Disclaimer: The summaries below have been extracted from the 1999-2000 Annual Report of the Privacy Commissioner. They illustrate how the Privacy Commissioner has previously resolved privacy complaints and should not be relied on as legal advice.

• Movement Monitoring Officers in the Torres Strait - IPPs 1, 2, 4 and 11
• Use of contractors to verify benefit claims - IPPs 4 and 10
• Disclosure of personal information to treating doctor - IPP 11
• Doubtful 'clearout' listing
• Obtaining access to credit information by false pretences - ss. 18G, 18H, 18T, 49
• Deletion of default information from credit information file
• Limits on use by credit providers of personal information contained in credit reports

Movement Monitoring Officers in the Torres Strait- IPPs 1, 2, 4 and 11

This matter revolved around the Protected Zone in the Torres Strait and the actions of the Movement Monitoring Officers (MMOs) of the then Department of Immigration and Ethnic Affairs (DIEA), now the Department of Immigration and Multicultural Affairs (DIMA).

The complainant argued that:

• the department had breached the Privacy Actby collecting and recording personal information about every 'allowed inhabitant' who arrives in the Torres Strait Protected Zone;
• the MMOs did not comply with IPP 2 as no information was provided about usual disclosures of personal information collected, particularly to the Island Councils; and
• the information obtained under the pass system was disclosed in breach of IPP 11 as neither the Torres Strait Treaty nor the Migration Act requires or authorises the disclosure to the Councils.

In relation to IPP 1, visitors are advised that their passes are collected and taken to the Island Council Chairperson for endorsement to ensure the visit complies with the free movement provisions under the Treaty. Once the visit has been authorised, MMOs inform the visitors that their passes will be kept by DIMA. The Office concluded that the practice does not breach IPP 1 because the information on the passes is collected for a lawful purpose directly related to DIMA's functions (i.e. regulating movements to and from the Protected Zone) and the collection is directly related to that purpose.

In order to bring its practices into line with IPP 2, DIMA has issued new instructions for MMOs and a guide for the Island Councils. A section on privacy issues, including an IPP 2 notification, will be included in those guidelines. The issue of privacy is also discussed at MMO workshops, which have been held twice a year since 1997, and MMOs are aware of their obligations under the Privacy Act.

DIMA has also revised arrangements in relation to storage and security of personal information (IPP 4) to ensure that personal information is secure, passes through as few hands as possible, and has a central control point.

The complainant alleged that none of the exceptions to IPP 11 applied to the disclosure of personal information by the MMOs to the Island Councils and therefore that those disclosures are in breach of the Privacy Act. DIMA's new instructions for MMOs include a requirement for IPP 2 notification and inclusion of the IPP 2 notification in the MMO guidelines, so that IPP 11.1(a) is now satisfied. The complaint was closed on the basis that the agency had adequately dealt with it.

Use of contractors to verify benefit claims - IPPs 4 and 10

A federal agency released personal information to external researchers to assist them in verifying a claim for benefit. The information included a copy of a psychiatric report. The case raised two issues.

Firstly, IPP 10 allows use of personal information for a new purpose where (among other exceptions not relevant here) the individual's consent has been obtained or where the new purpose is directly related to the original purpose. In relation to the psychiatric report, neither of these exceptions applied and the department agreed it had breached the principle by providing the report to the researchers.

Secondly, IPP 4 provides that an agency in possession or control of personal information must ensure that, if it is necessary for the personal information to be given to a person in connection with the provision of a service to the agency, the agency does everything reasonably within its power to prevent unauthorised use or disclosure of the information. In this case there was no contractual arrangement between the department and the research organisation at the time the information was provided. The Office concluded that a contract with the research organisation, with adequate confidentiality provisions, was a measure reasonably within the power of the agency and that its release of the material was in breach of IPP 4.

A contract was immediately put in place. It stated that researchers must abide by the requirements of the Privacy Act and any policies issued by the Privacy Commissioner relating to the handling of personal information. Details were provided to all state offices, relevant officers in the National Office and the agency's Advocacy Sections. The list of contracted researchers was circulated to assessors and staff were advised that, if researchers are used, a contract must be entered into before they are provided with any personal information. Staff were also given access to the recommended contract clauses.

The investigation was closed on the grounds that the agency had adequately dealt with the complaint.

Disclosure of personal information to treating doctor - IPP 11

The complainant alleged that her personal information was disclosed by a federal government agency without her knowledge and consent in breach of IPP 11. The complainant had ceased employment with the agency in question but was still owed a substantial redundancy payment. As the agency was unable to locate the complainant to arrange payment of these funds, the agency decided to correspond with her treating doctor to ensure the relevant documentation was completed. The agency advised the Office that it unsuccessfully attempted to contact the complainant in writing to make arrangements for the redundancy payment.

The agency claimed that it had prior approval from the complainant to contact her doctor to collect and disclose her personal information. The agency sought to rely on this previous authority to disclose redundancy information to her doctor. The agency claimed that it was confronted with the dilemma of withholding a substantial amount of money from the complainant unless it was able to contact her treating doctor.

The agency acknowledged that it did not obtain the complainant's consent for this particular disclosure of her personal information to her treating doctor. However, there was evidence which indicated that in its dealings with other similar information contained on the complainant's file, the agency had acted in accordance with the Privacy Act. The agency agreed to send the complainant a written apology and an explanation concerning the privacy breach.

Doubtful 'clearout' listing

The complainant made a payment to a credit provider via an Australia Post outlet. The back of the tear-off portion at the bottom of the bill had a space for changes of address. The complainant filled this in and gave the tear-off portion with the cheque to Australia Post. Australia Post processed the payment but had no arrangement with the credit provider to pass on changes of address. Payment slips were delivered in bulk to the credit provider, who stored but did not examine them.

Strictly speaking, the credit provider had not breached the Privacy Act. It had tried to contact her at her last known address without success and had not been able to locate her at her new address, despite reasonable efforts to do so. In these circumstances, it had formed the opinion that the complainant had 'cleared out' of her old address and reported this to the credit reporting agency as a serious credit infringement.

The complaint was resolved by conciliation. The respondent accepted that the complainant had made a good faith effort to inform it of her change of address and agreed to request the removal of the listing from the credit reporting agency's database.

Obtaining access to credit information by false pretences - ss. 18G, 18H, 18T, 49

The complainant alleged that a credit reporting agency wrongfully disclosed credit information to an unauthorised person.

Section 18H of the Privacy Act states that, upon request, a credit reporting agency must take reasonable steps to provide an individual with access to their credit report. Section 18G obliges a credit reporting agency to ensure that a credit report is not disclosed to an unauthorised person.

It appeared that an unauthorised individual, purporting to be the complainant, obtained the latter's credit report from the credit reporting agency by matching the existing identifying details held by the agency. The request appeared genuine and the Office was of the opinion that the credit reporting agency had fulfilled its obligation under section 18G to ensure that the complainant's personal information was 'protected by such security safeguards as are reasonable in the circumstances, against loss, against unauthorised access, use, modification or disclosure, and against other misuse'.

Under section 18T, a person who obtains a copy of an individual's credit report by a false pretence is guilty of an offence and a penalty of $30,000 applies. As it appeared that an offence under this section might have been committed, the matter was referred to the Australian Federal Police (AFP) for investigation as provided under section 49. Subsequently, advice was received from the AFP that in its opinion, although the evidence of a breach of the Privacy Act by a third party appeared strong, the matter was out of time for prosecution under section 15B of the Crimes Act 1914, which provides that prosecution of an offence of this nature must be commenced within one year of the commission of the offence.

The Office consulted with the credit reporting agency as to what other practical security measures could be put in place if an individual puts it on notice that his or her credit information may be the target of unauthorised access.

Deletion of default information from credit information file

The complainant was overdue in relation to a loan repayment. The respondent reported the overdue amount to a credit reporting agency. The complainant subsequently repaid the overdue amount, however the complainant alleged that the respondent failed to notify the credit reporting agency of this fact.

The respondent acknowledged that it had failed to meet its obligations under the Privacy Act and the Credit Reporting Code of Conduct to notify the credit reporting agency when the complainant ceased to be overdue.

The credit provider agreed to apologise to the complainant, paid him $300 and introduced measures to ensure compliance with the requirements of the Privacy Act and the Credit Reporting Code of Conduct.

Limits on use by credit providers of personal information contained in credit reports

The complainant alleged that an employee of the respondent credit provider had unlawfully accessed her credit information file held by a credit reporting agency despite the fact that she had never applied for credit.

The Office contacted the respondent to determine why it had accessed the complainant's credit information file. The respondent confirmed that the complainant had never applied for credit and that the staff member in question had accessed her credit information file contrary to the requirements of the Privacy Act and the Credit Reporting Code of Conduct. The respondent acknowledged that the complainant's privacy had been breached and agreed to resolve the matter by paying the complainant $3000 and providing a written apology.