Protecting Information Rights – Advancing Information Policy


Topic(s): Credit and finance | Data security / breach
 

Q v Financial Institution [2006] PrivCmrA 16



Case Citation: 

Q v Financial Institution [2006] PrivCmrA 16

Subject Heading:

Security of personal information

Law:

National Privacy Principle 4.1 in Schedule 3 of the Privacy Act 1988 (Cth).

Facts:

The complainant was the principal cardholder of a credit account with the financial institution. An additional cardholder's name was attached to the credit account, which allowed the additional cardholder to transact on the account and access information about the account.

The complainant requested that the additional cardholder's name and access to the credit account be removed.

On the same day that the complainant requested that the additional cardholder's name be removed from the credit account, an application was received by the financial institution from the additional cardholder requesting that the credit account be linked to internet banking.

The internet banking facility allowed an additional cardholder to view the current transaction history of the credit account. The internet access was approved by the financial institution. When the financial institution terminated the additional cardholder's access to the credit account, their internet access to the account remained active.

Issues:

National Privacy Principle 4.1 requires an organisation to take reasonable steps to protect the personal information it holds from misuse and loss, and from unauthorised access, modification or disclosure. The issue for resolution was whether the financial institution had taken reasonable steps to protect the principal cardholder's account information from unauthorised access or disclosure through the internet banking facility.

The complaint was referred to the financial institution in accordance with the Privacy Commissioner's queue referral policy. Under the Commissioner's queue referral policy, complaints are referred to the respondent organisation with the consent of the complainant to give the respondent another opportunity to consider the matter and possibly resolve the matter directly with the complainant.

Outcome:

The financial institution reconsidered the complaint as requested and resolved the matter directly with the complainant by providing an explanation of the incident, amending its practices and agreed to a payment of compensation.  

The financial institution advised that the credit account was linked to internet banking while the additional cardholder's status was still valid. Because the financial institution did not require the principal cardholder's approval before internet access was granted to an additional cardholder, the linkage request was manually approved and sent to the operations centre of the financial institution for processing. The request to remove the additional cardholder took twenty-four hours to process, so the existence of the internet linkage to the credit account was not apparent until the day after the removal was requested. The financial institution explained that, although the complainant had requested cancellation of the additional cardholder's access, the manual verification process and the twenty-four hour processing period meant that the internet linkage was neither detected nor actioned when the cardholder status was removed.

The financial institution advised that the process for verifying and allowing access to credit accounts via internet banking had subsequently been completely automated so that when access is removed or the account is closed, the corresponding internet linkage is also amended or removed.  
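The failure described above is a general one: an entitlement (cardholder status) and an access path that depends on it (the internet-banking linkage) were tracked separately, so removing the entitlement left the access path alive. The following Python model is an added example and is not the institution's system or code from the case note; the account structure, the request queue and the customer identifiers are constructed for illustration. It replays the case timeline twice, once with the original non-cascading removal and once with the corrected cascading removal, and adds a reconciliation check that flags any linkage whose holder is no longer a cardholder, which would catch an orphaned linkage however the requests were ordered.

```python
"""Entitlement reconciliation for a credit account with an internet-banking linkage.

Hypothetical model (not the institution's system): cardholder status and the
internet-banking linkage are tracked as separate sets, as the case note describes.
"""
from dataclasses import dataclass, field


@dataclass
class CreditAccount:
    account_id: str
    principal: str
    # customers entitled to transact on and view the account
    additional_cardholders: set = field(default_factory=set)
    # customers whose internet-banking profile is linked to this account
    internet_linkages: set = field(default_factory=set)

    def is_cardholder(self, customer: str) -> bool:
        return customer == self.principal or customer in self.additional_cardholders


def approve_internet_linkage(account: CreditAccount, customer: str) -> bool:
    """Link a customer's internet banking to the account.

    Mirrors the original process: the request is checked only against the
    customer's cardholder status at approval time, and the principal is not
    asked to consent. Returns False if the customer is not a cardholder.
    """
    if not account.is_cardholder(customer):
        return False
    account.internet_linkages.add(customer)
    return True


def remove_additional_cardholder_no_cascade(account: CreditAccount, customer: str) -> None:
    """The defective process: cardholder status is removed, the linkage is not."""
    account.additional_cardholders.discard(customer)


def remove_additional_cardholder(account: CreditAccount, customer: str) -> None:
    """The corrected process: removing the entitlement also removes every
    dependent access path, here the internet-banking linkage."""
    account.additional_cardholders.discard(customer)
    account.internet_linkages.discard(customer)


def orphaned_linkages(account: CreditAccount) -> set:
    """Reconciliation check: linkages held by customers who are no longer
    cardholders. A non-empty result is a live unauthorised-access path."""
    return {c for c in account.internet_linkages if not account.is_cardholder(c)}


def replay(queue, cascade: bool) -> CreditAccount:
    """Process a queue of (action, customer) requests in processing order
    against a fresh account, using the defective or the corrected removal."""
    # Constructed account: principal "P" with one additional cardholder "A".
    account = CreditAccount("CC-0001", principal="P", additional_cardholders={"A"})
    remove = remove_additional_cardholder if cascade else remove_additional_cardholder_no_cascade
    for action, customer in queue:
        if action == "link_internet":
            approve_internet_linkage(account, customer)
        elif action == "remove_cardholder":
            remove(account, customer)
        else:
            raise ValueError(f"unknown action {action!r}")
    return account


# Constructed timeline reproducing the case: the linkage request arrived the same
# day as the removal request and was approved while "A" was still a cardholder;
# the removal was only processed twenty-four hours later, so it runs second.
CASE_QUEUE = [
    ("link_internet", "A"),
    ("remove_cardholder", "A"),
]

if __name__ == "__main__":
    before = replay(CASE_QUEUE, cascade=False)
    print("orphaned linkages, original process:", orphaned_linkages(before))
    after = replay(CASE_QUEUE, cascade=True)
    print("orphaned linkages, corrected process:", orphaned_linkages(after))
```

The cascading removal is the fix the institution adopted; the `orphaned_linkages` check is a separate, periodic control that does not depend on every removal path being wired correctly and is worth running wherever an access path is provisioned from a status that can later be revoked.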

The complainant claimed that they had suffered psychological harm as a result of their credit card transactions being available to the additional cardholder and requested compensation.  The complainant and financial institution resolved the matter, which concluded with a confidential settlement between the parties. The Commissioner then closed the complaint under section 41(2)(a) of the Privacy Act on the grounds that the financial institution had adequately dealt with the complaint. 

OFFICE OF THE PRIVACY COMMISSIONER June 2006