Protecting Information Rights – Advancing Information Policy

Phone iconCONTACT US: 1300 363 992
 
We're now a part of the Office of the Information Commissioner. Go to www.oaic.gov.au to find out more.

Site Changes

Types

Topic(s): Data security / breach | Disclosure
 

M v Commonwealth Agency [2008] PrivCmrA 13

document icon pdf (22.36 KB)


Case Citation:

M v Commonwealth Agency [2008] PrivCmrA 13

Subject Heading:

Unauthorised access and improper disclosure of personal information.

Law:

Information Privacy Principles 4 and 11 in Part III Division 2 of the Privacy Act 1988 (Cth).

Facts:

During ongoing communications with the agency, the complainant began to suspect that an employee of the agency might be improperly disclosing their personal information to unauthorised third parties. The complainant raised their concerns with the respondent agency on several occasions, however the complainant felt that the agency had disregarded them.

Later, the complainant advised the agency that they were planning to start a retail business. A short time later, a friend invited the complainant to a party and whilst there, inquired if the complainant was planning to start a business. The complainant believed that their friend was working for the respondent agency at that time.

The complainant felt that the respondent agency had not taken adequate steps to protect their personal information from unauthorised access or disclosure, and made a complaint to the Privacy Commissioner.

Issues:

Information Privacy Principle 4(a) obliges an agency to protect the personal information it holds in a record with such security safeguards as are reasonable in the circumstances to protect against loss, unauthorised access, use, modification or disclosure and against other misuse.

Information Privacy Principle 11 prohibits an agency from disclosing personal information to third parties unless certain circumstances exist, such as where an individual has consented to the disclosure or where the disclosure is required or authorised under law.

Outcome:

The Commissioner conducted preliminary enquiries into the matter under section 42 of the Privacy Act in order to establish whether to investigate the matter.

The respondent agency examined its records and advised the Commissioner that the only information recorded about the complainant''s intention to start a retail business was recorded a year after the complainant had alleged the information was disclosed.

Furthermore, the employee of the agency that the complainant alleged had inappropriately accessed and then disclosed their personal information had resigned from the agency the previous year.

The agency also had in place audit trails for the records it held. It examined the audit trail relating to the personal information it held about the complainant and advised the Commissioner there was no indication that the complainant''s friend, or any other employee of the agency, had accessed the complainant''s record inappropriately.

The complainant was unable to provide further information that demonstrated that the respondent agency had held in a record information about the complainant''s intention to start a retail business, at or around the time of the alleged disclosure. Neither was the complainant able to substantiate their claim that an employee of the agency had accessed their personal information inappropriately.

In the absence of any evidence to the contrary, the Commissioner considered that it was unlikely that the source of the alleged disclosures was the personal information that the agency held about the complainant.

The Commissioner decided not to investigate the matter further under section 41(1)(a) of the Privacy Act as she was satisfied that there was no interference with the privacy of the individual.

OFFICE OF THE PRIVACY COMMISSIONER

June 2008