Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
D v Insurance Company [2007] PrivCmrA 6
Case Citation:
D v Insurance Company [2007] PrivCmrA 6
Subject Heading:
Improper disclosure of personal information; failure to take reasonable steps to ensure the personal information collected or disclosed was accurate, complete and up to date; failure to take reasonable steps to secure personal information from unauthorised access and disclosure.
Law:
National Privacy Principle 2.1, National Privacy Principle 3 and National Privacy Principle 4.1 in Schedule 3 of the Privacy Act 1988 (Cth).
Facts:
The complainant had an account with an insurance company and, without their knowledge, their personal information was visible for two years on the accounts of a third party, whose accounts had been managed by a relative. The third party's relative advised the insurance company and asked them to attempt to remove the complainant's information. The insurance company refused to action the request on the basis that the individual was not the actual account holder, as the personal information related to their relative.
When the matter came to the complainant's attention they contacted the insurance company regarding the disclosure of their personal information on the third party's accounts. The complainant was also concerned about the accuracy and security of that information and the general privacy practices of the insurance company. In response, the insurance company amended its records so that the complainant's personal information was no longer visible on the third party's accounts. The insurance company also apologised for the inconvenience caused and for the length of time it took to resolve the issue, and offered the complainant an ex gratia payment of $750.
The complainant was dissatisfied with this proposed resolution, claiming that the insurance company had not taken steps to ensure that their personal information would not be similarly disclosed in future. The complainant wanted the insurance company to amend its business practices to ensure that personal account information remained secure, accurate, and up to date. Additionally, the complainant was dissatisfied with the payment offered by the insurance company.
Issues:
National Privacy Principle 2.1 provides that personal information collected for a primary purpose may only be used or disclosed for a secondary purpose if one of a number of exceptions in National Privacy Principle 2.1(a)-(h) applies.
National Privacy Principle 3 provides that an organisation must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date.
National Privacy Principle 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
Outcome:
The Privacy Commissioner treated the complainant's letter as a complaint under section 36 of the Privacy Act and conducted preliminary enquiries under section 42 of the Privacy Act. The Commissioner also referred the complaint to the insurance company in order for it to further consider the issues raised by the complainant before the commencement of a formal investigation.
Subsequent to the referral of the complaint, the insurance company advised the complainant that staff members involved had been counselled and that a notice had been circulated to all call centres and branches reminding staff of their obligations under the Privacy Act. The insurance company also noted that it requested account holders to notify it of any changes or errors in their personal information and advised that it would consider suggestions made by the complainant to further ensure this information was up to date, accurate and complete. The insurance company also offered an apology to the complainant and an ex gratia payment of $1250 in full settlement of the case. The complainant accepted the apology and payment of $1250.
The Commissioner closed the complaint under section 41(2)(a) of the Privacy Act on the grounds that the complaint had been adequately dealt with by the respondent.
OFFICE OF THE PRIVACY COMMISSIONER
April 2007


