
Topic(s): Data security / breach
 

I v Insurance Company [2007] PrivCmrA 11



Case Citation: 

I v Insurance Company [2007] PrivCmrA 11

Subject Heading:

Unauthorised access and use of personal information

Law:

National Privacy Principle 4 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

The complainant and their then spouse held a joint account with an insurance company.  Following the complainant's divorce, the complainant sought to have their name removed from the joint account. 

This removal did not happen, which allowed the complainant's former spouse access to information including the complainant's new home address.  The complainant submitted a complaint to the Privacy Commissioner.  

Issues:

National Privacy Principle 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Outcome:

The Privacy Commissioner investigated the complaint under section 40(1) of the Privacy Act 1988 (Cth).

The insurer conducted an internal search and found that although a new membership was set up for the complainant at their request, the existing computer system allowed a hidden link to still exist between the new membership and the former joint membership. The insurer stated that this was a symptom of an 'archaic' computer system.

The Commissioner formed the view that by failing to fully upgrade their computer system to eliminate inappropriately linked files, the insurer had failed to take reasonable steps to properly protect the complainant's personal information. This meant that the insurer had breached National Privacy Principle 4.1.

The insurer apologised, took steps to rectify their system, offered a substantial sum of compensation and provided the complainant with three years' worth of free services. Satisfied that the insurer had adequately dealt with the complaint and that the complainant had accepted the offer, the Commissioner closed the matter under section 41(2)(a) of the Privacy Act.

OFFICE OF THE PRIVACY COMMISSIONER

June 2007