected information about nearby cell towers and Wi-Fi access points, and then sent this information back to the customer’s device. The customer’s device then used this information to determine the customer’s exact location. Neither the exact location of the device nor identifying information about the customer was sent back to the information technology company.

 
