Topic(s): Sensitive information | Data security / breach

I v Retail Company [2006] PrivCmrA 8



Case Citation:

I v Retail Company [2006] PrivCmrA 8

Subject Heading:

Collection of sensitive information by a retail company for the purpose of loss prevention and the security of personal information and destruction of old records.

Law:

Section 16C(1), National Privacy Principle 10.1, National Privacy Principle 4.1 and National Privacy Principle 4.2 of the Privacy Act 1988 (Cth)

Facts:

The complainant was accused of theft by a retail company. The complainant later became aware that information about the incident, including the fact that they had been charged, had been collected and recorded on a database maintained by the retail company. The database contained records of actual or suspected fraudulent activity, collected as a means of protecting the retail company's assets.

The complainant wrote to the retail company some years after the incident claiming that as the information collected was sensitive information, it should only have been collected with their consent. The complainant also raised concerns about the security of the information recorded on the database, the period for which it would be retained, and requested that the information be destroyed.

Issues:

National Privacy Principle 10.1 prevents the collection of sensitive information by organisations unless an exception in National Privacy Principle 10.1(a)-(e) applies. Sensitive information is defined in section 6 of the Privacy Act to include 'information or an opinion' about an individual's criminal record.

However, section 16C(1) of the Privacy Act states that National Privacy Principle 10 only applies in relation to the collection of information after the date of the commencement of the National Privacy Principles on 21 December 2001.

National Privacy Principle 4.1 requires organisations to take reasonable steps to protect the information they hold from misuse and loss and from unauthorised access, modification or disclosure. National Privacy Principle 4.2 requires that organisations take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed. National Privacy Principle 4.1 and National Privacy Principle 4.2 apply to personal information regardless of when it was collected.

Outcome:

The Commissioner investigated the matter and took the view that information stating that the complainant had been accused and charged with theft constituted 'information or an opinion' about an individual's criminal record and fell within the definition of sensitive information in the Privacy Act. The Commissioner noted however that the collection of this information occurred prior to the introduction of the National Privacy Principles on 21 December 2001, and therefore the collection of the complainant's information in this instance was not subject to National Privacy Principle 10.

The Commissioner also considered whether the retail company had adequate measures in place to protect information contained on the database. The retail company reported that the database was only accessible to a small number of people within the company, that the database was password protected and that passwords were routinely changed as a security measure. The Commissioner was satisfied that the security measures in place to protect personal information in the database were consistent with National Privacy Principle 4.1.

The Commissioner also considered whether the length of time the respondent would retain the information about the complainant was consistent with National Privacy Principle 4.2. The retail company advised that it intended to upgrade the existing database, and was implementing a new policy in relation to the retention of the information in the database. It proposed that, with some exceptions, all such information would be permanently deleted from the existing database, and subsequently the upgraded database, after a retention period of five years. Additionally, the retail company stated that it had deleted the complainant's information from the existing database in order to comply with its new policy. The Commissioner closed the complaint under section 41(2)(a) on the grounds that the retail company had adequately dealt with the complaint.

OFFICE OF THE PRIVACY COMMISSIONER April 2006