The Privacy Commissioner, Karen Curtis, has released four case
notes relating to personal information handled by a law firm, banking
institution, health service provider and a credit provider:
-
T v Law Firm [2006] PrivCmrA 19,
involved a law firm that was handling two separate insurance-related
cases relating to the one person (the complainant). The complainant
alleged that the law firm had disclosed information about the
complainant that it had obtained from the client for the first case to
the client for the second case, to support the latter’s unrelated case
against the complainant.The law firm admitted
that it had used the information in this way.The Commissioner took the view that the use of the
information in this instance was not a necessary part of an
investigation of the complainant’s suspected unlawful activity and, as
such, the law firm had breached NPP 2 by using and disclosing the
complainant’s personal information. The complainant received an apology
from the law firm together with an amount of compensation. -
In U v Banking Institution [2006] PrivCmrA 20,
the complainant and their spouse had entered into a loan with a banking
institution. After moving addresses, the couple contacted the
institution to update their details. However, the banking institution
sent the next statement addressed to one of them (the complainant) at
their old address. The complainant and their spouse telephoned the
banking institution on several occasions, alerting them to their
updated contact details. Despite this, some months later the banking
institution sent loan default notices to the old address, with the word
‘default’ visible through the plastic window of the envelope.The complainant complained to the banking institution about the
incorrect address and the embarrassment they claimed had resulted from
the word ‘default’ being visible to third parties, and received both a
verbal and written apology. Dissatisfied with the handling of their
complaint, the complainant wrote to the Privacy Commissioner. The
Commissioner found that a failure by the banking institution to update
the contact details was a breach of NPP 3.Regarding the word ‘default’, the Commissioner accepted the banking
institution’s assertion that its external mailing house had incorrectly
folded the letter and that this would not recur. -
In V v Health Service Provider [2006] PrivCmrA 21,
a parent complained to a health service provider on behalf of their
teenage child at the provider’s loss of the child’s medical records.The Commissioner investigated to establish whether the provider had
breached NPP 4.1, which requires an organisation to take reasonable
steps to protect personal information it holds from loss. The
Commissioner concluded that the provider’s file management policy was
reasonable and that the loss of the file was the result of human error,
not of a systematic procedural problem. The Commissioner also noted
that the provider had made a significant effort to locate the record
and then to reconstruct the record. As a result, the Commissioner
formed the view that the provider had adequately dealt with the
complaint. -
In W v Credit Provider [2006] PrivCmrA 22,
a credit provider had listed a ‘serious credit infringement’ on the
complainant’s consumer credit information file in relation to a loan.
In accordance with its then record retention policy for a serious
credit infringement, the credit reporting agency removed the listing
after five years. However, the complainant subsequently discovered that
the credit provider had re-listed the infringement on the file.The complainant was dissatisfied with the response they had received
from the credit provider after complaining about the matter and lodged
a complaint with the Privacy Commissioner. The credit provider asserted
that, at the time of the second listing, the previous listing did not
appear on the complainant’s file. However, evidence disproved this. The
respondent also suggested that the second listing was for a different
reason: the first had been for a failure by the complainant to comply
with their credit obligations; the second was due to possible fraud.The Commissioner took the view that any subsequent refusal to fulfil
credit obligations after the first listing formed part of the same
infringement and that no evidence had been provided supporting the
claim that the second listing was made due to the complainant having
committed fraud. For these reasons, the Commissioner found that the
credit provider had breached section 18E(1)(b)(x) of the Privacy Act,
which allows credit providers to only make one serious credit
infringement listing in relation to the same infringement.The credit provider advised the Commissioner that it had changed its
procedures for listing infringements. The Commissioner was satisfied
with these actions and, as the complainant did not substantiate their
claim for compensation, the Commissioner closed the complaint.
