
Topic(s): Data security / breach | Use
 

F v Australian Government Agency [2008] PrivCmrA 6



Case Citation: 

F v Australian Government Agency [2008] PrivCmrA 6

Subject Heading:

Failure to keep personal information secure

Law:

Information Privacy Principles 4 and 10 in Part III Division 2 of the Privacy Act 1988 (Cth)

Facts:

The complainant, a former employee of a government agency, complained that their personal record held by the agency had been accessed by a current employee of the agency. The employee, for reasons unrelated to their employment, used the records to locate where the complainant was living.

The complainant stated this caused them to fear for their safety, and resulted in the complainant having to change their name and place of residence.  

The complainant raised the matter with the agency and sought compensation. Although the agency acknowledged that an unauthorised access to the complainant's personal record had occurred, it rejected the complainant's claim for monetary compensation.

The complainant, dissatisfied with the response from the agency, wrote to the Privacy Commissioner.

Issues:

Information Privacy Principle 4(a) obliges an agency to protect the personal information it holds with such safeguards as are reasonable in the circumstances.

Information Privacy Principle 10 requires agencies to use personal information only for the purpose for which it was collected unless one or more of certain exceptions apply.

Outcome:

The Privacy Commissioner opened an investigation into the matter under section 40(1) of the Privacy Act. 

The agency advised that it had investigated the matter internally, and found that there had been an unauthorised access by an employee to the complainant's personal record.  

Given the inadequacy of the steps taken to prevent unauthorised access, the Commissioner took the view that the agency had not taken reasonable steps in the particular circumstances to protect the complainant's personal information in accordance with Information Privacy Principle 4(a). 

Further, the Commissioner formed the view that the complainant's personal information had been used for a purpose for which none of the exceptions in Information Privacy Principle 10 applied.

The agency advised that it had since applied additional protection to the complainant's personal record, and had terminated the employment of the individual who was identified as being responsible for the unauthorised access to, and use of, the complainant's personal record. The agency, however, did not consider that the complainant had provided sufficient evidence to substantiate the complainant's claims for monetary compensation.

The Commissioner conciliated the matter under section 27(1)(a) of the Privacy Act and an agreement between the parties was reached. The complainant accepted a confidential settlement for costs associated with the complainant's change of name and place of residence.

The Commissioner then closed the complaint under section 41(2)(a) of the Privacy Act on the grounds that the agency had adequately dealt with the complaint.

OFFICE OF THE PRIVACY COMMISSIONER May 2008