Case Citation: 

X v Transport Company [2007] PrivCmrA 26

Subject Heading:

Inadequate protection and improper disclosure of personal information

Law:

National Privacy Principles 2.1, 4.1 in Schedule 3 of the Privacy Act 1988 (Cth)

Section 6 of the Privacy Act

Facts:

The complainant was employed by a recruitment agency that supplied contract labour hire to a transport company.  The complainant was subsequently contracted to work for that transport company.  Permanent positions became available with the transport company, and as part of the application the complainant was required to undertake a medical assessment.  The complainant did not pass the medical assessment, but was told this would not prevent permanent employment.

It became generally known amongst the employees of the transport company that an applicant had not passed their medical assessment.  Some believed that the person who had not passed the medical assessment was the complainant.

The complainant alleged that the transport company failed to secure the results of their medical assessment and that when questioned about the results of the medical assessment, a manager had disclosed to the employees that one employee had failed their medical assessment.

Issues:

National Privacy Principle 2.1 provides that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection, unless an exception in National Privacy Principle 2.1(a)-(h) applies.

National Privacy Principle 4.1 requires that an organisation take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Section 6 of the Privacy Act defines personal information as ''information or an opinion ... about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.' 

Outcome:

The Privacy Commissioner investigated the matter under section 40(1) of the Privacy Act.

It was found that the transport company advised the employees that someone had failed the medical assessment.  However, the company did not disclose who had failed the assessment, or for what reasons.  In this circumstance, the Commissioner needed to determine whether the transport company disclosed personal information as defined in section 6. 

For the identity of an individual to be reasonably ascertained from information there must be some likelihood that other individuals are in a position to identify the person who is the subject of the information.  It is not sufficient that those individuals might identify the subject of the information. 

In this case, the Commissioner was not satisfied that the information disclosed by the transport company was sufficient to make it likely that the workers could identify the complainant as the individual who had not passed the medical assessment.  On the balance of probabilities, the Commissioner was satisfied that the transport company did not breach National Privacy Principle 2.1 as personal information was not disclosed.

The complainant and the transport company provided contradictory accounts of events.  The Commissioner noted these accounts and also considered the processes the transport company had in place for securing personal information.  Given there was no evidence before the Commissioner other than the complainant's allegations to add strength to the complainant's claims, the Commissioner found that she was unable to determine whether the transport company had complied with National Privacy Principle 4.1.  

As no interference with privacy had occurred, the Commissioner decided not to investigate the matter further under section 41(1)(a) of the Privacy Act.  However, the Commissioner also advised the transport company to adopt additional security measures to minimise the possibility that any such incidents may occur in the future. 

OFFICE OF THE PRIVACY COMMISSIONERDecember 2007