Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site; consequently, some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Y v Ticketing Company [2007] PrivCmrA 27
Case Citation:
Y v Ticketing Company [2007] PrivCmrA 27
Subject Heading:
Security of personal credit card information
Law:
National Privacy Principle 4.1 in Schedule 3 of the Privacy Act 1988 (Cth)
Facts:
The complainant purchased tickets to an event through the ticketing company using a credit card. The complainant was concerned that the ticketing receipt displayed their full credit card details, including their name, full credit card number, type of card and expiry date.
The complainant felt that this compromised the security of their information as any person gaining custody of this receipt would subsequently be provided with sufficient information to complete a credit card transaction charged to their credit card account.
Issues:
National Privacy Principle 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
Outcome:
The Privacy Commissioner opened an investigation into the matter under section 40(1) of the Privacy Act. The ticketing company stated that the information was for purposes of identification and to minimise the incidence of fraud. It held that this is a common practice across a number of industries.
The ticketing company also informed the Commissioner that it used a merchant EFTPOS facility provided by a banking institution and it was this facility that printed full credit card details on the receipt.
The Commissioner reached the view that the ticketing company had not interfered with the privacy of the individual as it appeared that the company was fulfilling its obligations under National Privacy Principle 4.1 by providing customer credit receipts directly to the credit card holder only, and that steps were taken to secure the merchant copy of the receipt held by the ticketing company.
The Commissioner reached the view that the primary responsibility for the printed content of the receipt from the merchant EFTPOS facility itself rests with the merchant EFTPOS facility provider, which was, in this instance, a banking institution.
The Commissioner decided not to investigate the matter further under section 41(1)(a) of the Privacy Act as she was satisfied that there was no interference with the privacy of the individual.
OFFICE OF THE PRIVACY COMMISSIONER
December 2007


