Case Citation:K v Financial Institution [2003] PrivCmrA 9

Subject Heading: Improper disclosure of an account statement to a third party

Law: National Privacy Principles 3 and 2.1 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts

The complainants, a married couple, held a joint account with the respondent who erroneously linked the account's number to an account held by a different family member who had the same name as one of the complainants. Due to the incorrect linking of the accounts, the respondent sent a statement for the complainants' account to the other family member.

As a result, the person was made aware of the complainants' financial position and requested that the complainants provide a guarantee in relation to some financial dealings. The complainants agreed to their family member's request as they felt to do otherwise would have created a significant strain on their relationship with them.

The complainants sought $1,000 in compensation to cover actual costs associated with guarantee and for the continuing anxiety arising from the potential need to provide financial support.

Issues

National Privacy Principle 3 requires organisations to take reasonable steps to make sure that the personal information they collect, use or disclose is accurate, complete and up-to-date.

National Privacy Principle 2.1 limits the use or disclosure of personal information to the primary purpose for which it was collected unless one of a range of exceptions applies. The exceptions include secondary uses or disclosures: that are related to the primary purpose and would be reasonably expected by the individual concerned; to which the individual has consented; that are required or authorised by law. In this case it did not appear that any of the exceptions applied.

The erroneous linking of the two accounts and the subsequent disclosure of personal information to the family member were potential breaches of these two principles.

The respondent investigated the complainants' concerns as soon as they were raised and found that the events as described had occurred. The respondent was as a result of its investigation taking steps to rectify the situation, including apologising to the complainants and providing additional training to staff.

The complainants decided towards the end of the respondent's investigation to also complain to the Privacy Commissioner and seek compensation. The Commissioner decided he had sufficient information to proceed without a more detailed investigation and put the facts and the complainants' proposed resolution to the institution.

Outcome

The respondent acknowledged its error in linking the accounts and that this resulted in the disclosure of the complainants' information and agreed to the claim for $1,000 in compensation.

The Commissioner closed the complaint on the ground that the respondent had dealt adequately with the matter (s.41(2)(a))

OFFICE OF THE PRIVACY COMMISSIONER June 2003