N v Private Insurer [2004] PrivCmrA 1
Case Citation: N v Private Insurer [2004] PrivCmrA 1
Subject Heading: Unnecessary collection of personal information during claims process and broad privacy collection form
Law: National Privacy Principles 1.1 and 1.3 - collection
Facts: The Private Insurer required the (insured) complainant to sign a form that outlined its policy for the collection and disclosure of information for the purpose of assessing the claim. However, the complainant alleged that the form was too broad, in that it:
- allowed for the collection of personal information from third parties that was not necessary for the determination of the claim;
- allowed for the disclosure of personal information to types of organisations that were not made known to the individual;
- was open-ended, with only one form required to be signed for the collection of information from any and all third parties.
Issues:
Issue One
National Privacy Principle 1.1 requires that "an organisation must not collect personal information unless the information is necessary for one or more of its functions or activities".
The form stated, "I authorise any medical attendant consulted by me or any hospital attended by me, to divulge to [Private Insurer] or any legal tribunal, any health or other information acquired with regard to myself."
Additionally, the Authority for the release of personal information on the form did not limit the scope of the information to be provided by third parties to that which would be relevant to the claim and did not limit the period within which the insurer would collect the information.
The above statements were not limited to personal information which would be relevant to the claim in question, and hence did not comply with National Privacy Principle 1.1.
Issue Two
National Privacy Principle 1.3(d) requires that the individual be made aware of "the organisations (or the types of organisations) to which the organisation usually discloses information of that kind".
The form stated that "I understand that [Private Insurer] may be required to submit all documentation to a Mediator, Solicitor, Complaints Resolution Tribunal or Court or to any other person necessary for claims determination purposes including the Trustees of any Superannuation Plan".
It was questionable whether or not "to any other person necessary for claims determination purposes" adequately identified the type of organisation.
Issue Three
The complainant contended that the Private Insurer should be requesting specific consent forms to be signed by the individual authorising release of their personal information each time the Private Insurer needed to approach a third party to collect personal information. Whilst this approach would make the Private Insurer more accountable in its practices and provide for a more transparent approach to its business, there is no obligation under the National Privacy Principles to adopt this in practice. This is closely related to the "bundled consent" issue that has been raised elsewhere by the Commissioner.
Under the National Privacy Principles, consent is needed to collect personal information where the information is sensitive information (which includes health information). However, consent is not required to collect sensitive information where the collection is "necessary for the establishment, exercise or defence of a legal or equitable claim" (National Privacy Principle 10.1(e)), as reflected in this case.
Outcome:
Issue One: The Private Insurer altered its form to comply with National Privacy Principle 1.1. It now states, "I hereby authorise and direct any medical attendant or other health professional consulted by me or any hospital attended by me, and any of the persons or organisations listed below, to provide to [Private Insurer], any health or other information about me which is necessary to properly assess my entitlement under this Policy or Plan."
The form now also specifies that the authority for the release of personal information is valid only whilst the entitlement to a claim is assessed.
Issue Two: The Private Insurer removed the reference to submitting documentation to a Mediator, Solicitor, Complaints Resolution Tribunal or Court or to any other person necessary for claims determination purposes including the Trustees of any Superannuation Plan. Consent is not needed to make disclosures for primary purposes or secondary purposes where the secondary purpose is related to the primary purpose of collection and the individual would reasonably expect the organisation to disclose the information for that secondary purpose (NPP 2.1(a)). Consent is also not needed where the disclosure is required or authorised by or under law (NPP 2.1(g)).
Issue Three: No remedial action required.
The investigation was closed under s.41(2)(a) of the Privacy Act, on the grounds that the Private Insurer had adequately dealt with the matter.
OFFICE OF THE PRIVACY COMMISSIONER JANUARY 2004


