Case Citation: 

U v Banking Institution [2006] PrivCmrA 20

Subject Heading:

Requirement to take reasonable steps to update and secure personal information.

Law:

National Privacy Principles 3 and 4.1 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

The complainant and their spouse entered into a loan with the respondent, a banking institution. As part of the arrangement to repay the loan they asked to receive separate statements concerning the account. Later, while the loan was still current, the couple moved house.  The respondent sent a statement to the complainant''s spouse at the new address, and a statement to the complainant at their previous address. The complainant contacted the respondent and requested that it update its records to delete the previous address from their records. The complainant believed that the respondent had actioned this request.

Later another statement addressed to the complainant was sent by the respondent to the previous address. At the same time a statement addressed to the complainant''s spouse was sent to the new address. On several occasions both the complainant and their spouse telephoned the respondent requesting that the complainant''s address be updated.

Some months later the respondent sent default notices relating to the loan to the complainant''s previous address. Visible through the transparent plastic window of the envelope was the word ''default''. 

The complainant made a complaint to the respondent regarding the mail being incorrectly addressed, claiming they had suffered embarrassment as a result of the word ''default'' being visible to third parties.  The respondent acknowledged that the complainant and their spouse had been in contact with the respondent several times in an attempt to update the complainant''s address. However, the respondent could not explain why the address had not been updated. The respondent gave a verbal apology and later sent a written apology to the complainant. The complainant wrote to the Privacy Commissioner dissatisfied with the handling of their complaint.   

Issues:

National Privacy Principle 3 provides that an organisation must take reasonable steps to make sure that the personal information it collects uses or discloses is accurate, complete and up-to-date. 

The first issue for the Commissioner to consider was whether the respondent had taken reasonable steps to ensure that the address details of the complainant were accurate, complete and up-to-date. 

National Privacy Principle 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse, loss, unauthorised access, modification or disclosure. 

The second issue for the Commissioner to consider was whether the respondent had taken reasonable steps to protect the complainant''s personal information.

Outcome:

The Commissioner investigated the complaint under section 40(1) of the Privacy Act.  

In relation to the first issue, the respondent''s electronic records revealed that the request for the complainant''s change of address was recorded in the narrative associated with the loan account. However, it appeared that the request was not actioned. The Commissioner could not be certain why this was not actioned, but believed it to be the result of human error. Given the repeated requests made by the complainant, and subsequently by the complainant''s spouse on behalf of the complainant, for the complainant''s address to be updated, the Commissioner formed the view that the respondent had breached National Privacy Principle 3.

In relation to the second issue, the Commissioner accepted the respondent''s assertion that its external mailing house had incorrectly folded the default letter, resulting in the word ''default'' being visible through the envelope window. The respondent advised that it had contacted the mailing house to prevent this error from recurring. The Commissioner was satisfied that the error was an isolated one and that the steps taken by the respondent to ensure the security of personal information were reasonable in the circumstances. The Commissioner formed the view that the respondent had not breached National Privacy Principle 4.1.

The complainant sought compensation for administrative costs and other expenses associated with the complaint. The respondent agreed to pay an amount in full and final settlement of the complaint, which the complainant accepted.  The Commissioner closed the complaint under section 41(2)(a) of the Privacy Act, on the grounds that the respondent had adequately dealt with the complaint.  

OFFICE OF THE PRIVACY COMMISSIONER August 2006