Case Citation: A v Insurer [2005] PrivCmrA 1

Subject Heading: Denial of access to documents on various grounds, failure to provide reasons for denying access and excessive charges for providing access.

Law:National Privacy Principles 6.1(b), 6.1(c), 6.1(e), 6.4 and 6.7 of the Privacy Act 1988 (Cth).

Facts: The complainant asked an Insurer for copies of all his personal information that it held. After assessing the documents the Insurer quoted an access charge of approximately $600 to cover its costs for retrieving and copying approximately 500 pages of documents. The complainant paid the charge and the Insurer provided the quoted documents, but withheld certain documents. The complainant alleged that the Insurer failed to provide reasons for denying access to the withheld documents.

After a complaint was made to the Commissioner that the Insurer had withheld the documents without reason, the Insurer provided the complainant with reasons for denying access. The Insurer stated that it had failed inadvertently to include its reasons in its initial letter to the complainant. The complainant then alleged that the exemptions the Insurer relied on to deny access were not applicable. The complainant also alleged that the access charge was excessive despite the fact that he had earlier paid the charge.

Issues: National Privacy Principle 6.1 gives an individual a general right to access their personal information held by private sector organisations with some exceptions. These include where providing access: would pose a serious threat to the life or health of any individual (6.1(b)); would have an unreasonable impact upon the privacy of other individuals (6.1(c)); the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings (6.1(e)); and providing access would be unlawful (6.1(g)).

National Privacy Principle 6.1(b) The Insurer sought to deny access to certain medical reports on the grounds that providing access would pose a serious threat to the complainant. The Commissioner examined the documents and formed the view that this was not likely to be the case. This view was confirmed by an external medical consultant appointed by the Commissioner to assess the documents and to provide an opinion about whether providing access would pose a serious threat to the life or health of the complainant in this circumstance. The external medical consultant concluded that, with a relatively high degree of confidence, in the context of 6.1(b), the release of the documents to the complainant would not pose a serious threat to the complainant's health or life. The Commissioner decided, taking into account all the information available, that the exception could not be relied upon to deny access on this basis.

National Privacy Principle 6.1(c) The Insurer argued that because certain documents included opinions and names of third parties that releasing the documents to the complainant would have an unreasonable impact on the privacy of those third parties.

The Commissioner examined the documents in question and concluded that, given the substance of the information, providing the complainant with access to all of the documents would have an unreasonable impact on the privacy of those third parties. However, the Commissioner considered that in one report it would be feasible for the Insurer to delete the relatively small number of references to other individuals because those references were footnotes to the main report. Therefore, the Commissioner concluded that the Insurer could not rely on this exception to deny access to the full report as it could remove references to third parties.

National Privacy Principle 6.1(e) The Insurer sought to deny access to medical reports that it alleged it had obtained from medical professionals in order to obtain legal advice in respect of legal proceedings that it anticipated might be brought by the complainant. Legal proceedings were not underway but the Insurer advised that it anticipated legal proceedings because the complainant had previously pursued a similar matter in court.

The Commissioner accepted that the reports were prepared for the dominant purpose of obtaining legal assistance and for use as expert evidence in connection with legal proceedings and were therefore protected by legal professional privilege. Where documents are protected by legal professional privilege they are not accessible by discovery. The Commissioner also took the view that legal proceedings had been sufficiently prospective to conclude that they could be anticipated at the time.

For the above reasons the Commissioner concluded that the Insurer was entitled to withhold access to certain documents under National Privacy Principle 6.1(e).

National Privacy Principle 6.4 - access charges National Privacy Principle 6.4 says than if an organisation charges for providing access to personal information, those charges must not be excessive and must not apply to lodging a request for access.

The Insurer had sent the complainant an itemised list of the costs involved in processing the access request, which included the projected labour time for locating and collating documents and reviewing the file, labour time for photocopying the documents, postage and copying costs. The Insurer also advised the Commissioner that the actual costs were greater than the projected costs quoted to the complainant. The question for the Commissioner was whether the charges for labour time and photocopying costs were excessive. After considering costs itemised by the Insurer and the overall circumstances of the case, the Commissioner took the view that the fee for access was not excessive in this case.

National Privacy Principle 6.7 - Failure to provide reasons for denial of access National Privacy Principle 6.7 requires that an organisation provide reasons for denial of access to personal information. The Insurer advised that it had failed inadvertently to provide reasons for denying access to certain documents, but subsequently provided the complainant with those reasons after a complaint had been made to the Commissioner.

Outcome:National Privacy Principle 6.1(b) Taking into account the opinion of the external medical consultant, the Commissioner concluded that the Insurer could not rely on National Privacy Principle 6.1(b) to deny the complainant access to certain documents. The Insurer accepted this view and the Commissioner, with the agreement of the Insurer, provided the reports to the complainant. The Commissioner then ceased further investigation of this aspect of the matter under section 41(2)(a) of the Privacy Act on the grounds that the Insurer had adequately dealt with this aspect of the complaint.

National Privacy Principle 6.1(c) The Commissioner's view was that the report in question could be modified to protect the privacy of the third parties. The Insurer agreed to provide access on this basis. The Commissioner sent amended copies of the report (that had been denied on the above grounds) to the complainant and decided subsequently to cease further investigation of this aspect of the matter under section 41(2)(a) of the Privacy Act on the grounds that the Insurer had adequately dealt with this aspect of the complaint.

National Privacy Principle 6.1(e) The Commissioner decided that the Insurer was entitled to rely on National Privacy Principle 6.1(e) in relation to the medical reports it had obtained to assist it in preparation of anticipated legal proceedings. Therefore, the Commissioner decided under section 41(1)(a) of the Privacy Act not to investigate this aspect of the complaint further on the basis that the circumstances described by the complainant did not constitute a breach of the Privacy Act.

National Privacy Principle 6.4 - access charges The Commissioner concluded that the access charge was not excessive and declined to further investigate this matter under section 41(1)(a) of the Privacy Act on the basis that the circumstances described by the complainant did not constitute a breach of the Privacy Act.

National Privacy Principle 6.7 - failure to provide reasons for denying access The Commissioner took the view that the Insurer had breached National Privacy Principle 6.7 by not providing reasons for denying access to certain documents. Given that the Insurer later provided a detailed list of reasons for denying access to the documents, the Commissioner declined to further investigate this matter under section 41(2)(a) of the Privacy Act on the basis that it had adequately dealt with this aspect of the complaint.

OFFICE OF THE PRIVACY COMMISSIONER February 2005