Disclaimer: The summaries below have been extracted from the 1998-1999 Annual Report of the Privacy Commissioner. They illustrate how the Privacy Commissioner has previously resolved privacy complaints and should not be relied on as legal advice.

• Access to documents stored on work computer - IPP 11
• Vexatious complaint as means of pursuing personal grievance
• Disclosure of financial information to supervisor and health information to a foreign government agency - IPP 11
• Alleged disclosure by employing agency
• Disclosure of consumer credit information to an employer - s. 18N
• Unlawful access to a credit reporting agency - s. 18L
• Unauthorised use of consumer credit information by an employee of a credit provider
• Improper reporting of an overdue account - s. 18E(8)(c)
• Consumer or commercial credit?
• Inaccurate default listing

Access to documents stored on work computer - IPP 11

The complainant was a full-time employee of a government agency and engaged in part-time work with another government agency while also a party to a legal action involving considerable time and energy. Documents relating to the legal action were composed and stored by the complainant on her work computer. Documents relating to her part-time work were also stored on the same computer.

Her employer queried her absences from work and the complainant then lodged a workers' compensation claim. The claim was passed to Comcare for assessment and, at Comcare's request, the agency provided copies of documents held on the work computer. These contained intimate information concerning the complainant's health, the birth of her child, and information about third parties related to her part-time job.

The case raised a number of legal issues:

• whether Comcare was legally entitled to request the information held on her work computer;
• whether the Privacy Act permitted her employer to disclose those documents to Comcare; and
• whether her employer had a right to access the non-work-related documents on her work computer and, in particular, whether those documents were covered by legal professional privilege.

In relation to (i) and (ii), the request by Comcare for a copy of documents held on the computer was valid and made in accordance with the relevant legislation, the Safety, Rehabilitation and Compensation Act 1988. That Act requires the employer to comply with such a request and the disclosure to Comcare was therefore permissible under IPP 11.1(d).

In relation to (iii), where a person composes and stores personal information on a computer owned by a third party, in this case the employer, the owner has the right of access to the machine and the information stored on it. Legal professional privilege does not apply as the information relating to the legal cases of others was stored on the employer's computer and no claim for privilege had been made prior to the disclosure.

The Privacy Commissioner concluded that there had been no breach of the complainant's privacy.

Vexatious complaint as means of pursuing personal grievance

The complainant alleged that, in order to harass him, his former partner had accessed his taxation records as well as those of his current partner and other friends. The complainant also alleged that his former partner had conducted an audit on his friends' business without advising the agency of any potential conflict of interest.

Relevant privacy issues are unauthorised access to the complainant's records, security of record keeping; and unauthorised use of personal information.

Investigation by the agency and checking of computer audit trails showed that the former partner had not accessed the complainant's records. The audit trails also showed there was no access to the records of the complainant's current partner or those of his friends. The former partner had conducted the audit of the friends' business at their request though without official authorisation.

The complainant appeared to be trying to use the Privacy Act to harass his former partner. There was no breach of privacy and the complaint was dismissed as vexatious. In relation to the audit of the friends' business, however, the agency counselled the former partner about propriety and conflict of interest issues.

Disclosure of financial information to supervisor and health information to a foreign government agency - IPP 11

The complainant was employed by one Commonwealth agency ('the employing agency') and was required to travel overseas to arrange for the taking of evidence in a smuggling case mounted on behalf of another agency ('the client agency').

As the complainant could not himself appear in the foreign court, a private law firm was engaged to appear for the employing agency. The client agency had provided the complainant with traveller's cheques for use overseas and, on the complainant's return from overseas, questioned the way he had used them. As part of its inquiry, the client agency disclosed personal information about the complainant to the employing agency. The complainant subsequently lodged a stress-related compensation claim and the foreign law firm was advised that he would not be involved further in the case due to ill-health.

The privacy issues raised were:

• whether the Privacy Act permits the client agency to disclose to the employing agency personal information relating to the enquiry into the use of the traveller's cheques; and
• whether the employing agency was permitted to disclose information relating to the complainant's health to the law firm engaged to appear on its behalf.

In relation to both issues, IPP 11.1(a) permits the disclosure of personal information where the individual concerned is reasonably likely to be aware that the disclosure would be made. The enquiry into the propriety of the handling of the traveller's cheques was disclosed to the employing agency in order to account for the use of the traveller's cheques and was regarded as a routine accountability measure that the complainant should have been aware might be taken. The notification to the law firm of the fact that the complainant would not be engaged further on the case due to ill-health did not involve the provision of any medical or further personal information and was seen as a usual professional courtesy.

Alleged disclosure by employing agency

The complainant was concerned about a possible disclosure of personal information from her employer to Telstra. She had received a promotional letter from Telstra that was addressed to her at her place of work and stated her position at work.

The Office contacted Telstra and was advised that all of Telstra's name and address information for mail-outs came from a national list broker. The list broker was contacted and advised that the information was obtained from the complainant during a conference she had attended. The conference organiser had provided the information to the list broker.

The list broker offered to remove the complainant's name from its database. The complainant accepted this offer. The complainant was advised, however, that Telstra, the list broker and the conference organiser were not subject to the Privacy Act in relation to such disclosures and that her complaint did not fall within the scope of the Act. Accordingly, the Privacy Commissioner did not formally investigate the complaint.

Disclosure of consumer credit information to an employer - s. 18N

The complainant was concerned that a credit provider had disclosed credit information to his employer without his knowledge or consent. The complainant had fallen behind on his loan repayments. An employee of the credit provider attempted to contact him at work to discuss the matter. The complainant's employer answered the telephone and asked why the credit provider wished to speak to him. The credit provider's employee informed the employer that the complainant had fallen behind on his loan repayments. As a consequence, the complainant was disciplined by his employer for his failure to adequately manage his financial affairs.

Section 18N of the Privacy Act limits the circumstances in which credit providers are permitted to disclose consumer credit information about individuals. The credit provider acknowledged that in this case information about the complainant's credit status had been unlawfully disclosed. The credit provider apologised to the complainant, paid him $1,800 by way of compensation and undertook to ensure that all staff are made aware of the proper procedures for the disclosure of credit information.

Unlawful access to a credit reporting agency - s. 18L

The complainant was concerned that a credit provider had accessed his credit information file held by a credit reporting agency even though he had never applied for credit with that credit provider.

The complainant's wife had applied for credit with that credit provider. The application form sought information about the complainant as well as his wife, who was actually making the application. The complainant had agreed to supply his personal information to the credit provider in that context but at no stage was he interested in applying for credit nor was he notified that his personal information would be disclosed to a credit reporting agency for the purpose of processing his wife's credit application.

Section 18L of the Privacy Act sets out the circumstances in which credit providers are permitted to access and use consumer credit reports. None of the permitted circumstances applied in this case. The credit provider agreed that it had breached s.18L, took steps to delete the record of the enquiry from the complainant's credit information file and sent him a written apology.

Unauthorised use of consumer credit information by an employee of a credit provider

The complainant alleged that his ex-spouse, an employee of a credit provider, had accessed and disclosed his consumer credit information without his knowledge or consent. The complainant and his ex-spouse were going through divorce proceedings in the courts. It was alleged that the ex-spouse had provided her solicitor with information about the complainant's financial position by accessing his credit information held by the credit provider.

The credit provider could not provide conclusive evidence to suggest that the ex-spouse had accessed and disclosed the complainant's account records. However, on the balance of probability it appeared that the complainant's account information had been used by the credit provider's employee contrary to the provisions of the Privacy Act. No formal determination was made but the credit provider agreed to settle this matter by sending the complainant a written apology and paying him $1000.

Improper reporting of an overdue account - s. 18E(8)(c)

The complainant alleged that his account was not overdue at the time the credit provider reported him as overdue to a credit reporting agency.

The complainant had an eighteen-month mobile telephone contract. After the eighteen months had expired the complainant decided to terminate the contract but the credit provider continued to charge him monthly access fees. The complainant contacted the credit provider and informed them that he had terminated the contract and that he would not pay the monthly fees outstanding. The credit provider then informed the credit reporting agency that the account was overdue.

Before a credit provider can notify a credit reporting agency that a payment is overdue, it must have fulfilled the relevant requirements of s.18E(8)(c) of the Privacy Act, which requires the credit provider to notify the individual that his or her consumer credit information may be disclosed to a credit reporting agency. Additionally, paragraph 2.7 of the Credit Reporting Code of Conduct (issued by the Privacy Commissioner under s.18A of the Privacy Act) requires that sixty days must have elapsed since the day on which the payment was due and payable, and that the credit provider must have written to the individual at his or her last known address advising of the overdue payment and requesting payment.

The credit provider acknowledged that its actions in reporting the overdue account did not comply with the requirements of the Privacy Act. The credit provider agreed to remove the overdue listing and sent the complainant a written apology.

Consumer or commercial credit?

The complainant alleged that the respondent bank disclosed details of loans secured over a number of properties to other parties who had an interest in the properties.

Properties held by the complainant and the other parties were in dispute between them when the bank threatened to foreclose on the loans. During the dispute, information about the loans was obtained by the brother of the complainant and used in legal actions related to the properties. The complainant alleged that the disclosure had breached the Privacy Act.

The issue was whether the loan was for consumer or commercial purposes: the Privacy Act covers only consumer, not commercial, credit information. Documentation showed the complainant used the properties for commercial purposes and offered them as collateral for commercial loans. There was no breach of the Act.

Inaccurate default listing

The complainant applied for a loan with a credit provider and was subsequently sent a letter stating that his application was unsuccessful due to a credit report held by a credit reporting agency which indicated that a default had been listed against the complainant by a bank. The default related to an amount of $5,240. The complainant denied that he had ever dealt with the bank. The complainant then contacted the bank and, after extensive efforts, obtained a letter stating that he was not, and never had been, a customer of the bank. The credit reporting agency conducted an investigation and, as it appeared the listing had been made incorrectly, removed the listing. The complainant then requested compensation from the credit reference agency for time and cost of telephone calls to the bank. The credit reporting agency refused to accommodate the complainant's request for compensation. The complainant then complained to the Privacy Commissioner.

The Office of the Privacy Commissioner approached the bank and advised that the complainant had requested $65 in compensation for loss of productive time and the cost of telephone calls. The bank was unable to determine why the listing had originally been made. It also confirmed that the listing had been removed. It stated that, as a gesture of goodwill, it would compensate the complainant for the amount requested.