Topic(s): Internet | Data security / breach
 

R v Internet Service Provider [2005] PrivCmrA 17



Case Citation: R v Internet Service Provider [2005] PrivCmrA 17

Subject Heading: Improper disclosure of personal information and failure to take reasonable steps to protect personal information.

Law: National Privacy Principles 2 and 4.1 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts: The complainant held an account with an Internet Service Provider. The Internet Service Provider reset the password for the account at the request of a third party purporting to be the complainant and without following, in full, its standard procedures. As a consequence, a third party accessed the account.

The complainant raised the matter with the Internet Service Provider alleging that the incident had caused significant personal difficulties for them. The Internet Service Provider disputed any breach of the National Privacy Principles.

Issues:

National Privacy Principle 4

National Privacy Principle 4.1 states that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

In this case, the Internet Service Provider had clear procedures for the processing of a request for a change of password whereby staff were required to ensure that the individual lodging the request correctly answered a series of specific security questions. Additional measures were to be taken where there was the possibility of improper access.

The Privacy Commissioner investigated the allegations and found that whilst the Internet Service Provider did have relevant security procedures in place, these procedures were not correctly or consistently followed. For this reason the Commissioner took the view that the Internet Service Provider failed to take reasonable steps to protect the personal information it held from misuse and loss and from unauthorised access, modification and disclosure as required by National Privacy Principle 4.1.
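The finding above turns on a control that existed on paper but depended on staff carrying it out in full. The following added example (not part of the case note, and not the provider's own system) shows how a reset workflow can make the procedure a hard gate in software: every security question must be asked and answered correctly, an "additional measure" is mandatory whenever a request is flagged as possibly improper, and the default for that measure fails closed. Account names, question prompts and answers are constructed sample values; the function and class names are hypothetical.

```python
"""Added example, not part of the case note: a password-reset gate that
enforces the verification procedure in software. All account names,
questions and answers below are constructed sample values."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class ResetRefused(Exception):
    """Raised whenever any required verification step is skipped or fails."""


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace so the comparison is on the answer itself.
    normalised = " ".join(answer.strip().lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 50_000)


@dataclass
class SecurityQuestion:
    prompt: str
    salt: bytes
    answer_hash: bytes

    @classmethod
    def create(cls, prompt: str, answer: str) -> "SecurityQuestion":
        salt = secrets.token_bytes(16)
        return cls(prompt, salt, _hash_answer(answer, salt))

    def check(self, supplied: str) -> bool:
        return hmac.compare_digest(self.answer_hash, _hash_answer(supplied, self.salt))


@dataclass
class Account:
    username: str
    questions: List[SecurityQuestion]
    audit_log: List[tuple] = field(default_factory=list)


def _fail_closed() -> bool:
    # Default "additional measure": if no out-of-band check was wired in, refuse.
    return False


def process_reset_request(
    account: Account,
    answers: Dict[str, str],
    elevated_risk: bool = False,
    additional_check: Callable[[], bool] = _fail_closed,
) -> bool:
    """Reset is permitted only when every security question was asked and
    answered correctly and, where improper access is possible (elevated_risk),
    the additional measure also succeeds. Partial completion is never enough."""
    required = {q.prompt for q in account.questions}
    not_asked = sorted(required - set(answers))
    if not_asked:
        account.audit_log.append(("refused", "questions_not_asked", len(not_asked)))
        raise ResetRefused("procedure incomplete: not all security questions were asked")

    # Check every question; no short-circuit, so all failures are counted alike.
    failures = sum(0 if q.check(answers[q.prompt]) else 1 for q in account.questions)
    if failures:
        account.audit_log.append(("refused", "incorrect_answer", failures))
        # One generic message: the requester learns nothing about which question failed.
        raise ResetRefused("identity verification failed")

    if elevated_risk and not additional_check():
        account.audit_log.append(("refused", "additional_measure_failed", 1))
        raise ResetRefused("additional verification required")

    account.audit_log.append(("reset_approved", account.username, 0))
    return True


# Constructed sample data (hypothetical account, not from the case).
SAMPLE_ANSWERS = {
    "first_school": "Riverside Primary",
    "pet_name": "Biscuit",
}


def make_sample_account() -> Account:
    questions = [SecurityQuestion.create(p, a) for p, a in SAMPLE_ANSWERS.items()]
    return Account("sample.user", questions)


if __name__ == "__main__":
    acct = make_sample_account()
    print("full procedure:", process_reset_request(acct, SAMPLE_ANSWERS))
    try:
        process_reset_request(make_sample_account(), {"pet_name": "Biscuit"})
    except ResetRefused as exc:
        print("partial procedure:", exc)
```

Two design choices carry the lesson of the case: the audit log records every refusal with its reason, so a pattern of incomplete procedures is visible to the organisation rather than only to the staff member involved, and the "additional measure" is a required callable that defaults to refusing, so an integration that forgets to wire it in cannot silently reset an account flagged as at risk.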

National Privacy Principle 2

National Privacy Principle 2.1 provides that where an organisation collects personal information for one purpose it can only use or disclose it for a secondary purpose in limited circumstances. In particular, National Privacy Principle 2.1 states that the organisation can use or disclose the information for a secondary purpose only if the secondary purpose is related to the primary purpose and the individual concerned would reasonably expect the organisation to use or disclose the information for the secondary purpose, or if the individual has consented to the disclosure [other exceptions apply].

The Commissioner investigated the allegations and reached the view that in resetting the password in the absence of the complainant's consent, the Internet Service Provider had disclosed information:

  • in the complainant's account (which identified the complainant), for a purpose other than the primary purpose of collection; and
  • that was not related to the primary purpose of collection or reasonably expected by the individual concerned.

The Commissioner was also of the view that no other exceptions to National Privacy Principle 2 applied.

Outcome: The Commissioner's view was that in this instance the Internet Service Provider failed to take reasonable steps to protect the complainant's personal information from unauthorised access and disclosure, and improperly disclosed the complainant's personal information to a third party. The Commissioner conciliated the matter, which concluded with a confidential settlement between the parties. The Commissioner then decided under section 41(2)(a) of the Act to cease investigation of the complaint on the grounds that the Internet Service Provider had dealt adequately with the matter.

OFFICE OF THE PRIVACY COMMISSIONER June 2005