2008 - Complaint Case Note 6

	Federal Privacy Law
		Privacy Act
		Privacy Act Regulations
		Public Interest Determinations
		Guidelines
		Complaint Case Notes & Determinations
		Audits
		Information Privacy Principles
		National Privacy Principles
		Private Sector Codes and Opt-in Registers
		Credit Reporting
		Health
		Telecommunications
		Tax File Numbers
		Spent Convictions
		Data-matching
		Privacy Advisory Committee
		Private Sector Review 2005
		ALRC Privacy Inquiry 2006 - 08
		Privacy Law History
	SPECIFIC PRIVACY INFORMATION FOR:
		Individuals
		Business
		Health
		Government

		Federal Privacy Law
		About the Office
		Frequently Asked Questions
		IT and Internet Issues
		Media and Speeches
		Publications
		Privacy Links
		International
		Contact us

2008 - Complaint Case Note 6

View printable version of this page

PDF, Word

Case Citation:

F v Australian Government Agency [2008] PrivCmrA 6

Subject Heading:

Failure to keep personal information secure

Law:

Information Privacy Principles 4 and 10 in Part III Division 2 of the Privacy Act 1988 (Cth)

Facts:

The complainant, a former employee of a government agency, complained that their personal record held by the agency had been accessed by a current employee of the agency. The employee, for reasons unrelated to their employment, used the records to locate where the complainant was living.

The complainant stated this caused them to fear for their safety, and resulted in the complainant having to change their name and place of residence.

The complainant raised the matter with the agency and sought compensation. Although the agency acknowledged that an unauthorised access to the complainant's personal record had occurred, it rejected the complainant's claim for monetary compensation

The complainant, dissatisfied with the response from the agency, wrote to the Privacy Commissioner.

Issues:

Information Privacy Principle 4(a) obliges an agency to protect the personal information it holds with such safeguards as are reasonable in the circumstances.

Information Privacy Principle 10 requires agencies to use personal information only for the purpose for which it was collected unless one or more of certain exceptions apply.

Outcome:

The Privacy Commissioner opened an investigation into the matter under section 40(1) of the Privacy Act.

The agency advised that it had investigated the matter internally, and found that there had been an unauthorised access by an employee to the complainant's personal record.

Given the inadequacy of the steps taken to prevent unauthorised access, the Commissioner took the view that the agency had not taken reasonable steps in the particular circumstances to protect the complainant's personal information in accordance with Information Privacy Principle 4(a).

Further, the Commissioner formed the view that the complainant's personal information had been used for a purpose for which none of the exceptions in Information Privacy Principle 10 applied.

The agency advised that it had since applied additional protection to the complainant's personal record, and had terminated the employment of the individual who was identified as being responsible for the unauthorised access to, and use of, the complainant's personal record. The agency however did not consider that the complainant had provided sufficient evidence to substantiate the complainant's claims for monetary compensation.

The Commissioner conciliated the matter under section 27(1)(a) of the Privacy Act and an agreement between the parties was reached. The complainant accepted a confidential settlement for costs associated with the complainant's change of name and place of residence.

The Commissioner then closed the complaint under section 41(2)(a) of the Privacy Act on the grounds that the agency had adequately dealt with the complaint.

OFFICE OF THE PRIVACY COMMISSIONER
May 2008