Disclaimer: The summaries below have been extracted from the 1997-1998 Annual Report of the Privacy Commissioner. They illustrate how the Privacy Commissioner has previously resolved privacy complaints and should not be relied on as legal advice.

• Identity of provider of public information not protected - IPP 11
• Disclosure to third party as a result of incorrect address - IPPs 8 and 11
• Agency disclosure of tax file number and bank accounts to a third party - TFN
• Disclosure of sexual harassment allegations - IPPs 8 and 11
• Disclosure of medical information to internal staff - IPP 10
• Disclosure of information by a government department to a business rival - IPP 11
• Notification to an employer of personal circumstances - IPPs 8 and 11
• Bank discloses personal credit information to wrong individual - s.18N
• Disclosure of personal credit information to ex-spouse - s.18N
• Unauthorised access by a credit provider of personal credit worthiness information - s.18E
• Telecommunications provider lists commercial credit default on a consumer credit information file - s.18E
• Listing of credit default by public utility - s.18E(8)(c)

Identity of provider of public information not protected - IPP 11

The complainant had advised Centrelink of the activity of a member of their social community alleged to be obtaining a benefit payment by fraudulent means. The investigation of the alleged fraud included an interview with the complainant. The complainant believed that the person conducting the interview disclosed their identity to the alleged fraudulent party. Following the 'dob-in', threats were made against the complainant and some of their property was damaged.

Although it was never conclusively proved that Centrelink had disclosed the name of the complainant, Centrelink accepted that the circumstantial evidence suggested that its staff may have made an inappropriate disclosure of personal information in breach of IPP 11. As a consequence, the interviewer and other staff were reminded of their responsibilities not to disclose personal information other than in accordance with their official duties.

The issue was included in other staff training undertaken by the agency. There was never any evidence that the property damage was related to the disclosure, but the agency offered the complainant an apology and an amount of $700 compensation in relation to the threats.

Disclosure to third party as a result of incorrect address - IPPs 8 and 11

The complainant alleged that his personal information was disclosed to a third party as a result of his address being incorrectly altered on the Child Support Agency database. Consequently, a notice was delivered to the wrong address and the complainant was upset that his personal details had been disclosed to a person known to him.

The agency's investigation confirmed that the address information was not checked for accuracy either when it was first collected or before it was used to post out the notice. This raised two potential breaches of the Privacy Act. Firstly, personal information was used without checking that it was accurate (IPP 8), and secondly, personal information was disclosed to a third party in breach of IPP 11.

The response of the Child Support Agency was to offer the complainant new identifier information on their database. The agency also provided refresher training to Canberra staff and established procedures to prevent a recurrence of the breach.

Agency disclosure of tax file number and bank accounts to a third party - TFN

The complainant's tax file number and bank account details were disclosed by the Department of Employment, Education, Training and Youth Affairs (DEETYA) to another person when a letter containing this information was incorrectly inserted into correspondence being sent to another AUSTUDY student. The investigation of the complaint by DEETYA did not adequately reveal how the error occurred, but did suggest that there was no systemic problem in their information handling procedures. The investigation did however determine that there had been a breach of IPP 11 in that personal information of the complainant was disclosed to another person.

As the disclosure involved the complainant's tax file number, there was also a concern that DEETYA may not have complied with the Privacy Commissioner's Tax File Number Guidelines, which require that tax file numbers be adequately protected. However, as there was no evidence of a systemic problem, this aspect of the complaint was not pursued. Nevertheless, even though the disclosure appeared to be an isolated incident, DEETYA agreed to new procedures for the checking of outgoing mail and the complainant was given an apology.

Disclosure of sexual harassment allegations - IPPs 8 and 11

The complainant was employed for a short time as a casual employee of a government agency. Shortly after his employment ended, another casual employee accused him of sexual harassment. As both persons had ceased employment with the agency, it was decided that it was inappropriate for the agency to undertake an investigation of the allegations. Instead, the agency decided to refer the complaint to the employment agency that had acted for both people. The complainant was upset that the accusation of sexual harassment was disclosed to his employment agency without it having first been raised with the complainant himself.

This matter had been the subject of a previous investigation by the Ombudsman's office and was resolved by way of an apology. The complainant then asked the Privacy Commissioner to investigate the privacy aspects of the complaint. It was decided to commence an investigation because it appeared that the Ombudsman had dealt purely with issues of procedural fairness.

As the facts of the complaint had already been established by the Ombudsman, it was only necessary to consider what alternative action could have been taken by the government agency, what harm the complainant had suffered, and whether the actions taken by the agency were reasonable. These, and some other questions, were relevant to deciding whether the agency had disclosed personal information about the complainant in breach of IPP 11, and whether the agency had used the information in breach of IPP 8 by not first checking the accuracy of the allegations.

It was decided that in the circumstances, the agency should have first put the allegations to the complainant, before it passed them to the employment agency. The agency apologised for not first raising the allegations with the complainant and offered compensation of $300 to cover legal costs in relation to the privacy issue.

Disclosure of medical information to internal staff - IPP 10

Information that the complainant was undergoing psychiatric examination as part of a compensation claim was provided to a number of staff within a government agency by letter and email. IPP 10 requires that this type of personal information is only to be used for the particular purpose for which it was collected. As the information was collected as part of a compensation claim, it should have only been passed to other staff who had a need to be informed, such as the staff who were processing the compensation claim and the complainant's supervisor. It was not necessary to pass this information onto the complainant's colleagues as they did not need to know the actual reason for his absence from work.

The complainant was very sensitive about this issue and was humiliated to discover that his work colleagues knew that he had been seeing a psychiatrist. He felt that his colleagues would assume that he was mentally unstable because he was visiting a psychiatrist.

As the same set of facts gave rise to both the alleged privacy breach and the exacerbation of an existing worker's compensation claim, it was not possible to separate one claim from the other. Following negotiations between the agency and the complainant in relation to both matters, the complainant accepted a confidential settlement, which included the settlement of his worker's compensation case, together with some of his legal costs.

Disclosure of information by a government department to a business rival - IPP 11

The complainant alleged that details held by the Department of Social Security (DSS) were disclosed to a business rival in breach of IPP 11. A letter noting a debt to the agency was received by the business rival and an article subsequently appeared in a newspaper, with potential detrimental effects on the complainant's business. There was no direct evidence to show that the information was disclosed by an officer of DSS, however the investigation of the complaint indicated that it was most likely that the disclosure had been made by an employee of DSS. The department provided compensation of $2,282 to the complainant to compensate him for the disclosure. The amount of the compensation covered the complainant's legal fees and the waiving of the debt owed by the complainant.

Notification to an employer of personal circumstances - IPPs 8 and 11

The complainant moved to a new position within a personal services industry and hoped to invest in that industry. It was important to his business and his reputation that there was no criticism of his personal life. The complainant was paying maintenance for the support of a child and had arranged that the Child Support Agency (CSA) would not contact his employer to arrange for deductions of maintenance payments from his wages. He was able to do this as he had made other arrangements to meet his maintenance obligations to the child's carer parent.

Despite these arrangements, the CSA contacted his employer to confirm his employment details.

After the individual had complained to the CSA, an undertaking was entered into by the CSA not to contact the employer in relation to these maintenance payments. Subsequent contact was made by the agency with the employer in contravention of this undertaking, resulting in the release of information about the complainant's personal circumstances to the employer.

This complaint raise two potential breaches of the Privacy Act. Firstly, there was a possible breach of IPP 8 in that information was used without first checking that it was up to date and accurate (i.e. information relating to the complainant's obligations to pay maintenance). Secondly, information about the complainant was disclosed in possible breach of IPP 11.

The agency acknowledged the breach of the undertaking, and paid compensation of $2,000.

Bank discloses personal credit information to wrong individual - s.18N

The complainant alleged that his credit provider disclosed personal credit worthiness information to his father via a telephone conversation. The credit provider revealed to the father that his son had a delinquent personal loan account. The son, however, no longer resided at that address. Section 18N of the Privacy Act does not permit a credit provider to disclose credit information to a third party except in certain circumstances. The father was not a party to the loan agreement and therefore did not have a right to receive this information.

The bank accepted that this was an unauthorised release of the individual's information, and $2,000 in compensation was offered by the bank for any humiliation and embarrassment suffered by the complainant. The bank also recognised the need to confirm the identity of the relevant individual, by checking the full name, and/or the date of birth, before disclosing personal credit worthiness information.

Disclosure of personal credit information to ex-spouse - s.18N

The complainant had a loan account with a credit provider who was also the employer of his ex-spouse. The complainant alleged that his personal credit worthiness information was disclosed to his ex-spouse when the credit provider refused to make an employment termination payment to the ex-spouse until all outstanding debts owed by the complainant had been paid.

The disclosure of the complainant's debt information to his ex-spouse was unauthorised under s.18N of the Privacy Act. The credit provider issued the complainant with a formal apology and paid him $2,500 compensation.

Unauthorised access by a credit provider of personal credit worthiness information - s.18E

The credit provider, in assessing an application for an individual, had wrongly accessed the complainant's consumer credit information held by a credit reporting agency. The individual and the complainant shared identical first name and surname as well as date of birth. This resulted in a credit application enquiry being incorrectly reported by the credit provider on the complainant's consumer credit information file. The recorded credit enquiry had the potential of affecting the complainant's credit standing and ability to obtain credit from a credit provider.

The credit provider admitted that there was an error, and that it had incorrectly placed the relevant credit application enquiry on the complainant's personal credit information file in breach of s.18E of the Privacy Act. The credit provider issued the complainant with a formal apology and took corrective action to remove the offending record.

Telecommunications provider lists commercial credit default on a consumer credit information file - s.18E

The complainant alleged that an account which was opened with a telecommunications provider for commercial purposes was listed as overdue on the complainant's consumer credit information file held by a credit reporting agency. Although banks, building societies and finance companies are clearly credit providers, many ordinary businesses are also deemed to be credit providers. For example, a telecommunications provider (as in this complaint) can be a credit provider where it allows customers to pay their telephone bill at the end of a three month period. In this situation, the customer is being given three months credit by the phone company.

Investigation of the complaint revealed that the account was primarily used for business purposes which meant that it was a commercial account. Consequently, any resulting default on the account could only be listed on the commercial file and could not be listed on the consumer credit information file. Such a listing would be in breach of s.18E of the Privacy Act, which lists the permitted contents of a credit information file held by a credit reporting agency.

The credit provider accepted that this was an inappropriate listing of the overdue account with the credit reporting agency. There was evidence to support the complainant's contention that they had been denied credit as a result of the inappropriate listing. In this regard, the credit provider removed the offending default listing, issued a formal apology, and paid $3,500 in compensation for any financial loss, hurt or embarrassment suffered by the complainant.

Listing of credit default by public utility - s.18E(8)(c)

The complainant alleged that a public utility had listed a credit default against his consumer credit information file held by a credit reporting agency. The public utility did not notify the individual that they would be listed with a credit reporting agency.

The public utility was considered to be a credit provider for the purposes of the Privacy Act because it allowed its customers to pay their accounts at the end of three months, thus extending credit to the customers. The public utility failed to notify the complainant that it intended to list him with a credit reporting agency, as is required by s.18E(8)(c) of the Privacy Act, before it advised the agency that he was in default on his account. The public utility responded to the complaint by removing the default listing and apologising to the complainant.