Site Changes

On 1 November 2010 the Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner and a new website established at www.oaic.gov.au.

Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.

Types

Topic(s): Notice | Disclosure

F v Insurance Company [2007] PrivCmrA 8

document icon pdf (25.86 KB)

Case Citation:

F v Insurance Company [2007] PrivCmrA 8

Subject Heading:

Collection and disclosure of personal information by an insurance company

Law:

National Privacy Principles 1.3, 1.5 and 2 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

The complainant lodged a compensation claim against a deceased person's insurance policy. The complainant had been in a de facto relationship with the deceased but was not the insured party.

The complainant lodged a compensation claim on a form in which they recorded their own personal information and that of the deceased. The claim form also included a Statutory Declaration in which the complainant declared the contents of the form to be true and correct. The declaration stated that it allowed the insurance company to collect any records or information which may affect the claim. The declaration also included a statement in which the complainant authorised the insurance company to obtain information and documents from a number of specified parties, including the employer or accountant of the deceased person, with respect to the particular claim. The complainant returned the signed claim form to the insurance company.

In progressing the claim, the insurance company considered it necessary to contact the deceased's accountant or business manager. The insurance company telephoned the business formerly owned by the deceased and spoke to an employee of the business. During the telephone conversation, the insurance company allegedly questioned the employee as to the nature of the relationship between the complainant and the deceased. The insurance company also allegedly disclosed the fact that the complainant was claiming compensation in relation to the deceased's death, to the employee.

The complainant claimed that, as a result of the alleged improper disclosure of their personal information to third parties in the community, they subsequently experienced familial and financial difficulties.

Issues:

National Privacy Principle 1.3 requires that, at or before an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of a number of matters, including the purposes for which the information is collected and the organisations or types of organisations to which the organisation usually discloses information of that kind.

National Privacy Principle 1.5 also requires that, if an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is, or has been, made aware of the matters listed in National Privacy Principle 1.3, except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.

National Privacy Principle 2 provides that an organisation must not use or disclose personal information about an individual for a secondary purpose other than the primary purpose, unless the exceptions listed in National Privacy Principle 2.1 apply. One of these exceptions is where the use or disclosure is for a related purpose and the individual concerned would reasonably expect the organisation to use or disclose the information for the secondary purpose.

The issues for consideration in this case were whether the complainant had been made aware of the purpose for which their personal information would be collected and whether the insurance company could rely on any exception in National Privacy Principle 2.1 for the disclosure of personal information about the complainant.

Outcome:

Collection

The Commissioner investigated the complaint under section 40(1) of the Privacy Act. The Commissioner expressed the view that the declaration in the claim form, containing the specific authorisation (which stated that the insurance company was permitted to contact the listed parties), did not provide sufficient advice to the complainant that information regarding their personal relationship with the deceased would be collected from the employee.

The Commissioner considered that the source from which the information was collected, in conjunction with the type of information collected, fell beyond the scope of the declaration and authorisation provided to the complainant on the claim form.

Consequently, the Commissioner formed the view that the insurance company did not comply with the requirements in National Privacy Principle 1.3 when it provided the complainant with the claim form.

The Commissioner also formed the view that the insurance company did not comply with National Privacy Principle 1.5 when it collected the complainant's personal information from the employee, because it failed to ensure that the complainant had been made aware of the purpose for the collection of the information.

Disclosure

The Commissioner accepted that the complainant's personal information was collected for the primary purpose of processing the compensation claim and that the disclosure was related to the primary purpose of collection. The Commissioner assessed whether the insurance company could rely on the exceptions listed in National Privacy Principle 2.1 when disclosing the complainant's personal information.

The Commissioner noted that the complainant had not given consent and that the insurance company did not provide the complainant with any notice that their personal information would be disclosed to the business formerly owned by the deceased. The Commissioner was also of the opinion that the declaration included on the claim form did not give any indication that the complainant's personal information would be disclosed to the employee.

The Commissioner formed the view that the disclosure was not within the complainant's reasonable expectations and that the insurance company could not rely on any other exception in National Privacy Principle 2 in disclosing the personal information about the complainant.

The Commissioner successfully conciliated the matter, concluding the matter with an agreed resolution. The Commissioner subsequently closed the complaint under section 41(2)(a) of the Privacy Act, on the grounds that the insurance company had adequately dealt with the complaint.

OFFICE OF THE PRIVACY COMMISSIONER

June 2007