Complaint Determination No. 3 of 2004

Federal Privacy Commissioner
April 2004

Table of Contents

Complaint Determination No. 3 of 2004

1. Made under the Privacy Act 1988 (Cth) (the Privacy Act) section 52.

Parties to the Complaint

Complainants

2. The Tenants' Union of Queensland Inc and Tenants' Union of NSW Co-op Ltd, and;

Respondent.

3. TICA Default Tenancy Control Pty Ltd.

History

4. This determination relates to a complaint lodged by the Tenants' Union of Queensland Inc (TU QLD) in February 2003 under section 36 of the Privacy Act.

5. The respondent to the complaint is TICA Default Tenancy Control Pty Ltd (TICA). As set out below (see [10]) TICA's business activities involve the collection, use and disclosure of personal information. It is complained that certain acts and/or practices of TICA may be an interference with the privacy of individuals.

6. The complaint is a representative complaint, lodged pursuant to section 38 of the Privacy Act. TU QLD has identified the class of members to the representative complaint as 'tenants or former tenants, who are listed on the TICA default database'.

7. I also received a complaint made by the Tenants' Union of NSW Co-op Ltd (TU NSW). The individual the subject of that complaint fell within the class of members identified by TU QLD and, accordingly, that complaint was dealt with as a part of the representative complaint brought by TU QLD.1

8. I decided to investigate the relevant acts and practices of TICA pursuant to section 40 of the Privacy Act, being satisfied that there was an act or practice which may have been an interference with the privacy of an individual and that the complaints received were validly made under section 36 of the Privacy Act.

9. I am also satisfied that the requirements for the making of a representative complaint, set out in section 38 of the Privacy Act, have been met.

Background, allegations and remedies sought

10. TICA is one of a number of organisations that operates what is known as a tenancy database. Its Tenancy History Database holds personal information about many thousands of Australians relating to alleged defaults on tenancy agreements, including failures to pay rent or damage to property. It also holds personal information about applicants for tenancies in what is known as the Enquiries Database. TICA collects personal information about tenants and applicants from property managers that are 'members' of TICA and makes the personal information it holds on its database available to its members for a fee.

11. Information about individuals is stored on the TICA database for a period between three years and indefinitely.

12. The complainants allege that the listing time frames used by TICA are 'excessive and unjustified.' Consequently, the complainants believed that some of the information held by TICA is out-of-date and therefore it is in breach of National Privacy Principle (NPP) 3 (set out below at [19]) and further that it holds out-of-date information, in breach of NPP 4.2 (set out below at [20]). In particular the complainants allege that:

  • when balanced against the likely detriment suffered by the listed tenant, the listing periods are excessive;

  • the length of time the TICA listings are kept is inconsistent with other comparable legislation. The complainants gave examples such as the Consumer Credit Reporting Code of Conduct and the Spent Convictions Schemes which afford individuals the right to 'clear the slate';

  • five years is an excessive timeframe for a consumer to be denied access to housing;

  • consumer detriment should be weighed against the risks involved for the lessor;

  • circumstances of individuals can change and information collected some time ago may not be relevant;

  • bond claims by lessors are on average for relatively small amounts of money;

  • the Federal Privacy Commissioner should take into consideration the views of other government bodies who have examined the tenancy database industry, for example the Report of Special Government Backbench Committee To Inquire Into The Operation of Tenancy Databases believed that listings should be removed either after the debt is cleared; or otherwise after a period of two years;

  • a five year timeframe bears no correlation to assessing tenancy risk and is akin to punishment.

13. Section 38(2) of the Privacy Act requires amongst other things that a complaint identify the remedy sought. The remedy sought by the complainants is a declaration by the Federal Privacy Commissioner that TICA will delete personal information from its database:

  • after a debt is cleared; or

  • otherwise after a period of two years.

14. TU QLD emphasise that they seek the removal of this information and the order sought should also have the effect of prohibiting TICA from keeping the information on the database and merely describing it in another manner (such as a listing of 'Tenancy History Only' - discussed below).

The law

15. The NPPs in Schedule 3 of the Privacy Act outline standards for handling personal information that legally bind organisations, as defined by section 6C(1) of the Privacy Act.

16. Section 13A of the Privacy Act specifies that an act or practice of an organisation will be an interference with the privacy of an individual if, amongst other things, the act or practice breaches an NPP in relation to personal information that relates to that individual.2

17. The issues in this complaint are whether TICA is retaining personal information for longer than it is permitted to by NPPs 2, 3 or 4.2.

18. NPP 2 allows organisation to use or disclose personal information freely for the purpose for which it was collected but limits secondary uses and disclosures to specified circumstances including those the individual would expect. NPP 2 states that:

    2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:

    1. both of the following apply:

      1. the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;

      2. the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose;
        3. or

    2. the individual has consented to the use or disclosure; or

    3. if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:

      1. it is impracticable for the organisation to seek the individual's consent before that particular use; and

      2. the organisation will not charge the individual for giving effect to a request by the individual to the organisation not to receive direct marketing communications; and

      3. the individual has not made a request to the organisation not to receive direct marketing communications; and

      4. in each direct marketing communication with the individual, the organisation draws to the individual's attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications; and

      5. each written direct marketing communication by the organisation with the individual (up to and including the communication that involves the use) sets out the organisation's business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or address at which the organisation can be directly contacted electronically; or

    4. if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:

      1. it is impracticable for the organisation to seek the individual's consent before the use or disclosure; and

      2. the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph; and

      3. in the case of disclosure-the organisation reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or

    5. the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent:

      1. a serious and imminent threat to an individual's life, health or safety; or

      2. a serious threat to public health or public safety; or

    6. the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

    7. the use or disclosure is required or authorised by or under law; or

    8. the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:

      1. the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

      2. the enforcement of laws relating to the confiscation of the proceeds of crime;

      3. the protection of the public revenue;

      4. the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;

      5. the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

    Note 1: It is not intended to deter organisations from lawfully co-operating with agencies performing law enforcement functions in the performance of their functions.

    Note 2: Subclause 2.1 does not override any existing legal obligations not to disclose personal information. Nothing in subclause 2.1 requires an organisation to disclose personal information; an organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.

    Note 3: An organisation is also subject to the requirements of National Privacy Principle 9 if it transfers personal information to a person in a foreign country.

    2.2 If an organisation uses or discloses personal information under paragraph 2.1(h), it must make a written note of the use or disclosure.

    2.3 Subclause 2.1 operates in relation to personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation's primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.

    2.4 Despite subclause 2.1, an organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if:

    1. the individual:

      1. is physically or legally incapable of giving consent to the disclosure; or

      2. physically cannot communicate consent to the disclosure; and

    2. a natural person (the carer) providing the health service for the organisation is satisfied that either:

      1. the disclosure is necessary to provide appropriate care or treatment of the individual; or

      2. the disclosure is made for compassionate reasons; and

    3. the disclosure is not contrary to any wish:

      1. expressed by the individual before the individual became unable to give or communicate consent; and

      2. of which the carer is aware, or of which the carer could reasonably be expected to be aware; and

    4. the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).

      5. 2.

    2.5 For the purposes of subclause 2.4, a person is responsible for an individual if the person is:

    1. a parent of the individual; or

    2. a child or sibling of the individual and at least 18 years old; or

    3. a spouse or de facto spouse of the individual; or

    4. a relative of the individual, at least 18 years old and a member of the individual's household; or

    5. a guardian of the individual; or

    6. exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual's health; or

    7. a person who has an intimate personal relationship with the individual; or

    8. a person nominated by the individual to be contacted in case of emergency.

    2.6 In subclause 2.5:

      child of an individual includes an adopted child, a step-child and a foster-child, of the individual.

      parent of an individual includes a step-parent, adoptive parent and a foster-parent, of the individual.

      relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.

      sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother, step-sister, foster-brother and foster-sister, of the individual.

19. NPP 3 states that:

    An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

20. NPP 4.2 states that:

    An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.

21. Section 6D(1) of the Privacy Act defines a small business as one with an annual turnover of '$3,000,000 or less'. Section 6D(3) to 6D(9) of the Privacy Act provides for a small business to be classed as 'a small business operator' and therefore not subject to the Privacy Act except in specified circumstances, including where an organisation trades in personal information.

22. The Privacy Act also provides that small businesses which are subject to the Privacy Act would not be subject to the provisions of the NPPs until 21 December 2002. Consequently, when investigating this complaint I have been restricted to examining evidence relating to the acts and practices of TICA which occurred after 21 December 2002 except where the Privacy Act provides otherwise.

23. In this regard with respect to small businesses:

  • Section 16D(3) of the Privacy Act provides that NPP 3, as far as it relates to the use and disclosure of personal information, and NPP 4.2 apply to personal information regardless of when it was collected; and

  • Section 16D(4) of the Privacy Act provides that NPP 2 applies to personal information collected after 21 December 2002.

24. Section 52 of the Privacy Act provides that after I have investigated a complaint I may make a determination:

  • dismissing the complaint; or

  • finding the complaint substantiated and making a declaration that:

      • the respondent has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct; and/or

      the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant; and/or

      the complainant is entitled to compensation for any loss or damage - including injury to the complainant's feelings or humiliation suffered by the complainant.

25. In my view it is also within my powers under s 27 of the Privacy Act to make recommendations which will promote compliance with the NPPs.

Investigation process

26. Section 40(1A) of the Privacy Act provides that I must not investigate a complaint where the complainant has not first complained to the respondent, unless I consider that it was not appropriate for the complainant to have done so. In the present case, I am aware that TU QLD has had ongoing contact with TICA in relation to a number of privacy issues arising out of its activities and that this contact may be considered to be by way of 'complaint'. To the extent that the present complaint falls beyond those 'complaints' made to the respondent, which I note have not resulted in the resolution of these matters, I am satisfied that the complex nature of the issues raised and their significance for the rights of the people concerned makes it inappropriate for them to be the subject of direct complaint to the respondent.

27. My Office's investigation of this complaint involved the following:

  • formally advising the parties that I was opening an investigation into the complaint under section 40(1) of the Privacy Act and inviting the parties to respond;

  • gathering evidence and considering information provided by TU QLD, TU NSW, the individual complainants and TICA in submissions or in response to matters raised by my staff or the complainants;

  • providing the respondent and the complainants with opportunities to comment on an initial preliminary view on the complaint in September 2003;

  • visiting TICA's premises to discuss the issues raised in the complaint, to observe its database in practice and gather additional information about the operation of the database;

  • providing the parties with the current Office position on the complaint in February 2004 following changes in some aspects of the views since September 2003 and extending an invitation to make oral and/or written submissions;

  • holding a hearing on 3 March 2004 affording the parties the opportunity to appear before me - TU QLD and TU NSW accepted the invitation to appear at the hearing;

  • considering written and oral submissions and gathering information to clarify claims made by the parties;

  • providing the primary representative complainant (TU QLD) and TICA with the opportunity to see information and submissions provided by the other party;

  • checking TICA listings relating to 50 individuals to assess if the personal information in the listings was accurate, complete and up-to-date;

  • pursuant to section 43(5) of the Privacy Act and the principles of procedural fairness, providing the parties with the revised preliminary view of March 2004 and a final opportunity to comment before I finalised the determination;

  • holding a further hearing on 8 April 2004 affording the parties the opportunity to appear before me - TICA accepted the invitation to appear at the hearing; and

  • providing TICA and TU QLD with copies of the submissions, excluding some material that involved personal information of third parties, made by the other party in response to my March preliminary view.

General considerations

28. Before setting out my findings and reasons in relation to this complaint I will make some general comments about the context in which this complaint is made.

29. Housing is essential for all people and is one of the basic human rights set out in the Universal Declaration of Human Rights.3 The operation of tenancy databases is controversial because of their perceived impact on the ability of individuals listed on the databases to obtain housing. On the other hand tenancy databases, such as TICA, can be seen as a legitimate risk minimisation tool for property managers.

30. A number of the NPPs relevant to this complaint require an assessment of 'reasonableness' (for example, the 'reasonable steps' required of an organisation under NPP 3). I take the view that in making an assessment of 'reasonableness', it is appropriate to take into account the purposes for which personal information is collected and the consequences for the individuals concerned. In this case I am satisfied that tenancy databases, such as the one operated by TICA, do have an impact on an individual's ability to obtain housing; my understanding is that this is part of the intention when establishing such databases.

31. However, this is only one factor I have taken into account. I have also considered the overall intention of the Privacy Act including that business needs to be able to operate efficiently and effectively and that the NPPs are general high level principles and are not prescriptive in how they apply.

32. In this complaint I need to consider TICA's functions, activities and purposes of collecting, using and disclosing tenancy application and tenancy history information and decide if it can lawfully keep personal information about tenants and approved occupants for extended periods.

33. I have set out below issues that this complaint raises together with information, evidence and discussion about the application of the law that I consider relevant to the question of whether TICA complies with its obligations under NPPs 2, 3 and 4.2.

34. It is relevant to note that this complaint is against TICA, not its members. Accordingly, I will not consider how the NPPs apply to the acts and practices of its members. That would be the subject of separate investigation should such a complaint be made against a member. I acknowledge TICA's request in its submission in response to my March preliminary view that it be advised about practices of its members that may be breaches of the Privacy Act so that it can assist to address these practices.

Findings

Small business provisions

35. I find that TICA is an 'organisation' as defined by s 6C(1) of the Privacy Act, and is accordingly bound by the NPPs.

36. I find that TICA does not fall within the exemption to the Privacy Act which applies to 'small business operators'.4 TICA is a 'small business' in terms of the Privacy Act, in that its annual turnover is '$3,000,000 or less'. However, as TICA trades in personal information, it does not fall within the definition of 'small business operator' by virtue of s 6D(4)(c) of the Privacy Act.5

37. Because of the delayed application of the NPPs to small business, it is open to TICA to decide that it will use and disclose personal information collected before 21 December 2002 without taking account of NPP 2. However, if it adopted that approach it would need to have in place practices to distinguish between listings that are not subject to the Privacy Act and those that are. I understand that in practice TICA does not make a distinction between personal information collected pre and post 21 December 2002 and would, for example, impute the same primary purpose to all the personal information it holds.

Current listing timeframes

38. As noted above (see [10]) TICA holds two separate databases of personal information (to be referred to as 'the database'). The 'Enquiries Database' lists tenancy applications made by prospective tenants and prospective approved occupants. The 'Tenancy History Database' is a record of the tenant's behaviour during the tenancy. The Enquiries Database contains identifying information about the individual concerned and the name of the member with which the prospective tenant lodged the application.

39. Depending on the listing type, TICA states that the information is held on the TICA Tenancy History Database and Enquiries Database between three years and indefinitely, as explained below:

  • If a listing is recorded on the Tenancy History Database for a breach of a tenancy agreement and no monetary sum has been recorded the listing will remain for three years. After the three years has expired and upon confirmation from the listing member that no monies are owed the listing will be changed to read 'Tenancy History Only'.

  • If a listing is recorded on the Tenancy History Database for a debt incurred which arose in relation to the tenancy and a dollar value has been recorded the listing will remain for five years. Once the debt is paid TICA will record that the debt was paid and the listing will be altered to show the date on which it was paid. After five years the debt amount will be removed and the listing will be changed to read 'Tenancy History Only'. Default details will remain on the database until such time as the debt owed has been satisfied.

  • 'Tenancy History Only' and the other history listings (that is; past tenant no default recorded, satisfactory payment history and recommended tenant) are listed indefinitely.

40. The complainants submit that all TICA timeframes are 'manifestly excessive', unjustified and therefore in breach of the Privacy Act. The complainants argue against the TICA's practice of keeping listings in the category 'Tenancy History Only' indefinitely.

41. TICA argues that the information it holds in its database is relevant to the real estate industry in assessing an individual's tenancy. Further, it claims that this information is relevant for a number of years and in some cases it is relevant for an indefinite period. TICA states that disclosing information to members about rectified rent defaults is essential and necessary for one or more of its functions. It claims this is the case because it provides an indication of the individual's ability to maintain the property and pay the rent. Rectified rent defaults indicate any arrears, how much and for how long before outstanding money was paid.

42. TICA further states that the listing 'Tenancy History Only', which is the notation given to defaults that have expired, is necessary because it confirms that a tenant has listed through a particular agency and the purpose of this listing is to provide a history of where a tenant rented. TICA states tenancy databases are one of the tools available to property managers and 'landlords and agencies are entitled to know where a tenant previously rented; and who they rented through. Tenancy History allows members to clarify a tenancy application form'. TICA claims that this listing is used when members do not want to give a 'satisfactory' or 'recommended' listing to tenants but there is no need to list a default.

43. The use of the 'Tenancy History Only' listing and its accuracy, completeness and currency is discussed in Determination No. 2 of 2004. I find the 'Tenancy History Only' category appears to be, in effect, a continuing adverse listing as it frequently indicates that a listing concerning the breach of a tenancy agreement has existed in the past. This listing is held indefinitely and it is possible that a potential adverse implication may be drawn and that the individual is branded a bad risk even though the specific default listing has been purged.

44. In this complaint I need to consider whether TICA's practice of holding personal information for periods ranging from three years to indefinitely is consistent with its obligations in relation to NPP 3 to take reasonable steps to make sure personal information is accurate, complete and up-to-date and in relation to NPP 4.2 to take reasonable steps to delete or permanently de-identify personal information if it is no longer needed for any purpose for which it may be used and disclosed under NPP 2. To make this assessment I will:

  • consider TICA's primary purpose of collection in terms of NPP 2 and for the purposes of this complaint; and

  • identify relevant considerations by which I can decide if the personal information that TICA holds is accurate, complete and up-to-date.

Primary purpose of collection

45. TICA states that its functions and activities include the facilitation of 'proper assessment of risk by landlords and agents and the determination of the suitability of an individual for tenancy of a premises'. It has advised that it is 'a tenancy history database that allows its members to store and recall information about tenants and their tenancy history. Members are able to list tenants on the TICA database for various categories both good and bad'. Although I was not initially convinced that the collection of information concerning tenancy applications was necessary for its functions or activities, TICA has since advised that the purpose of collecting information about tenancy applications for inclusion in the Enquiries Database, enables members to assess the validity of tenancy applications by providing a tool to confirm the accuracy of information provided on the tenancy application form.

46. TU QLD does not accept that the Enquiries Database has as its primary purpose the assessment of risk by prospective landlords and agents. A detailed discussion of the purpose of the Enquiries Database as a risk management tool can be found in Determination No. 4 of 2004. In my opinion the Enquiries Database is a legitimate risk management tool and therefore this information is necessary for TICA's functions or activities.

47. I find that TICA collects the personal information of individuals from its members for the primary purposes of making this information available to its members to be used as a risk assessment tool to assess an individual's suitability for a tenancy.

Utility of information

48. I find that the length of time information is held may affect its validity and usefulness. I disagree with TICA's contention that 'the time factor has no bearing on the information being accurate, complete and up-to-date as TICA maintains and submits that the information about accurate, complete and up-to-date...is in relation to information that was recorded'.

49. In the context of making a risk assessment of a prospective tenant, it is relevant to consider, for example, the fact that people (including their behaviour, circumstances and environment) change over time. It is also relevant to note the difficulties that may be encountered in verifying the accuracy and completeness of information as time passes.

50. As such, time would appear to be a relevant factor in deciding whether the information recorded in the Enquiries Database and Tenancy History Database is accurate, complete and in particular, up-to-date for the purposes of NPP 3 and whether it is 'no longer needed' and therefore required to be destroyed under NPP 4.2.

51. I note the existence of legislative schemes relating to spent convictions as well as the provisions of the Privacy Act in relation to consumer credit reporting, (for example section 18F(2) Privacy Act), which establish 'purge dates' to allow 'fresh starts'. These would appear to acknowledge that circumstances and behaviour can change and that information related to an individual's past actions may become irrelevant.

NPP 3 - Currency of personal information held by TICA

52. TICA advises that it takes a number of steps to make sure that the personal information in its Tenancy History Database is, amongst other things, up-to-date. These steps include requiring its members to only make listings that are true and correct and conducting random checks of listings to ensure they are supported by appropriate evidence. There are no steps taken to ensure that the information in the Enquiries Database is up-to-date even though, as noted earlier, TICA has advised that one purpose of collecting information about tenancy applications is to enable its members to confirm the accuracy of applications. TICA also advises that it moves information from the Tenancy History Database to the 'dead tenant database'6 after the expiration of the timeframes discussed above (see [39]). I have addressed whether this response is sufficient for TICA to meet its obligations under NPP 3 and NPP 6 in Determination No 2 of 2004.

53. The question I need to consider here is whether or not TICA has taken 'reasonable steps' to ensure that personal information is up-to-date in the circumstances in which it is not only collecting but also using and disclosing the information. In my opinion, it is relevant to consider the potential significance of the listing for an individual. This will impact upon what is 'reasonable' in ensuring currency. In the present case I am of the view that for the steps to be 'reasonable' they should include elements such as:

  • criteria and mechanisms to assess the likely risk assessment value of different categories of listings;

  • development of listing timeframes that are appropriate given the risk assessment value of the personal information;

  • mechanisms for reviewing the utility of information on a case by case basis. For example allowing individuals to provide submissions to explain why information is out-of-date and how their circumstances have changed;

  • opportunities for individuals to apply to have information reviewed on the basis that it does not adequately reflect their current tenancy risk. For example, inviting individuals to apply for a listing to be deleted in certain circumstances.

54. I have carefully considered TICA's current practices in relation to the steps taken to ensure the accuracy and currency of personal information. Although TICA has asserted that is does take reasonable steps, I find that TICA's current mechanisms are inadequate to ensure information is accurate, complete and up-to-date. Consequently, I find that, taking into account of all the circumstances, TICA has not taken reasonable steps to make sure the personal information it collects, uses and discloses is up-to-date. I therefore find that TICA has breached NPP 3.

55. Another aspect of data management which may form part of the 'reasonable steps' taken in compliance with NPP 3 (as well as NPP 4.2) is the adoption of a 'uniform deletion timeframe' under which records are routinely deleted after a certain period. Such a policy forms part of TICA's processes. However, I am concerned that information is held for an inappropriate length of time. I would recommend that TICA develops an appropriate uniform deletion timeframe in conjunction with other appropriate measures such as those that I have outlined above (see [53]).

56. In considering what might be an appropriate timeframe in this regard, it is appropriate to look to other legislative schemes relating to the recording of personal information. In particular, consumer credit reporting in the Privacy Act may be a useful comparison as credit reporting seeks to perform a similar function as reporting in the present case - namely to report on the failure to perform contractual obligations in relation to financial matters. Under the Privacy Act scheme (section 18F(2)), overdue accounts and credit applications are purged from an individual's consumer credit file after five years. Serious credit infringements are listed for a period of seven years.

57. The TICA database is distinct from credit reporting databases in some key respects. These are that: listings are not confined to financial matters; listings in relation to non-financial matters are subjective (for example, different property managers may have a different view about how untidy a garden should be before a listing is made); and the consequences of a listing are potentially more serious in that it may result in significant difficulty in finding housing.

58. I note that the Federal spent convictions scheme [Crimes Act 1914, Part VIIC] provides for a 'clean slate' in relation to minor convictions after ten years (five years for minors). However, these timeframes relate to criminal convictions rather than to the failure to meet contractual obligations. Consequently, I do not believe that uniform deletion timeframes for tenancy databases can mirror credit reporting timeframes and arguably should be shorter.

59. The Office's view on appropriate deletion timeframes for tenancy databases has altered a number of times during the investigation of this complaint. This is a complex issue and as the Office obtained additional evidence and submissions about TICA's processes and its use of personal information, the position has changed accordingly.

60. In considering all the material before me, I have also taken into account the fact that the information on a tenancy database may impact upon an individual's ability to obtain housing, distinguishing this situation generally from, for example, that of the provision of credit. I have concluded that it would be appropriate under a uniform deletion timeframe policy to delete personal information in the Tenancy History Database after four years and personal information in the Enquiries Database after three years. I suggest that there is likely to be limited utility in such information as far as it is useful or relevant in assessing an individual's current tenancy suitability. I would encourage TICA to consider a shorter listing time, such as three years, for non-financial listings on the Tenancy History Database.

NPP 2 and NPP 4.2 - destruction or de-identification of personal information no longer needed

61. TICA believes that the listing timeframes are warranted and that all personal information is being disclosed for a lawful purpose permitted under NPP 2 or has been removed from the Enquiries Database and Tenancy History Database and transferred to a 'dead tenant database' where it cannot be accessed by TICA members.

62. The question I have to consider here is whether TICA must destroy or de-identify personal information that is out-of-date, because, as it no longer has utility as a risk assessment tool, it is no longer needed for the primary purpose for which it was collected or for other permitted purposes under NPP 2.1. If I find TICA must destroy or de-identify out-of-date personal information then I need to consider if the steps it is currently taking in this regard are reasonable in the circumstances.

63. I find that TICA's primary purpose of collecting personal information is to establish a risk assessment tool for property managers. The personal information TICA collects into its database loses its utility in relation to risk management over time. As noted above (see [18]) NPP 2 does not restrict the use or disclose of personal information for the purpose for which it was collected.7 However, information that is no longer fit for the purpose for which it was collected cannot, in my opinion, be properly said to be needed for that purpose.

64. TICA should therefore be taking reasonable steps under NPP 4.2 to destroy or permanently de-identify personal information from its database that is out-of-date and therefore no longer needed for a relevant purpose.

65. I find that TICA does not take such steps. The step that TICA currently takes in relation to out-of-date personal information is to remove it to the 'dead tenants' database'. I find that this step is not reasonable in the circumstances for the following reasons:

  • TICA does not appear to have in place reasonable measures to decide when personal information is out-of-date;

  • TICA does not appear to take any steps to destroy (as opposed to move) personal information that is out-of-date; and

  • Although the 'dead tenant database' is only available to TICA, and is not disclosed outside of the organisation, it does not de-identify the information it contains.

66. It is therefore my finding that TICA has failed to take reasonable steps to destroy personal information which is no longer needed for any purpose for which the information may be used or disclosed under NPP 2 and is in breach of NPP 4.2.

Determination

67. I find that TICA has breached NPP 3 by failing to take reasonable steps to make sure the personal information it collects, uses and discloses is up-to-date. I therefore find this element of the complaint substantiated and declare that TICA has engaged in conduct constituting an interference with the privacy of individuals who are members of the class identified in the complaint. I declare that this conduct should not be continued or repeated.

68. I further find that TICA has breached NPP 4.2 by failing to take reasonable steps to destroy or de-identify personal information that is no longer needed for any purpose. I therefore find this element of the complaint substantiated and declare that TICA has engaged in conduct constituting an interference with the privacy of individuals who are members of the class identified in the complaint. I declare that this conduct should not be continued or repeated.

69. The complainants have asked me to make declarations requiring TICA to remove personal information from its database after specified periods of time. I am not satisfied that I should do so. While I have declared that TICA should not repeat or continue conduct which constitutes an interference with the privacy of an individual, I do not, in my view, have the power under section 52(1)(b)(i)(B) of the Privacy Act to otherwise generally prescribe how TICA should act. As I have made clear in the body of this determination, it is in my view desirable that a uniform deletion timeframe be adopted as part of the measures designed to achieve compliance with the NPPs. Such a policy is, however, only one of the measures that, in my view, will ensure TICA's compliance with the Privacy Act. I have made recommendations relevant to this issue below.

70. I am also of the opinion that section 52(1)(b)(ii) of the Privacy Act does not provide the basis for making a declaration of the type sought by the complainants as to the future conduct of TICA. I am not, on the information presently before me, satisfied that there has been any identifiable loss or damage suffered by the complainants that would be redressed by a course of conduct required by such a declaration. If individuals can provide evidence of loss or damage that they have suffered by virtue of an interference with their privacy, I am willing to consider this matter via individual complaints.

71. I recommend that the following steps be implemented by TICA to promote compliance with the NPPs:

  • Deletion of 'history' information being stored in the Tenancy History Database after a period of not longer than four years; and

  • Deletion of 'application' information being stored in the Enquiries Database after a period of not more than three years; and

  • Permit each default to be listed only once; and

  • Permit an individual to be listed for multiple breaches simultaneously. These listings may have different deletion dates; and

  • Deletion of information moved to the 'dead tenant database' (that is the database which stores deleted listings) not less than once a month. I believe it is acceptable to hold information temporarily in the 'dead tenant database' to ensure that information which is 'accidentally' deleted can be retrieved.

Malcolm Crompton
Federal Privacy Commissioner

Dated 15 April 2004

1. I note that section 38C of the Privacy Act gives me the power to amend a complaint so that it can be dealt with as a representative complaint. In the event that it is necessary to amend the complaint received from TU NSW so as to make it a part of the wider representative complaint, I would do so pursuant to section 38C of the Privacy Act.

2. TICA is not bound by an approved privacy code in terms of section 13A(b)(ii) of the Privacy Act.

3. Article 25 of the Universal Declaration of Human Rights http://www.un.org/Overview/rights.html.

4. I note that TICA was offered the opportunity to make any submissions or provide any material to me in relation to this exemption. I did not receive any submissions or material in relation to this issue.

5. I note that section 6D(4)(c) of the Privacy Act does not prevent a body corporate from being a 'small business operator' only because it discloses personal information with the consent of the individual, or as required or authorised under legislation. I find that TICA does not have the consent of all of the individuals whose personal information appears on their database (in particular, those individuals whose personal information was collected before 21 December 2002) and is disclosed to TICA's members. I note that TICA has not claimed that it does have such consent, although it was given the opportunity to do so.

6. The dead tenant database is an internal database held by TICA and which cannot be accessed by its members.

7. Organisations using or disclosing personal information for the primary purpose of collection still must comply with the other provisions of the NPPs.

Return