Case Studies Extracted from Annual Report (July 1998 to June 1999)
Disclaimer: The summaries below have been
extracted from the 1998-1999 Annual Report of the Privacy Commissioner. They
illustrate how the Privacy Commissioner has previously resolved privacy
complaints and should not be relied on as legal advice.
Access to documents stored on work computer - IPP 11
The complainant was a full-time employee of a government agency and engaged
in part-time work with another government agency while also a party to a legal
action involving considerable time and energy. Documents relating to the legal
action were composed and stored by the complainant on her work computer.
Documents relating to her part-time work were also stored on the same computer.
Her employer queried her absences from work and the complainant then lodged a
workers' compensation claim. The claim was passed to Comcare for assessment and,
at Comcare's request, the agency provided copies of documents held on the work
computer. These contained intimate information concerning the complainant's
health, the birth of her child, and information about third parties related to
her part-time job.
The case raised a number of legal issues:
(i) whether Comcare was legally entitled to request the information held on her
work computer;
(ii) whether the Privacy Act permitted her employer to disclose those documents
to Comcare; and
(iii) whether her employer had a right to access the non-work-related documents on
her work computer and, in particular, whether those documents were covered by
legal professional privilege.
In relation to (i) and (ii), the request by Comcare for a copy of documents
held on the computer was valid and made in accordance with the relevant
legislation, the Safety, Rehabilitation and Compensation Act 1988. That
Act requires the employer to comply with such a request and the disclosure to
Comcare was therefore permissible under IPP 11.1(d).
In relation to (iii), where a person composes and stores personal information
on a computer owned by a third party, in this case the employer, the owner has
the right of access to the machine and the information stored on it. Legal
professional privilege does not apply as the information relating to the legal
cases of others was stored on the employer's computer and no claim for privilege
had been made prior to the disclosure.
The Privacy Commissioner concluded that there had been no breach of the
complainant's privacy.
Vexatious complaint as means of pursuing personal grievance
The complainant alleged that, in order to harass him, his former partner had
accessed his taxation records as well as those of his current partner and other
friends. The complainant also alleged that his former partner had conducted an
audit on his friends' business without advising the agency of any potential
conflict of interest.
The relevant privacy issues are unauthorised access to the complainant's records,
security of record keeping, and unauthorised use of personal information.
Investigation by the agency and checking of computer audit trails showed that
the former partner had not accessed the complainant's records. The audit trails
also showed there was no access to the records of the complainant's current
partner or those of his friends. The former partner had conducted the audit of
the friends' business at their request though without official
authorisation.
The complainant appeared to be trying to use the Privacy Act to harass his
former partner. There was no breach of privacy and the complaint was dismissed
as vexatious. In relation to the audit of the friends' business, however, the
agency counselled the former partner about propriety and conflict of interest
issues.
Disclosure of financial information to supervisor and health information to a foreign government agency - IPP 11
The complainant was employed by one Commonwealth agency ('the employing
agency') and was required to travel overseas to arrange for the taking of
evidence in a smuggling case mounted on behalf of another agency ('the client
agency').
As the complainant could not himself appear in the foreign court, a private
law firm was engaged to appear for the employing agency. The client agency had
provided the complainant with traveller's cheques for use overseas and, on the
complainant's return from overseas, questioned the way he had used them. As part
of its inquiry, the client agency disclosed personal information about the
complainant to the employing agency. The complainant subsequently lodged a
stress-related compensation claim and the foreign law firm was advised that he
would not be involved further in the case due to ill-health.
The privacy issues raised were:
- whether the Privacy Act permits the client agency to disclose to the
employing agency personal information relating to the enquiry into the use of
the traveller's cheques; and
- whether the employing agency was permitted to disclose information relating
to the complainant's health to the law firm engaged to appear on its behalf.
In relation to both issues, IPP 11.1(a) permits the disclosure of personal
information where the individual concerned is reasonably likely to be aware that
the disclosure would be made. The enquiry into the propriety of the handling of
the traveller's cheques was disclosed to the employing agency in order to
account for the use of the traveller's cheques and was regarded as a routine
accountability measure that the complainant should have been aware might be
taken. The notification to the law firm of the fact that the complainant would
not be engaged further on the case due to ill-health did not involve the
provision of any medical or further personal information and was seen as a usual
professional courtesy.
Alleged disclosure by employing agency
The complainant was concerned about a possible disclosure of personal
information from her employer to Telstra. She had received a promotional letter
from Telstra that was addressed to her at her place of work and stated her
position at work.
The Office contacted Telstra and was advised that all of Telstra's name and
address information for mail-outs came from a national list broker. The list
broker was contacted and advised that the information was obtained from the
complainant during a conference she had attended. The conference organiser had
provided the information to the list broker.
The list broker offered to remove the complainant's name from its database.
The complainant accepted this offer. The complainant was advised, however, that
Telstra, the list broker and the conference organiser were not subject to the
Privacy Act in relation to such disclosures and that her complaint did not fall
within the scope of the Act. Accordingly, the Privacy Commissioner did not
formally investigate the complaint.
Disclosure of consumer credit information to an employer - s. 18N
The complainant was concerned that a credit provider had disclosed credit
information to his employer without his knowledge or consent. The complainant
had fallen behind on his loan repayments. An employee of the credit provider
attempted to contact him at work to discuss the matter. The complainant's
employer answered the telephone and asked why the credit provider wished to
speak to him. The credit provider's employee informed the employer that the
complainant had fallen behind on his loan repayments. As a consequence, the
complainant was disciplined by his employer for his failure to adequately manage
his financial affairs.
Section 18N of the Privacy Act limits the circumstances in which credit
providers are permitted to disclose consumer credit information about
individuals. The credit provider acknowledged that in this case information
about the complainant's credit status had been unlawfully disclosed. The credit
provider apologised to the complainant, paid him $1,800 by way of compensation
and undertook to ensure that all staff are made aware of the proper procedures
for the disclosure of credit information.
Unlawful access to a credit reporting agency - s. 18L
The complainant was concerned that a credit provider had accessed his credit
information file held by a credit reporting agency even though he had never
applied for credit with that credit provider.
The complainant's wife had applied for credit with that credit
provider. The application form sought information about the complainant as well
as his wife, who was actually making the application. The complainant had agreed
to supply his personal information to the credit provider in that context but at
no stage was he interested in applying for credit nor was he notified that his
personal information would be disclosed to a credit reporting agency for the
purpose of processing his wife's credit application.
Section 18L of the Privacy Act sets out the circumstances in which credit
providers are permitted to access and use consumer credit reports. None of the
permitted circumstances applied in this case. The credit provider agreed that it
had breached s.18L, took steps to delete the record of the enquiry from the
complainant's credit information file and sent him a written apology.
Unauthorised use of consumer credit information by an employee of a credit provider
The complainant alleged that his ex-spouse, an employee of a credit provider,
had accessed and disclosed his consumer credit information without his knowledge
or consent. The complainant and his ex-spouse were going through divorce
proceedings in the courts. It was alleged that the ex-spouse had provided her
solicitor with information about the complainant's financial position by
accessing his credit information held by the credit provider.
The credit provider could not provide conclusive evidence to suggest that the
ex-spouse had accessed and disclosed the complainant's account records. However,
on the balance of probability it appeared that the complainant's account
information had been used by the credit provider's employee contrary to the
provisions of the Privacy Act. No formal determination was made but the credit
provider agreed to settle this matter by sending the complainant a written
apology and paying him $1000.
Improper reporting of an overdue account - s. 18E(8)(c)
The complainant alleged that his account was not overdue at the time the
credit provider reported him as overdue to a credit reporting agency.
The complainant had an eighteen-month mobile telephone contract. After the
eighteen months had expired the complainant decided to terminate the contract
but the credit provider continued to charge him monthly access fees. The
complainant contacted the credit provider and informed them that he had
terminated the contract and that he would not pay the monthly fees outstanding.
The credit provider then informed the credit reporting agency that the account
was overdue.
Before a credit provider can notify a credit reporting agency that a payment
is overdue, it must have fulfilled the relevant requirements of s.18E(8)(c) of
the Privacy Act, which requires the credit provider to notify the individual
that his or her consumer credit information may be disclosed to a credit
reporting agency. Additionally, paragraph 2.7 of the Credit Reporting Code of
Conduct (issued by the Privacy Commissioner under s.18A of the Privacy Act)
requires that sixty days must have elapsed since the day on which the payment
was due and payable, and that the credit provider must have written to the
individual at his or her last known address advising of the overdue payment and
requesting payment.
The credit provider acknowledged that its actions in reporting the overdue
account did not comply with the requirements of the Privacy Act. The credit
provider agreed to remove the overdue listing and sent the complainant a written
apology.
Consumer or commercial credit?
The complainant alleged that the respondent bank disclosed details of loans
secured over a number of properties to other parties who had an interest in the
properties.
Properties held by the complainant and the other parties were in dispute
between them when the bank threatened to foreclose on the loans. During the
dispute, information about the loans was obtained by the brother of the
complainant and used in legal actions related to the properties. The complainant
alleged that the disclosure had breached the Privacy Act.
The issue was whether the loan was for consumer or commercial purposes: the
Privacy Act covers only consumer, not commercial, credit information.
Documentation showed the complainant used the properties for commercial purposes
and offered them as collateral for commercial loans. There was no breach of the
Act.
Inaccurate default listing
The complainant applied for a loan with a credit provider and was
subsequently sent a letter stating that his application was unsuccessful due to
a credit report held by a credit reporting agency which indicated that a default
had been listed against the complainant by a bank. The default related to an
amount of $5,240. The complainant denied that he had ever dealt with the bank.
The complainant then contacted the bank and, after extensive efforts, obtained a
letter stating that he was not, and never had been, a customer of the bank. The
credit reporting agency conducted an investigation and, as it appeared the
listing had been made incorrectly, removed the listing. The complainant then
requested compensation from the credit reference agency for time and cost of
telephone calls to the bank. The credit reporting agency refused to accommodate
the complainant's request for compensation. The complainant then complained to
the Privacy Commissioner.
The Office of the Privacy Commissioner approached the bank and advised that
the complainant had requested $65 in compensation for loss of productive time
and the cost of telephone calls. The bank was unable to determine why the
listing had originally been made. It also confirmed that the listing had been
removed. It stated that, as a gesture of goodwill, it would compensate the
complainant for the amount requested.