
Topic(s): Data security / breach
 

B v Australian Government Agency [2006] PrivCmrA 2


Case Citation: B v Australian Government Agency [2006] PrivCmrA 2

Subject Heading: Failure to take reasonable steps to protect personal information.

Law: Information Privacy Principle 4(a) and section 27(1)(a) in the Privacy Act 1988 (Cth)

Facts: The complainant, an employee of an Australian Government agency, became aware that records consisting of confidential emails and reports about their employment were held in a computer file that was not restricted from general access and could be viewed by other staff in the complainant's staff group.

The complainant approached the agency about this matter and a number of other matters arising from their employment. Whilst it did address the other issues, the agency did not engage with the complainant on the privacy issue, because it was concerned that doing so may have a negative impact on the health of the complainant.

Issues: Australian Government agencies must comply with Information Privacy Principle 4. Information Privacy Principle 4(a) requires that an agency take reasonable steps to protect personal information contained in a record from unauthorised access, use, modification or disclosure, and against other misuse. The issue before the Privacy Commissioner was whether the agency had complied with Information Privacy Principle 4(a) with regard to the protection of the complainant's information.

The agency's initial reservations in communicating openly with the complainant were dealt with by the Commissioner's intervention. The agency admitted that it had stored the complainant's personal information in breach of Information Privacy Principle 4(a), and it offered a number of measures by way of resolution.

Outcome: Under section 27(1)(a) of the Act, the Commissioner can conciliate a matter in order to bring about its resolution. In this case the need for an extensive investigation was negated by the fact that the agency promptly admitted to breaching Information Privacy Principle 4. The agency also offered a range of measures to the complainant to resolve the matter, including an apology for failing to protect the complainant's personal information, transferral of the information to a more secure location, and payment for the complainant to receive counselling as a result of the distress caused by the incident.

The complainant agreed to the measures offered by the agency and the Commissioner closed the file under section 41(2)(a) of the Privacy Act on the grounds that the agency adequately dealt with the matter.

OFFICE OF THE PRIVACY COMMISSIONER February 2006