Protecting Information Rights – Advancing Information Policy

Phone iconCONTACT US: 1300 363 992
 
We're now a part of the Office of the Information Commissioner. Go to www.oaic.gov.au to find out more.

Site Changes

Types

Topic(s): Notice | Collection
 

I v Contracted Service Provider to Commonwealth Agency [2008] PrivCmrA 9

document icon pdf (26.33 KB)


Case Citation:

I v Contracted Service Provider to Commonwealth Agency [2008] PrivCmrA 9

Subject Heading:

Unnecessary collection of personal information and failure to provide adequate notice when collecting personal information

Law:

Information Privacy Principle 1 and 2 in Part III Division 2 of the Privacy Act 1988 (Cth)

Facts:

The complainant provided their personal information to the respondent organisation (a contracted service provider to an Australian Government agency) as a condition of entry onto premises managed by the organisation. The complainant''s personal information was then entered in a computer database. The complainant alleged that they were not informed of the purpose for which their personal information was collected, or under what authority or law, nor the purposes for which the information would be used or disclosed.

The complainant felt that the organisation had interfered with their privacy and complained to the organisation and the agency to which it was contracted. Dissatisfied with the responses, the complainant made a complaint to the Privacy Commissioner.

Issues:

Section 95B of the Privacy Act requires an agency to take contractual measures to ensure that an organisation contracted to provide a service does not act or engage in a practice that would breach the Information Privacy Principles if done by the agency. In particular, the agency must ensure that the Commonwealth contract does not authorise the organisation to do or engage in such an act or practice.

Information Privacy Principle 1 regulates the way in which agencies collect person information. It provides that agencies may only collect personal information:

  • for a lawful purpose that is directly related to their functions or activities; and
  • if collecting the information is necessary for or directly related to that purpose.

Information Privacy Principle 1 also states that agencies must not collect personal information by unlawful or unfair means.

Information Privacy Principle 2 requires an agency to take reasonable steps to inform an individual of certain matters when collecting their personal information, or as soon as is practicable after the collection of the personal information. These matters are:

  • the purpose for which it is collecting the information;
  • whether that collection is required or authorised by or under law; and
  • to whom that agency usually discloses that sort of information.

Outcome:

The Commissioner opened an investigation into the matter under section 40(1) of the Privacy Act.

The respondent organisation advised the Commissioner that it records the personal information of visitors to the facility in an electronic database that is held on behalf of the agency to which it is contracted. The organisation collects this information for security purposes and to fulfil the agency''s obligations as specified in that agency''s governing legislation. The organisation claimed that it collects this information in an appropriate and lawful manner.

The organisation also advised the Commissioner that the complainant was provided with notice through a copy of the Conditions of Entry and a Visitor Application form, a form that all visitors are required to sign. The Visitor Application form requires an individual to acknowledge that they have read and understood the conditions detailed in the Conditions of Entry, and agree to participate in the visit in accordance with these conditions.

The Commissioner agreed that one of the organisation''s lawful functions was to maintain the security of the premises, and in the circumstances the collection of personal information from visitors to the premises was integral to that purpose.

However, the Commissioner formed the view that the organisation did not provide visitors with adequate notice as to the purpose for which their information was collected, or to whom the information might be disclosed. The Commissioner formed the view that the organisation had breached Information Privacy Principle 2 by failing to take reasonable steps to provide the complainant with adequate notice when visiting its premises.

In order to resolve this matter, the organisation added a notice to its Visitor Application form that advised individuals of the purpose of the collection. The purpose of collecting their personal information would be to improve the care of the organisation''s clients, or to investigate any incidents involving visitors to the premises.

The notice also advised individuals that their personal information would be treated confidentially and used and disclosed only in accordance with the contracting agency''s governing legislation and the Privacy Act. The organisation also agreed to display this notice on its premises in the visitor''s area in several languages.

Section 41(2)(a) of the Privacy Act gives the Commissioner a discretion not to investigate, or not to investigate further, an act or practice about which a complaint has been made if the Commissioner is satisfied that the respondent has dealt adequately with the matters that gave rise to the complaint.

In this case, the Commissioner closed the complaint under section 41(2)(a) of the Privacy Act as she was satisfied that the respondent agency had adequately dealt with the matter.

OFFICE OF THE PRIVACY COMMISSIONER

June 2008