2007 - Complaint Case Note 27

	Federal Privacy Law
		Privacy Act
		Privacy Act Regulations
		Public Interest Determinations
		Guidelines
		Complaint Case Notes & Determinations
		Audits
		Information Privacy Principles
		National Privacy Principles
		Private Sector Codes and Opt-in Registers
		Credit Reporting
		Health
		Telecommunications
		Tax File Numbers
		Spent Convictions
		Data-matching
		Privacy Advisory Committee
		Private Sector Review 2005
		ALRC Privacy Inquiry 2006 - 08
		Privacy Law History
	SPECIFIC PRIVACY INFORMATION FOR:
		Individuals
		Business
		Health
		Government

		Federal Privacy Law
		About the Office
		Frequently Asked Questions
		IT and Internet Issues
		Media and Speeches
		Publications
		Privacy Links
		International
		Contact us

2007 - Complaint Case Note 27

View printable version of this page

PDF, Word

Case Citation:

Y v Ticketing Company [2007] PrivCmrA 27

Subject Heading:

Security of personal credit card information

Law:

National Privacy Principle 4.1 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

The complainant purchased tickets to an event through the ticketing company using a credit card. The complainant was concerned that the ticketing receipt displayed their full credit card details, including their name, full credit card number, type of card and expiry date.

The complainant felt that this compromised the security of their information as any person gaining custody of this receipt would subsequently be provided with sufficient information to complete a credit card transaction charged to their credit card account.

Issues:

National Privacy Principle 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Outcome:

The Privacy Commissioner opened an investigation into the matter under section 40(1) of the Privacy Act. The ticketing company stated that the information was for purposes of identification and to minimise the incidence of fraud. It held that this is a common practice across a number of industries.

The ticketing company also informed the Commissioner that it used a merchant EFTPOS facility provided by a banking institution and it was this facility that printed full credit card details on the receipt.

The Commissioner reached the view that the ticketing company had not interfered with the privacy of the individual as it appeared that the company was fulfilling its obligations under National Privacy Principle 4.1 by providing customer credit receipts directly to the credit card holder only, and that steps were taken to secure the merchant copy of the receipt held by the ticketing company.

The Commissioner reached the view that the primary responsibility for the printed content of the receipt from the merchant EFTPOS facility itself, rests with the merchant EFTPOS facility provider, which was in this instance, a banking institution.

The Commissioner decided not to investigate the matter further under section 41(1)(a) of the Privacy Act as she was satisfied that there was no interference with the privacy of the individual.

OFFICE OF THE PRIVACY COMMISSIONER
December 2007