2007 - Complaint Case Note 20

	Federal Privacy Law
		Privacy Act
		Privacy Act Regulations
		Public Interest Determinations
		Guidelines
		Complaint Case Notes & Determinations
		Audits
		Information Privacy Principles
		National Privacy Principles
		Private Sector Codes and Opt-in Registers
		Credit Reporting
		Health
		Telecommunications
		Tax File Numbers
		Spent Convictions
		Data-matching
		Privacy Advisory Committee
		Private Sector Review 2005
		ALRC Privacy Inquiry 2006 - 08
		Privacy Law History
	SPECIFIC PRIVACY INFORMATION FOR:
		Individuals
		Business
		Health
		Government

		Federal Privacy Law
		About the Office
		Frequently Asked Questions
		IT and Internet Issues
		Media and Speeches
		Publications
		Privacy Links
		International
		Contact us

2007 - Complaint Case Note 20

View printable version of this page

PDF, Word

Case Citation:

R v Retailer [2007] PrivCmrA 20

Subject Heading:

Accuracy and currency of personal information

Law:

National Privacy Principles 2.1, 3 and 4.2 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

The complainant was charged by police with an offence against a retailer but was not convicted. Subsequently, the complainant's name was placed on a database of individuals suspected of committing offences against the retailer. The database was a loss prevention database and was intended to record information related to actual or suspected fraudulent activity as a means of protecting the retailer's assets.

The complainant asked for access to the database, then requested that their personal information be removed from the database. The retailer granted access to the personal information, but refused to remove it from their database. The complainant considered the inclusion of their personal information inappropriate and complained to the Privacy Commissioner.

Issues:

National Privacy Principle 2.1 provides that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of the collection unless an exception in National Privacy Principle 2.1(a) - (h) applies.

National Privacy Principle 3 provides that an organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

National Privacy Principle 4.2 provides that an organisation must take reasonable steps to destroy or de-identify personal information if it is no longer needed for any purpose under National Privacy Principle 2.

Outcome:

The Privacy Commissioner investigated the matter under section 40(1) of the Privacy Act.

During the course of the investigation it became clear that the complainant's personal information was collected by the retailer well before 2001.

Although the collection, accuracy, use and disclosure of the complainant's personal information were issues the Commissioner wished to address, this was not possible. Amendments to the Privacy Act affecting the collection of personal information by private sector organisations came into effect on 21 December 2001 and could not be applied retrospectively.

The retailer informed the Commissioner that the database record did exist prior to 21 December 2001, but had not been altered or accessed - aside from granting the complainant access - since its creation. Consequently, it had not been used or disclosed since 21 December 2001 and this meant that the disclosure and accuracy provisions did not apply after 21 December either.

Nonetheless, the retailer accepted that the passing of time could affect how up-to-date personal information contained in the database was considered. As part of an update of the retailer's loss prevention system, the retailer was already replacing the existing database system. The retailer took the additional step of removing the complainant's record from their database records.

Satisfied that the retailer had responded adequately to the complaint, the Commissioner closed the matter under section 41(2)(a) of the Privacy Act.

OFFICE OF THE PRIVACY COMMISSIONER

June 2007