Case Studies Extracted from Annual Report (July 1997 to June 1998)
View printable version of this page
Disclaimer: The summaries below have been
extracted from the 1997-1998 Annual Report of the Privacy Commissioner. They
illustrate how the Privacy Commissioner has previously resolved privacy
complaints and should not be relied on as legal advice.
Identity of provider of
public information not protected - IPP 11
The complainant had advised Centrelink of the activity of a member of their
social community alleged to be obtaining a benefit payment by fraudulent means.
The investigation of the alleged fraud included an interview with the
complainant. The complainant believed that the person conducting the interview
disclosed their identity to the alleged fraudulent party. Following the
'dob-in', threats were made against the complainant and some of their property
was damaged.
Although it was never conclusively proved that Centrelink had disclosed the
name of the complainant, Centrelink accepted that the circumstantial evidence
suggested that its staff may have made an inappropriate disclosure of personal
information in breach of IPP 11. As a consequence, the interviewer and other
staff were reminded of their responsibilities not to disclose personal
information other than in accordance with their official duties.
The issue was included in other staff training undertaken by the agency.
There was never any evidence that the property damage was related to the
disclosure, but the agency offered the complainant an apology and an amount of
$700 compensation in relation to the threats.
Disclosure to third party as a result of
incorrect address - IPPs 8 and 11
The complainant alleged that his personal information was disclosed to a
third party as a result of his address being incorrectly altered on the Child
Support Agency database. Consequently, a notice was delivered to the wrong
address and the complainant was upset that his personal details had been
disclosed to a person known to him.
The agency's investigation confirmed that the address information was not
checked for accuracy either when it was first collected or before it was used to
post out the notice. This raised two potential breaches of the Privacy Act.
Firstly, personal information was used without checking that it was accurate
(IPP 8), and secondly, personal information was disclosed to a third party in
breach of IPP 11.
The response of the Child Support Agency was to offer the complainant new
identifier information on their database. The agency also provided refresher
training to Canberra staff and established procedures to prevent a recurrence of
the breach.
Agency
disclosure of tax file number and bank accounts to a third party - TFN
The complainant's tax file number and bank account details were disclosed by
the Department of Employment, Education, Training and Youth Affairs (DEETYA) to
another person when a letter containing this information was incorrectly
inserted into correspondence being sent to another AUSTUDY student. The
investigation of the complaint by DEETYA did not adequately reveal how the error
occurred, but did suggest that there was no systemic problem in their
information handling procedures. The investigation did however determine that
there had been a breach of IPP 11 in that personal information of the
complainant was disclosed to another person.
As the disclosure involved the complainant's tax file number, there was also
a concern that DEETYA may not have complied with the Privacy Commissioner's Tax
File Number Guidelines, which require that tax file numbers be adequately
protected. However, as there was no evidence of a systemic problem, this aspect
of the complaint was not pursued. Nevertheless, even though the disclosure
appeared to be an isolated incident, DEETYA agreed to new procedures for the
checking of outgoing mail and the complainant was given an apology.
Disclosure of sexual harassment allegations -
IPPs 8 and 11
The complainant was employed for a short time as a casual employee of a
government agency. Shortly after his employment ended, another casual employee
accused him of sexual harassment. As both persons had ceased employment with the
agency, it was decided that it was inappropriate for the agency to undertake an
investigation of the allegations. Instead, the agency decided to refer the
complaint to the employment agency that had acted for both people. The
complainant was upset that the accusation of sexual harassment was disclosed to
his employment agency without it having first been raised with the complainant
himself.
This matter had been the subject of a previous investigation by the
Ombudsman's office and was resolved by way of an apology. The complainant then
asked the Privacy Commissioner to investigate the privacy aspects of the
complaint. It was decided to commence an investigation because it appeared that
the Ombudsman had dealt purely with issues of procedural fairness.
As the facts of the complaint had already been established by the Ombudsman,
it was only necessary to consider what alternative action could have been taken
by the government agency, what harm the complainant had suffered, and whether
the actions taken by the agency were reasonable. These, and some other
questions, were relevant to deciding whether the agency had disclosed personal
information about the complainant in breach of IPP 11, and whether the agency
had used the information in breach of IPP 8 by not first checking the accuracy
of the allegations.
It was decided that in the circumstances, the agency should have first put
the allegations to the complainant, before it passed them to the employment
agency. The agency apologised for not first raising the allegations with the
complainant and offered compensation of $300 to cover legal costs in relation to
the privacy issue.
Disclosure of medical information to internal
staff - IPP 10
Information that the complainant was undergoing psychiatric examination as
part of a compensation claim was provided to a number of staff within a
government agency by letter and email. IPP 10 requires that this type of
personal information is only to be used for the particular purpose for which it
was collected. As the information was collected as part of a compensation claim,
it should have only been passed to other staff who had a need to be informed,
such as the staff who were processing the compensation claim and the
complainant's supervisor. It was not necessary to pass this information onto the
complainant's colleagues as they did not need to know the actual reason for his
absence from work.
The complainant was very sensitive about this issue and was humiliated to
discover that his work colleagues knew that he had been seeing a psychiatrist.
He felt that his colleagues would assume that he was mentally unstable because
he was visiting a psychiatrist.
As the same set of facts gave rise to both the alleged privacy breach and the
exacerbation of an existing worker's compensation claim, it was not possible to
separate one claim from the other. Following negotiations between the agency and
the complainant in relation to both matters, the complainant accepted a
confidential settlement, which included the settlement of his worker's
compensation case, together with some of his legal costs.
The complainant alleged that details held by the Department of Social
Security (DSS) were disclosed to a business rival in breach of IPP 11. A letter
noting a debt to the agency was received by the business rival and an article
subsequently appeared in a newspaper, with potential detrimental effects on the
complainant's business. There was no direct evidence to show that the
information was disclosed by an officer of DSS, however the investigation of the
complaint indicated that it was most likely that the disclosure had been made by
an employee of DSS. The department provided compensation of $2,282 to the
complainant to compensate him for the disclosure. The amount of the compensation
covered the complainant's legal fees and the waiving of the debt owed by the
complainant.
Notification to
an employer of personal circumstances - IPPs 8 and 11
The complainant moved to a new position within a personal services industry
and hoped to invest in that industry. It was important to his business and his
reputation that there was no criticism of his personal life. The complainant was
paying maintenance for the support of a child and had arranged that the Child
Support Agency (CSA) would not contact his employer to arrange for deductions of
maintenance payments from his wages. He was able to do this as he had made other
arrangements to meet his maintenance obligations to the child's carer parent.
Despite these arrangements, the CSA contacted his employer to confirm his
employment details.
After the individual had complained to the CSA, an undertaking was entered
into by the CSA not to contact the employer in relation to these maintenance
payments. Subsequent contact was made by the agency with the employer in
contravention of this undertaking, resulting in the release of information about
the complainant's personal circumstances to the employer.
This complaint raise two potential breaches of the Privacy Act. Firstly,
there was a possible breach of IPP 8 in that information was used without first
checking that it was up to date and accurate (i.e. information relating to the
complainant's obligations to pay maintenance). Secondly, information about the
complainant was disclosed in possible breach of IPP 11.
The agency acknowledged the breach of the undertaking, and paid compensation
of $2,000.
Bank discloses personal credit
information to wrong individual - s.18N
The complainant alleged that his credit provider disclosed personal credit
worthiness information to his father via a telephone conversation. The credit
provider revealed to the father that his son had a delinquent personal loan
account. The son, however, no longer resided at that address. Section 18N of the
Privacy Act does not permit a credit provider to disclose credit information to
a third party except in certain circumstances. The father was not a party to the
loan agreement and therefore did not have a right to receive this information.
The bank accepted that this was an unauthorised release of the individual's
information, and $2,000 in compensation was offered by the bank for any
humiliation and embarrassment suffered by the complainant. The bank also
recognised the need to confirm the identity of the relevant individual, by
checking the full name, and/or the date of birth, before disclosing personal
credit worthiness information.
Disclosure of personal credit information to
ex-spouse - s.18N
The complainant had a loan account with a credit provider who was also the
employer of his ex-spouse. The complainant alleged that his personal credit
worthiness information was disclosed to his ex-spouse when the credit provider
refused to make an employment termination payment to the ex-spouse until all
outstanding debts owed by the complainant had been paid.
The disclosure of the complainant's debt information to his ex-spouse was
unauthorised under s.18N of the Privacy Act. The credit provider issued the
complainant with a formal apology and paid him $2,500 compensation.
Unauthorised
access by a credit provider of personal credit worthiness information -
s.18E
The credit provider, in assessing an application for an individual, had
wrongly accessed the complainant's consumer credit information held by a credit
reporting agency. The individual and the complainant shared identical first name
and surname as well as date of birth. This resulted in a credit application
enquiry being incorrectly reported by the credit provider on the complainant's
consumer credit information file. The recorded credit enquiry had the potential
of affecting the complainant's credit standing and ability to obtain credit from
a credit provider.
The credit provider admitted that there was an error, and that it had
incorrectly placed the relevant credit application enquiry on the complainant's
personal credit information file in breach of s.18E of the Privacy Act. The
credit provider issued the complainant with a formal apology and took corrective
action to remove the offending record.
Telecommunications provider lists commercial
credit default on a consumer credit information file - s.18E
The complainant alleged that an account which was opened with a
telecommunications provider for commercial purposes was listed as overdue on the
complainant's consumer credit information file held by a credit reporting
agency. Although banks, building societies and finance companies are clearly
credit providers, many ordinary businesses are also deemed to be credit
providers. For example, a telecommunications provider (as in this complaint) can
be a credit provider where it allows customers to pay their telephone bill at
the end of a three month period. In this situation, the customer is being given
three months credit by the phone company.
Investigation of the complaint revealed that the account was primarily used
for business purposes which meant that it was a commercial account.
Consequently, any resulting default on the account could only be listed on the
commercial file and could not be listed on the consumer credit information file.
Such a listing would be in breach of s.18E of the Privacy Act, which lists the
permitted contents of a credit information file held by a credit reporting
agency.
The credit provider accepted that this was an inappropriate listing of the
overdue account with the credit reporting agency. There was evidence to support
the complainant's contention that they had been denied credit as a result of the
inappropriate listing. In this regard, the credit provider removed the offending
default listing, issued a formal apology, and paid $3,500 in compensation for
any financial loss, hurt or embarrassment suffered by the complainant.
Listing of credit default
by public utility - s.18E(8)(c)
The complainant alleged that a public utility had listed a credit default
against his consumer credit information file held by a credit reporting agency.
The public utility did not notify the individual that they would be listed with
a credit reporting agency.
The public utility was considered to be a credit provider for the purposes of
the Privacy Act because it allowed its customers to pay their accounts at the
end of three months, thus extending credit to the customers. The public utility
failed to notify the complainant that it intended to list him with a credit
reporting agency, as is required by s.18E(8)(c) of the Privacy Act, before it
advised the agency that he was in default on his account. The public utility
responded to the complaint by removing the default listing and apologising to
the complainant.
|
HOME > Federal Privacy Law > Case Studies Extracted from Annual Report (July 1997 to June 1998)
