- Advice Summaries
- Case Notes
- Codes of Conduct
- Compliance Notes
- Fact Sheets
L v Commonwealth Agency  PrivCmrA 10
Case Citation:L v Commonwealth Agency  PrivCmrA 10
Subject Heading: Accuracy, security and disclosure of personal information
The complainant's ex-wife had submitted an application, to an agency, which impacted on the complainant. The application included inaccurate personal information relating to the complainant, including an incorrect mailing address and other facts. The complainant was unaware that his ex-wife had made an application to the agency until approximately one year later, since the agency had been sending information to the complainant at an incorrect mailing address.
The complainant and his ex-wife were also involved in court proceedings. To support her case at these proceedings, the ex-wife used the complainant's personal information, including the amount he owed to the agency, which had previously been disclosed to her by the agency. Further, the agency's letter to the ex-wife containing this information had been addressed only "To Whom It May Concern".
The complainant also raised concerns relating to the security of his personal information held by the agency. The complainant had asked for a password to be used to identify him when contacting the agency. However, on numerous occasions when he called the agency, he was not asked for his password.
IPP 8 requires that an agency check the accuracy of the personal information it holds in records and in doing so take into account the purpose for which the personal information will be used. Therefore, the issue for the Commissioner was whether or not the agency's use of the incorrect address and other facts was in breach of IPP 8. The agency's usual process in relation to the type of application submitted by the complainant's ex-wife involved minimal investigation. The agency was unable to indicate whether or not any checks had been made to verify the accuracy of the complainant's mailing address before use. Consequently, the Commissioner found the agency in breach of IPP 8 in respect to the incorrect mailing address.
However, the Commissioner did not find the agency in breach of IPP 8 in respect to the other incorrect facts. By virtue of the agency's legislation it is not required to conduct any inquiries or investigations into matters concerning the eligibility of an application and may act on the basis of the information contained in the application. Therefore, the Commissioner was unable to conclude that there was a breach of IPP 8 in this circumstance, in light of the agency's legislation.
IPP 11 places limits on an agency's ability to disclose personal information to a third party. In this case, the agency was entitled to disclose the complainant's personal information to his ex-wife. As such, the Commissioner did not find the agency in breach of IPP 11. However, the agency admitted the letter should not have been addressed "To Whom It May Concern". The agency provided the complainant's personal information directly to his ex-wife. Even if it had been addressed correctly, this would not have prevented the complainant's ex-wife from presenting it to the court or any other third party.
IPP 4 requires an agency to take reasonable security precautions to ensure that personal information contained in records it holds is protected against loss, unauthorised access, use, modification or disclosure. The complainant had been provided with a password to be used to identify him when contacting the agency. However, its computer systems did not prompt the agency employee receiving the call that a password had been provided to the complainant. Accordingly, the Commissioner found the agency in breach of IPP 4 since it was unable to implement its own security initiatives.
As a result of the investigation, the agency upgraded its computer systems to enable passwords to be used in practice. The front menu screen that an agency employee views when responding to a call from an individual now informs the agency employee that a password has been provided and that it needs to be asked for, before personal information is disclosed to the caller. The agency also paid the complainant $250 compensation for the use of an incorrect mailing address.
The investigation was closed under s.41(2)(a) of the Privacy Act, on the grounds that the agency had adequately dealt with the matter.
OFFICE OF THE PRIVACY COMMISSIONER SEPTEMBER 2003