Topic(s): Data accuracy | Use
 

R v Retailer [2007] PrivCmrA 20


Case Citation: 

R v Retailer [2007] PrivCmrA 20

Subject Heading:

Accuracy and currency of personal information

Law:

National Privacy Principles 2.1, 3 and 4.2 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

The complainant was charged by police with an offence against a retailer but was not convicted.  Subsequently, the complainant's name was placed on a database of individuals suspected of committing offences against the retailer.  The database was a loss prevention database and was intended to record information related to actual or suspected fraudulent activity as a means of protecting the retailer's assets.

The complainant asked for access to the database, then requested that their personal information be removed from the database.  The retailer granted access to the personal information, but refused to remove it from their database.  The complainant considered the inclusion of their personal information inappropriate and complained to the Privacy Commissioner.

Issues:

National Privacy Principle 2.1 provides that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of the collection unless an exception in National Privacy Principle 2.1(a) - (h) applies.

National Privacy Principle 3 provides that an organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

National Privacy Principle 4.2 provides that an organisation must take reasonable steps to destroy or de-identify personal information if it is no longer needed for any purpose under National Privacy Principle 2.

Outcome:

The Privacy Commissioner investigated the matter under section 40(1) of the Privacy Act.

During the course of the investigation it became clear that the complainant's personal information was collected by the retailer well before 2001. 

Although the collection, accuracy, use and disclosure of the complainant's personal information were issues the Commissioner wished to address, this was not possible. Amendments to the Privacy Act affecting the collection of personal information by private sector organisations came into effect on 21 December 2001 and could not be applied retrospectively.

The retailer informed the Commissioner that the database record did exist prior to 21 December 2001, but had not been altered or accessed - aside from granting the complainant access - since its creation.  Consequently, it had not been used or disclosed since 21 December 2001 and this meant that the disclosure and accuracy provisions did not apply after 21 December either.

Nonetheless, the retailer accepted that the passing of time could affect how up-to-date personal information contained in the database was considered.  As part of an update of the retailer's loss prevention system, the retailer was already replacing the existing database system.  The retailer took the additional step of removing the complainant's record from their database records.

Satisfied that the retailer had responded adequately to the complaint, the Commissioner closed the matter under section 41(2)(a) of the Privacy Act.

OFFICE OF THE PRIVACY COMMISSIONER

June 2007