
E v Retail Organisation [2007] PrivCmrA 7



Case Citation: 

E v Retail Organisation [2007] PrivCmrA 7

Subject Heading:

Improper disclosure of personal information; failure to take reasonable steps to protect personal information from misuse and from unauthorised access, modification or disclosure.

Law:

National Privacy Principle 2 (Use and disclosure)

National Privacy Principle 4 (Data security)

Section 16B

Facts:

The complainant returned a faulty personal computer to the respondent for servicing. The respondent offered to replace the computer and assured the complainant that their personal information would be erased from the faulty computer's hard drive.

The complainant subsequently received a telephone call from a third party who had purchased a personal computer of the same model and brand. The third party had discovered a significant amount of the complainant's personal information stored on the computer's hard drive.

The complainant contacted the respondent. The respondent immediately organised a replacement computer for the third party and took the computer back to the company headquarters to erase the data. The respondent offered to reimburse the complainant for their time taken off work to deal with the matter, as well as an unconditional apology. The complainant rejected the respondent's offer and lodged a complaint with the Privacy Commissioner.

Issues:

NPP 2 sets out the general rule that an organisation must only use or disclose personal information for the primary purpose of collection. Use and disclosure for a secondary purpose is not allowed except where such use or disclosure falls within the exceptions listed in NPP 2.1.

NPP 4.1 requires an organisation to take reasonable steps to protect the personal information it holds from misuse and loss, and from unauthorised access, modification or disclosure.

Protecting the security of personal information consists of maintaining computer and network security by adopting measures to protect the computer systems and networks used for storing, processing and transmitting personal information from unauthorised access, modification and disclosure. In addition to computer systems and networks, NPP 4.1 also applies to personal information stored on individual computer hard drives.

The Privacy Commissioner opened a formal investigation into the complaint. The respondent did not contest the complainant's allegation that the respondent had failed to erase their personal information stored on the hard drive of the faulty personal computer and had thereby improperly disclosed their personal information to a third party. However, the respondent submitted to the Privacy Commissioner that the data stored on the resold hard drive did not constitute a 'record' as defined in section 6 of the Act, and that the data also did not satisfy section 16B of the Act, because the respondent, in their opinion, had not intentionally collected the complainant's personal information. The respondent argued that the Privacy Commissioner should exercise her powers under section 41(1)(a) to summarily dismiss the complaint as being outside her jurisdiction.

Section 16B provides:

  1. This Act (except Divisions 4 and 5 of Part III and Part IIIA) applies to the collection of personal information by an organisation only if the information is collected for inclusion in a record or a generally available publication.
  2. This Act (except Divisions 4 and 5 of Part III and Part IIIA) applies to personal information that has been collected by an organisation only if the information is held by the organisation in a record.

The Privacy Commissioner considered the respondent's argument and decided that the data stored on the resold personal computer satisfied the definition of a 'record' in section 6 of the Act, and was considered to be personal information stored in a record as required by section 16B(2) of the Act. If an organisation is deemed by section 16B(2) of the Act to have collected an individual's personal information and stored that information in a record, the intention of the organisation in so doing is not relevant for the purposes of that section. Consequently, the Privacy Commissioner decided to continue to investigate the matter.

Outcome:

The respondent proposed that the matter proceed directly to conciliation. The complainant agreed to participate. Following a period of conciliation by the Privacy Commissioner, the complainant accepted a revised offer by way of settlement of the matter, and the parties executed a Deed of Release, the terms of which are confidential. The Privacy Commissioner therefore closed the complaint under section 41(2)(a), on the grounds that the respondent had adequately dealt with the matter.

OFFICE OF THE PRIVACY COMMISSIONER

April 2007