
Topic(s): Internet | Data security / breach
 

N v Internet Service Provider [2004] PrivCmrA 10



Case Citation: N v Internet Service Provider [2004] PrivCmrA 10

Subject Heading: Disclosure of personal information as a result of failure to provide adequate security over personal information / declined to investigate on the basis that complainant did not complain to the respondent before making the complaint to the Commissioner.

Law: National Privacy Principle 2; National Privacy Principle 4; section 40(1A) of the Privacy Act 1988 (Cth)

Facts: The complainant separated from his wife and shortly afterwards left Australia to deal with business commitments overseas. He alleged that while he was out of the country his estranged wife contacted his internet service provider and accessed his internet account.

The complainant had recently changed the password on the account to ensure that unauthorised individuals would not be able to have access. Although the account was protected by a password, the complainant alleged that his estranged wife was able, after several attempts, to obtain access to his account and the details on the account, for example about credit cards, were changed.

The complainant alleged that this meant: his account information was available to his estranged wife and her partner; he was denied access to personal and business emails; and that the email account was used to send defamatory messages.

The complainant had not advised that he had written to the internet service provider about the issue(s) he had raised or why it would not be appropriate for him to do so.

Issues: National Privacy Principle 2 provides that an organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless one or more of certain exceptions apply.

National Privacy Principle 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

The complaint focused upon whether the internet service provider had taken reasonable steps to provide protection over the personal information it held and if it had improperly disclosed the complainant's personal information.

Outcome: Section 40(1A) of the Act does not allow the Commissioner to investigate a complaint if the complainant did not complain to the respondent before making the complaint to the Commissioner under section 36. However, the Commissioner may decide to investigate the complaint if he or she considers that it was not appropriate for the complainant to complain to the respondent.

The Commissioner also has a discretion under section 41(2)(b) of the Act not to investigate a complaint that has been made to the respondent if it has not had an adequate opportunity to deal with the complaint. The Commissioner takes the view that it is reasonable to allow a respondent a period of thirty days within which to deal with the complaint.

In this case the Commissioner declined to investigate the complaint under section 40(1A) of the Act. The complainant was advised to complain directly to the internet service provider in the first instance and if the organisation had not responded within thirty days the Commissioner would be pleased to reconsider the complaint.

To date, the complainant has not returned this matter to the Commissioner for reconsideration; this suggests that the complaint was resolved directly with the internet service provider.

OFFICE OF THE PRIVACY COMMISSIONER June 2004