Site Changes

On 1 November 2010 the Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner and a new website established at www.oaic.gov.au.

Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.

Types

Topic(s): Data accuracy | Data security / breach

L v Commonwealth Agency [2003] PrivCmrA 10

document icon pdf (69.24 KB)

Case Citation:L v Commonwealth Agency [2003] PrivCmrA 10

Subject Heading: Accuracy, security and disclosure of personal information

Law:Information Privacy Principles 4, 8 and 11

Facts:

The complainant's ex-wife had submitted an application, to an agency, which impacted on the complainant. The application included inaccurate personal information relating to the complainant, including an incorrect mailing address and other facts. The complainant was unaware that his ex-wife had made an application to the agency until approximately one year later, since the agency had been sending information to the complainant at an incorrect mailing address.

The complainant and his ex-wife were also involved in court proceedings. To support her case at these proceedings, the ex-wife used the complainant's personal information, including the amount he owed to the agency, which had previously been disclosed to her by the agency. Further, the agency's letter to the ex-wife containing this information had been addressed only "To Whom It May Concern".

The complainant also raised concerns relating to the security of his personal information held by the agency. The complainant had asked for a password to be used to identify him when contacting the agency. However, on numerous occasions when he called the agency, he was not asked for his password.

Issues:

Information Privacy Principle 8

IPP 8 requires that an agency check the accuracy of the personal information it holds in records and in doing so take into account the purpose for which the personal information will be used. Therefore, the issue for the Commissioner was whether or not the agency's use of the incorrect address and other facts was in breach of IPP 8. The agency's usual process in relation to the type of application submitted by the complainant's ex-wife involved minimal investigation. The agency was unable to indicate whether or not any checks had been made to verify the accuracy of the complainant's mailing address before use. Consequently, the Commissioner found the agency in breach of IPP 8 in respect to the incorrect mailing address.

However, the Commissioner did not find the agency in breach of IPP 8 in respect to the other incorrect facts. By virtue of the agency's legislation it is not required to conduct any inquiries or investigations into matters concerning the eligibility of an application and may act on the basis of the information contained in the application. Therefore, the Commissioner was unable to conclude that there was a breach of IPP 8 in this circumstance, in light of the agency's legislation.

Information Privacy Principle 11

IPP 11 places limits on an agency's ability to disclose personal information to a third party. In this case, the agency was entitled to disclose the complainant's personal information to his ex-wife. As such, the Commissioner did not find the agency in breach of IPP 11. However, the agency admitted the letter should not have been addressed "To Whom It May Concern". The agency provided the complainant's personal information directly to his ex-wife. Even if it had been addressed correctly, this would not have prevented the complainant's ex-wife from presenting it to the court or any other third party.

Information Privacy Principle 4

IPP 4 requires an agency to take reasonable security precautions to ensure that personal information contained in records it holds is protected against loss, unauthorised access, use, modification or disclosure. The complainant had been provided with a password to be used to identify him when contacting the agency. However, its computer systems did not prompt the agency employee receiving the call that a password had been provided to the complainant. Accordingly, the Commissioner found the agency in breach of IPP 4 since it was unable to implement its own security initiatives.

Outcome:

As a result of the investigation, the agency upgraded its computer systems to enable passwords to be used in practice. The front menu screen that an agency employee views when responding to a call from an individual now informs the agency employee that a password has been provided and that it needs to be asked for, before personal information is disclosed to the caller. The agency also paid the complainant $250 compensation for the use of an incorrect mailing address.

The investigation was closed under s.41(2)(a) of the Privacy Act, on the grounds that the agency had adequately dealt with the matter.

OFFICE OF THE PRIVACY COMMISSIONER SEPTEMBER 2003