Case Citation:

Own Motion Investigation v Bankruptcy Trustee Firm [2007]PrivCmrA 5

Subject Heading:

Inadequate protection and improper disclosure of personal information.

Law:

Sections 6(1) and 16B and National Privacy Principles 2.1(a) and 4.1 in Schedule 3 of the Privacy Act 1988 (Cth).

Facts:

A member of the public advised the Privacy Commissioner that a bankruptcy trustee firm was publishing on its website a wide range of personal information belonging to the bankrupts whose estates the firm was administering.  The Commissioner reviewed the website and confirmed that a range of bankruptcy information about individuals was viewable on the trustee firm's website including financial details and the trustee firm's opinion regarding whether individuals had breached the requirements of the Bankruptcy Act.

Issues:

The Commissioner conducted an ''own motion investigation' under section 40(2) of the Privacy Act which allows the Commissioner to investigate an act or practice if the Commissioner thinks it desirable for that act or practice to be investigated.

When investigating the matter, the Commissioner took into account the following definitions and principles from the Privacy Act:

Section 6(1) of the Act defines personal information as: 

information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in material form or not, about an individual whose identity is apparent, or can be reasonably ascertained, from the information or opinion.

National Privacy Principle 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

National Privacy Principle 2 regulates the use and disclosure of personal information by organisations that are subject to the legislation.  Under this principle, organisations may only use or disclose information that identifies an individual where the use or disclosure is:

• for the primary purpose for which the information was collected; or
• related to the primary purpose of collection and within the reasonable expectations of the individual (National Privacy Principle 2.1(a)); or
• consented to by the individual (National Privacy Principle 2.1(b)); or
• where another exception applies.

National Privacy Principle 2 and National Privacy Principle 4 only apply to information that is held by an organisation in a record (section 16B(2)).  The definition of record in section 6 of the Act excludes generally available publications (such as phone books, newspapers and, in some cases, information published on the internet).

The Commissioner also noted that when declaring bankruptcy, bankrupts are required to lodge certain information with the Insolvency and Trustee Service of Australia (ITSA), an Australian Government agency, which is responsible for maintaining the National Personal Insolvency Index (NPII), a publicly available register of bankruptcies.  Some, but not all, of the information available on the trustee firm's website was information that was already publicly available from the NPII.

Outcome:

During the course of the investigation, the trustee firm argued that the information it published on its website was publicly available information taken from the publicly available sections of the bankrupt's Statement of Affairs and from the NPII.  The trustee firm also argued that the opinion of the trustee in relation to the bankrupt's affairs (in particular, the trustee's opinion about whether the bankrupt had broken the law) did not constitute the personal information of the bankrupt.

The Commissioner noted that any information that identifies an individual (including an opinion) is considered personal information under the Privacy Act (section 6).  As such, the Commissioner did not accept the argument that the trustee's opinion in relation to a bankrupt's affairs was not personal information.

The Commissioner did not dispute that much of the information published on the firm's website was already available to the public through other means.  The Commissioner noted that whilst this may have some impact on an individual's expectations regarding how the trustee firm handled their information it did not exempt the records held by the trustee firm from the application of the Privacy Act.

The Commissioner concluded that the trustee firm collected personal information in order to investigate bankrupts' affairs in relation to bankruptcy.  The trustee firm also collected personal information in order to provide a report (where appropriate) to the creditors regarding the status of the bankrupt's affairs and their ability to offer a dividend to creditors.  It appeared that the trustee firm included the bankruptcy information on its website as a means of providing this information to relevant creditors, not for the purpose of producing a generally available publication.

The Commissioner concluded that the disclosure of bankrupts' personal information to creditors for the purpose of administering the bankruptcy would be permitted under National Privacy Principle 2.  This did not include the disclosure of the trustee's opinion regarding whether an offence had been committed as this information was not required to be disclosed to the creditors.  However, the Commissioner held the view that disclosure of individuals' bankruptcy information to parties who were not involved with the bankruptcy (that is general internet users) was secondary to the purpose of collection.  It was not clear that this secondary purpose was related to the primary purpose of collection, nor was it clear that the disclosure for this purpose would be reasonably expected by the individuals whose information had been disclosed. 

The Commissioner also noted that, whilst some of the information on the website was already available to the public on the NPII maintained by ITSA, gaining access to this information from ITSA was not unconstrained as it involved making an application for a specific record and the payment of fees.  The Commissioner compared this to gaining access to the information via the trustee firm's website, which allowed any internet user to browse hundreds of bankrupts' files.  The Commissioner formed the view that individuals would not reasonably expect this unrestricted disclosure of their bankruptcy information.

In the Commissioner's view, the publication of individuals' bankruptcy details on the trustee firm's website constituted an interference with the privacy of those individuals due to a failure to comply with the requirements of National Privacy Principle 2.1.

The Commissioner also considered National Privacy Principle 4.1, which requires organisations to take reasonable steps to secure information held from unauthorised disclosure, use, access or modification.  The Commissioner accepted that the trustee firm was using the internet as the means for communicating with creditors the status of the bankrupt estates being administered. However, the Commissioner formed the view that the disclosure of information to general internet users in this process was incidental to this primary transaction.  By failing to take steps to limit the access to, and disclosure of, the information on the website the Commissioner was of the view that the trustee firm had also interfered with the privacy of the bankrupts listed on the website by failing to comply with National Privacy Principle 4.1.

Resolution

The Commissioner recommended that the trustee firm take steps to prevent general internet users from browsing the bankruptcy files, for example by securing the information using password protection.  The Commissioner also recommended that the trustee's opinion on whether bankrupts had breached the Bankruptcy Act be removed from the file made available to creditors.

The trustee firm agreed to these recommendations and, once satisfied that they had been implemented, the Commissioner closed the own motion investigation on the basis that the trustee firm had adequately dealt with the matter.

OFFICE OF THE PRIVACY COMMISSIONER

April 2007