B v Private Health Insurer [2002] PrivCmrA 2


Case Citation: B v Private Health Insurer [2002] PrivCmrA 2

Subject Heading: Disclosure of personal information in a sample "Membership Arrears Payment Notice" provided to employers.

Law: National Privacy Principle 2.1 - disclosure

Facts

Sensitive information had been collected from the complainant in his capacity as a member of the health insurance fund. The information was sensitive information because it related specifically to the complainant's medical status.

The respondent included the information on a form that was sent to a large number of employers as an example of the form an employee would receive if they fell into arrears with their contributions.

Issues

NPP 2.1 provides that personal information collected for one purpose may only be used or disclosed for another purpose if one of a number of exceptions applies. The only exceptions that could apply in this case are paragraphs 2.1(a) and 2.1(b).

NPP 2.1(a) provides that an organisation may disclose sensitive information for a secondary purpose if the secondary purpose is directly related to the primary purpose of collection and the individual would reasonably expect the organisation to disclose the information for the secondary purpose. While it could be argued that the purpose for the disclosure was directly related to the primary purpose of collection, this Office held that an individual would not reasonably expect his or her information to be disclosed in the way the complainant's was.

NPP 2.1(b) provides that an organisation may disclose personal information, including sensitive information, for a secondary purpose if the individual has consented to the disclosure. In this case the complainant had not consented to the disclosure.

The respondent appeared to have breached NPP 2.1.

NPP 4 covers data security and provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. The incident that gave rise to the complaint did not involve a security breach in the sense of a deliberately unauthorised disclosure. On the other hand, it was clear that the respondent did not effectively protect the complainant's sensitive information from unauthorised access. It is arguable that the incident involved a breach of NPP 4 as well as a breach of NPP 2.1.

NPP 10 covers the collection of personal information and provides that, with some exceptions, sensitive information must be collected with the consent of the individual. In this case the information had been collected directly from the complainant, with his consent, so there was no breach of NPP 10.

Outcome

The breach occurred when the complainant's 'Membership Arrears Payment Notice', which had been examined for quality assurance purposes, was mistakenly attached to a large number of letters to employers instead of the usual sample notice, which contains only dummy information.

The respondent revised and strengthened its checking procedures to reduce the risk of recurrence, as well as providing further training to its staff.

The respondent advised all the companies that had received the information to destroy the relevant correspondence.

The respondent took disciplinary action in relation to the staff member who had disclosed the information and reminded all staff that breaching customers' privacy may have disciplinary consequences.

The complainant was satisfied that these measures addressed his concerns. The investigation was closed under s.41(2)(a) of the Privacy Act, on the grounds that the respondent had adequately dealt with the matter.

 

OFFICE OF THE PRIVACY COMMISSIONER DECEMBER 2002