2008 - Complaint Case Note 7

	Federal Privacy Law
		Privacy Act
		Privacy Act Regulations
		Public Interest Determinations
		Guidelines
		Complaint Case Notes & Determinations
		Audits
		Information Privacy Principles
		National Privacy Principles
		Private Sector Codes and Opt-in Registers
		Credit Reporting
		Health
		Telecommunications
		Tax File Numbers
		Spent Convictions
		Data-matching
		Privacy Advisory Committee
		Private Sector Review 2005
		ALRC Privacy Inquiry 2006 - 08
		Privacy Law History
	SPECIFIC PRIVACY INFORMATION FOR:
		Individuals
		Business
		Health
		Government

		Federal Privacy Law
		About the Office
		Frequently Asked Questions
		IT and Internet Issues
		Media and Speeches
		Publications
		Privacy Links
		International
		Contact us

2008 - Complaint Case Note 7

View printable version of this page

PDF, Word

Case Citation:

G v Financial Institutions X and Y [2008] PrivCmrA 7

Subject Heading:

Improper disclosure of personal information and accuracy of personal information

Law:

National Privacy Principles 2.1, 3 and 6.5 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

The complainant withdrew $15,000 in cash from their account with Financial Institution X. On that same day the complainant also made a cash deposit of $10,000 to their personal account with Financial Institution Y.

Financial Institutions X and Y each reported the complainant's relevant cash transaction to the Australian Transaction Reports and Analysis Centre (AUSTRAC). Information that was reported also included the complainant's name, address, date of birth and occupation. The complainant was concerned that the reporting was a breach of privacy.

At the complainant's request Financial Institution Y provided the complainant with a copy of the report provided to AUSTRAC by Financial Institution Y. In the report Financial Institution Y had lodged incorrect information relating to the complainant's occupation.

Issues:

National Privacy Principle 2.1 provides that an organisation must not use or disclose personal information about an individual for a purpose, other than the primary purpose of the collection, unless an exception at National Privacy Principle 2.1(a)-(h) applies. National Privacy Principle 2.1(g) provides that an organisation may disclose personal information for a secondary purpose, where the disclosure is required or authorised by or under law.

National Privacy Principle 3 requires an organisation to take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

National Privacy Principle 6.5 requires an organisation to take reasonable steps to correct the information it holds about an individual where the individual has established that the information is not accurate, complete and up-to-date.

Outcome:

The Privacy Commissioner treated the complainant's letter as a complaint under section 36 of the Privacy Act and conducted preliminary enquiries into their allegations under section 42 of the Privacy Act.

Financial Institution X advised that as the transaction in question involved a cash withdrawal in excess of $10,000, it was required to report the transaction to AUSTRAC as a ‘significant cash transaction' under section 7 (1) of the Financial Transactions Reporting Act 1988. Schedule 1 of the Financial Transactions Reporting Act 1988 specifies the information which a financial institution must supply to AUSTRAC, including customer name, address, date of birth and occupation of each person conducting the transaction. Financial Institution X also advised that its Privacy Policy sets out that it does disclose personal information to regulators where required by law.

Financial Institution Y advised that it reported the cash deposit to AUSTRAC pursuant to the Financial Transactions Reporting Act 1988, which requires all banks to complete a Significant Cash Transaction form when a customer makes a cash transaction of $10,000.00 or greater.

The transactions in question occurred before the Anti-Money Laundering and Counter Terrorism Financing Act 2006 came into effect. That Act imposes similar obligations in regard to significant cash transaction reporting and came into effect on 12 December 2007.

The allegations of improper disclosures of the complainant's personal information by both Financial Institution X and Y did not appear to be an interference with privacy as defined in the Privacy Act, on the basis that both organisations were required by law to make such disclosures and could rely on the exception in National Privacy Principle 2.1(g) in this instance. As such, the Privacy Commissioner declined to investigate these complaints under section 41(1)(a) of the Privacy Act.

Financial Institution Y also advised that it had taken steps to address the complainant's concern that it reported incorrect information within the "Occupation" field on the Significant Cash Transaction form, which was provided to AUSTRAC. Financial Institution Y had provided the complainant with a written apology for the occupation information being incorrect, and advised that it was able to arrange with AUSTRAC to amend the complainant's occupation details on the form to reflect the correct information. Financial Institution Y also stated that it had corrected its own records. The Privacy Commissioner closed this aspect of the complaint against Financial Institution Y under section 41(2)(a) of the Privacy Act, on the grounds that the organisation had adequately dealt with the complaint.

OFFICE OF THE PRIVACY COMMISSIONER
May 2008