N v Utility Provider [2006] PrivCmrA 13
Case Citation:
N v Utility Provider [2006] PrivCmrA 13
Subject Heading:
Security of personal information.
Law:
Section 8(1)(a), National Privacy Principle 2.1, National Privacy Principle 4 in Schedule 3 of the Privacy Act 1988 (Cth).
Facts:
The complainant alleged that a utility provider improperly disclosed and failed to secure their personal information against unauthorised access and disclosure.
Specifically, the complainant alleged that their ex-partner, an employee of the utility provider, improperly accessed their accounts in order to ascertain information about their assets. The complainant alleged that once the ex-partner had obtained this information it was improperly disclosed to a third party. The complainant further alleged that the utility provider advised that it could not ascertain whether the ex-partner had improperly accessed the account because it did not keep an audit trail recording staff access to customer records.
Issues:
Section 8(1)(a) of the Privacy Act provides that an act done or a practice engaged in by a person employed by an organisation in the performance of their duties of employment shall be treated as having been done or engaged in by the organisation.
National Privacy Principle 2.1 provides that where an organisation collects personal information for one purpose, it may only use or disclose it for a new purpose in limited circumstances.
National Privacy Principle 4.1 requires that an organisation must take reasonable steps to protect personal information from misuse and loss, and from unauthorised access, modification or disclosure.
The Privacy Commissioner conducted an investigation into this matter under section 40 of the Privacy Act. The first issue for the Commissioner was whether the utility provider's employee had improperly accessed and disclosed the complainant's personal information held in the utility provider's customer records. The second issue was whether, given that the utility provider did not have the capacity to track access to its records, it had failed to take reasonable steps to protect the complainant's personal information.
Outcome:
In responding to the Commissioner's investigation, the utility provider interviewed its employee, who was the complainant's ex-partner. It could not find evidence that the ex-partner had improperly disclosed the complainant's personal information. It also suggested that the information could have come from other sources. However, the utility provider also confirmed that it did not have an audit trail in place and therefore could not say definitively that the improper access had not occurred.
The complainant was unable to provide any substantive evidence to support the allegation that their information had been inappropriately disclosed by the utility provider.
Taking account of all of the circumstances, the Commissioner decided that it was not possible to say definitively whether the complainant's ex-partner had improperly disclosed the information.
The Commissioner declined to deal further with the matter relating to the alleged disclosure under section 41(1)(a) on the grounds that there was insufficient evidence to conclude that the utility provider had breached the Privacy Act.
In response to the security issue, the utility provider initially expressed the view that it had taken reasonable steps to protect the personal information in its customer records against misuse and loss, or from unauthorised access, modification or disclosure. It advised that it complied with the relevant Australian Standard and with its own procedures to ensure the security of personal information. It did note that it had commenced planning to replace its billing system with a new system that would be likely to include an audit trail as a mandatory requirement.
In coming to a view about whether the steps taken to protect personal information were reasonable in the circumstances, the Commissioner noted that the utility provider held personal information about a large number of individuals and that the type of information required to establish accounts was extensive. The Commissioner's view was that this information should be afforded a high level of protection, especially given the possible serious consequences for customers if it were accessed without authorisation.
Notwithstanding the utility provider's intention to incorporate an audit trail into its new billing system in future, the Commissioner maintained the view that the absence, in a large automated billing system, of an audit trail capable of identifying who had accessed customer accounts meant that the utility provider had not taken adequate steps to protect the complainant's personal information against misuse and loss, and from unauthorised access, modification or disclosure.
In response to the Commissioner's view on the security issue, the utility provider agreed to implement a password security system as an interim solution. This solution was aimed at limiting the complainant's ex-partner's access to the complainant's account information. The system would operate so that whenever the complainant rang to action their account, the utility provider representative would be prompted by an on-screen message advising them to notify a team leader or another authorised person who held the password to the complainant's account. This proposal was put to the complainant and, in the absence of further comments, the Commissioner closed this aspect of the complaint under section 41(2)(a) of the Privacy Act on the grounds that it had been adequately dealt with by the utility provider.
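The security finding in this case turns on two controls: the audit trail the provider did not have, and the flag-and-escalate prompt it agreed to as an interim measure. As an added illustration, not part of the case note and not the utility provider's system, the Python below sketches the minimum a staff-access trail needs in order to answer the question the provider could not ("did this employee access this account?"): who, which account, when, with what justification, and a hash chain so the record itself cannot be quietly edited after the fact. It also models the restricted-account prompt as an access decision that is itself logged. All staff and account identifiers, roles and timestamps are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # back-link of the first entry in an empty trail


class StaffAccessAudit:
    """Append-only, hash-chained record of staff access to customer accounts.

    Hypothetical design for illustration only: the case note says the
    provider kept no audit trail; this shows the minimum one needs so that
    "did staff member X access account Y, and why?" can be answered later.
    """

    def __init__(self):
        self._entries = []      # dicts, oldest first
        self._restricted = {}   # account_id -> role allowed to open it directly

    # Interim control from the case: flag an account so a front-line operator
    # is told to escalate to an authorised person rather than opening it.
    def restrict(self, account_id, authorised_role="team_leader"):
        self._restricted[account_id] = authorised_role

    def check(self, account_id, staff_role):
        """Return 'allow' or 'escalate:<role>' for an attempted access."""
        needed = self._restricted.get(account_id)
        if needed is None or staff_role == needed:
            return "allow"
        return f"escalate:{needed}"

    def record(self, staff_id, staff_role, account_id, action, reason, ts=None):
        """Log an access attempt (allowed or escalated) and return the entry."""
        ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
        entry = {
            "ts": ts,
            "staff_id": staff_id,
            "account_id": account_id,
            "action": action,
            "reason": reason,
            "decision": self.check(account_id, staff_role),
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        # Chain each entry to its predecessor so that deleting or editing an
        # earlier record breaks the chain and is detectable by verify().
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()
        ).hexdigest()
        self._entries.append(entry)
        return entry

    def accesses(self, staff_id=None, account_id=None):
        """Filter the trail by staff member and/or account (either optional)."""
        return [
            e for e in self._entries
            if (staff_id is None or e["staff_id"] == staff_id)
            and (account_id is None or e["account_id"] == account_id)
        ]

    def unjustified(self):
        """Allowed accesses with no reason or ticket recorded, for review."""
        return [e for e in self._entries
                if e["decision"] == "allow" and not e["reason"].strip()]

    def verify(self):
        """True if every entry's hash and back-link are intact."""
        prev = GENESIS
        for e in self._entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev_hash"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo():
    """Constructed scenario loosely mirroring the case; all IDs are made up."""
    audit = StaffAccessAudit()
    audit.record("emp-4471", "csr", "acct-9002", "view", "ticket 18822",
                 ts="2006-03-01T09:12:00+00:00")
    # The same operator looks up another account with no business reason recorded.
    audit.record("emp-4471", "csr", "acct-5517", "view", "",
                 ts="2006-03-02T17:45:00+00:00")
    # After the complaint the account is flagged; a later attempt is escalated.
    audit.restrict("acct-5517", "team_leader")
    audit.record("emp-4471", "csr", "acct-5517", "view", "",
                 ts="2006-03-10T10:02:00+00:00")
    audit.record("emp-0108", "team_leader", "acct-5517", "update",
                 "customer call 2006-03-10", ts="2006-03-10T10:05:00+00:00")
    return audit


if __name__ == "__main__":
    trail = demo()
    for e in trail.accesses(staff_id="emp-4471", account_id="acct-5517"):
        print(e["ts"], e["decision"], repr(e["reason"]))
    print("chain intact:", trail.verify())
```

The point of the hash chain is that an investigator can trust the trail's negative answers as well as its positive ones: with it, "no record of access" means something; without it, as the case shows, the provider could neither confirm nor rule out the alleged access. The `unjustified()` query is the kind of routine review a large customer-records system would run so that lookups with no ticket or call reference are questioned before a complaint arrives.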