
E v Financial Institution [2003] PrivCmrA 3



Case Citation: E v Financial Institution [2003] PrivCmrA 3

Subject Heading: Adequacy of audit trail in relation to access to personal information

Law: National Privacy Principle 2.1; National Privacy Principle 4.1

Facts

The complainant alleged that in mid 2001 a staff member of the financial institution had accessed personal information about the complainant's investment account and disclosed it to the staff member's family.

The financial institution had an audit function on its computer system that recorded all transactions made on an individual's account but did not record accesses to account information that did not involve a transaction. The financial institution was not, therefore, able to establish whether the staff member had gained access to information about the complainant.

Issues

National Privacy Principle 2.1 provides that an organisation that has collected personal information for a particular purpose may use or disclose it for a secondary purpose only under specified circumstances. The alleged disclosure by the staff member would not have been covered by any of the exceptions to NPP 2.1.

NPP 4.1 requires an organisation to take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification, or disclosure. In this instance, the organisation had a reliable record of any transactions that modified or deleted the information held. However, since the audit trail did not record instances of access to customer information, it could provide only limited assurance that the information was protected from unauthorised access, misuse or disclosure. If an organisation cannot monitor staff access to personal information held in customer accounts, it also runs an increased risk of breaching NPP 2.1.

Outcome

The alleged unauthorised access occurred prior to the introduction of the National Privacy Principles on 21 December 2001. Consequently, by virtue of s.16C(1A), NPP 2.1 did not apply to the organisation at the time of the alleged disclosure. Since the particular disclosure constituted the substance of the complainant's concern, the Commissioner discontinued his investigation under section 41(1)(a) of the Act on the grounds that the financial institution had not breached the NPPs.

While the events at the heart of the complaint occurred before the commencement of the NPPs, the investigation was not finalised until the second half of 2002. From 21 December 2001, NPP 4 had applied to the organisation and to all the personal information it held, whether it was collected before or after 21 December 2001. While making no finding in relation to NPP 4, the Commissioner put the view to the financial institution that, with current information technology, it is feasible to monitor access to personal information held in computer systems and may be reasonable to do so in an environment where sensitive information, such as financial information, can be accessed by many employees throughout an organisation.

The financial institution agreed to establish an enquiry audit trail on the mainframe computer where customer information is stored so that staff accesses to customers' personal information would be recorded regardless of whether a transaction is made on the account. The enhanced audit trail could be used in the investigation of any subsequent alleged disclosure or misuse of personal information.
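The control gap at the centre of this case is the difference between a transaction-only audit trail and an enquiry audit trail that records read-only access. The following Python model is an added example, not code from the case note or from the financial institution: it replays the same constructed staff activity through both kinds of trail, shows that only the enquiry trail can answer "did this staff member look at this account?", and adds a simple detection that flags views with no accompanying transaction. All staff identifiers, account numbers, timestamps and the set of transaction types are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Actions that change an account. The institution's original audit function
# recorded only events of this kind (the set itself is constructed here).
TRANSACTION_ACTIONS = frozenset({"deposit", "withdraw", "transfer", "update_details"})


@dataclass(frozen=True)
class AuditEvent:
    timestamp: datetime
    staff_id: str
    account_id: str
    action: str  # "view" for a read-only enquiry, otherwise a transaction type


class TransactionAuditLog:
    """Models the original audit function: read-only views are silently dropped."""

    def __init__(self) -> None:
        self.events: List[AuditEvent] = []

    def record(self, event: AuditEvent) -> bool:
        """Write the event to the trail; return True if it was kept."""
        if event.action not in TRANSACTION_ACTIONS:
            return False
        self.events.append(event)
        return True

    def accesses_by(self, staff_id: str, account_id: str) -> List[AuditEvent]:
        """Every recorded access by one staff member to one account."""
        return [e for e in self.events
                if e.staff_id == staff_id and e.account_id == account_id]


class EnquiryAuditLog(TransactionAuditLog):
    """Models the enquiry audit trail the institution agreed to: every access is written."""

    def record(self, event: AuditEvent) -> bool:
        self.events.append(event)
        return True


def unexplained_views(log: TransactionAuditLog,
                      window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, str]]:
    """Flag (staff_id, account_id) pairs where a staff member viewed an account
    but made no transaction on it within `window` of that view. This is a review
    aid for investigators; it only yields results on an enquiry trail, because a
    transaction-only trail never contains a view in the first place."""
    views = [e for e in log.events if e.action == "view"]
    txns = [e for e in log.events if e.action in TRANSACTION_ACTIONS]
    flagged: List[Tuple[str, str]] = []
    for v in views:
        explained = any(t.staff_id == v.staff_id and t.account_id == v.account_id
                        and abs(t.timestamp - v.timestamp) <= window for t in txns)
        pair = (v.staff_id, v.account_id)
        if not explained and pair not in flagged:
            flagged.append(pair)
    return flagged


# Constructed sample activity (not taken from the case note): staff member S-102
# views account A-5001 twice without transacting; staff member S-317 views
# A-7002 and then processes a deposit on it a couple of minutes later.
SAMPLE_EVENTS = [
    AuditEvent(datetime(2001, 6, 4, 9, 12), "S-102", "A-5001", "view"),
    AuditEvent(datetime(2001, 6, 4, 9, 14), "S-102", "A-5001", "view"),
    AuditEvent(datetime(2001, 6, 4, 10, 1), "S-317", "A-7002", "view"),
    AuditEvent(datetime(2001, 6, 4, 10, 3), "S-317", "A-7002", "deposit"),
]


def replay(log: TransactionAuditLog, events=SAMPLE_EVENTS) -> TransactionAuditLog:
    """Feed the sample events through a trail and return it for inspection."""
    for e in events:
        log.record(e)
    return log


if __name__ == "__main__":
    old = replay(TransactionAuditLog())
    new = replay(EnquiryAuditLog())
    print("transaction-only trail, S-102 on A-5001:", len(old.accesses_by("S-102", "A-5001")))
    print("enquiry trail, S-102 on A-5001:", len(new.accesses_by("S-102", "A-5001")))
    print("views with no matching transaction:", unexplained_views(new))
```

Against the transaction-only trail the question the complaint raised cannot be answered: the two views by S-102 are never written, so `accesses_by` returns nothing and the investigator cannot distinguish "no access" from "access not logged". The enquiry trail records them and the review helper surfaces the pair, while S-317's view is treated as explained by the deposit that followed it within the window.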


OFFICE OF THE PRIVACY COMMISSIONER MARCH 2003