
Topic(s): Credit and finance | Data security / breach
 

OPC v Banking Institution [2005] PrivCmrA 11



Case Citation: OPC v Banking Institution [2005] PrivCmrA 11

Subject Heading: Automated disclosure of personal information following use of incorrect facsimile number.

Law: Section 40(2) of the Privacy Act 1988 (Cth) and National Privacy Principles 2 and 4 in Schedule 3 of the Privacy Act.

Facts: The banking institution published an internal newsletter advising its staff of a new facsimile number for a particular department within the banking institution. On occasion, staff miskeyed the number when they intended to send customers' personal information to that department. Consequently, the personal information was not received by the department but rather by another organisation, with a similar facsimile number, whose business involved the collection and forwarding of automated information updates to its customers. The organisation did not normally accept facsimiles from unauthorised update providers. However, in at least two instances it received and automatically forwarded the personal information from the banking institution through its computer-generated fax update service to its customers.

Issues: None of the individuals whose information was disclosed brought a complaint before the Commissioner, but the Commissioner decided to commence an own motion investigation under section 40(2) of the Privacy Act on the grounds that this problem had happened before and therefore may point to the existence of a systemic problem.

The Commissioner asked the banking institution why this problem had reoccurred. The banking institution advised that following the first incident the facsimile number had been decommissioned. When the banking institution moved location the number was subsequently returned to the pool of unused numbers and reactivated.

Outcome: To ensure that the problem would not recur, the banking institution stopped using a facsimile-based service, introduced a secure on-line service and permanently decommissioned the fax number. The other organisation also confirmed that it blocked all faxes other than those from designated numbers. Consequently, the Commissioner closed the matter on the grounds that it had been adequately dealt with.

OFFICE OF THE PRIVACY COMMISSIONER June 2005