Disclaimer: The summaries below have been extracted from the 2001-2002 Annual Report of the Privacy Commissioner. They illustrate how the Privacy Commissioner has previously resolved privacy complaints and should not be relied on as legal advice.

• Disclosure of personal information - NPP 2
• Collection of unnecessary information - NPP 1
• Disclosure of personal information necessary for the enforcement of a law - IPPs 11.1 and 11.2
• Collection of personal information from a third party
• Disclosure of personal information - IPP 11
• Listing of a payment default
• Inaccurate listing of information - s. 18J
• Listing as a "clearout"
• Use of a Tax File Number - TFN

Disclosure of personal information - NPP 2

A medical benefits fund sent a circular by email to the employers of its contributing members. The circular included a sample of a notice that the employers might receive from the fund requesting payments for employees whose contributions had fallen behind. The problem was the sample form contained the actual sensitive information (rather than dummy information) about the complainant's fund membership and was therefore improperly disclosed by the fund.

The complainant's information was used on the sample form due to a member of the fund's staff making an error in checking the contents of the sample form, which led to the sensitive information about an actual individual being disclosed to numerous employers on the sample form. Following the Office's investigation and intervention, the fund:

• took disciplinary action against the staff member
• reinforced its commitment to protecting individuals' privacy by improving its processes to ensure checking of member details before release
• provided further training to staff and
• informed staff that a breach of privacy may result in disciplinary action.

The complainant was satisfied with these measures.

Collection of unnecessary information - NPP 1

A woman asked her telecommunications carrier to change her account name into her married name. The carrier requested that she provide a hard copy of her marriage certificate as proof of change of name and advised that it would retain a copy on file and would only return it if the complainant ceased to be one of its customers. The complainant offered to take her certificate to one of the carrier's outlets to be sighted because she did not think the carrier ought to retain a copy on file. The carrier nominated an outlet that was very inconvenient to the complainant and the complainant then lodged a complaint with the Office.

The Office conducted enquiries with the carrier about the justification for retaining a copy of the certificate. The carrier agreed to accept from the complainant a statutory declaration made by a third party that he or she had sighted the complainant's certificate. The complainant was happy with this outcome and the Office closed the complaint on the basis that the carrier had adequately dealt with the matter.

Disclosure of personal information necessary for the enforcement of a law - IPP 11.1 and 11.2

A federal public servant who was a subject of investigations arising from an alleged breach of the Public Service Act 1999 (Cth) lodged a complaint that during the course of that investigation personal information about him was disclosed by one federal government agency to another federal government agency.

The IPPs state that the personal information of individuals can only be disclosed in accordance with IPP 11. The complainant alleged that the disclosing agency improperly disclosed his personal information in breach of IPP 11. The agency claimed that the personal information was disclosed in accordance with IPP 11.1(e), which requires that the disclosure is reasonably necessary for the enforcement of the criminal law or a law imposing a pecuniary penalty, or for the purpose of protecting the public revenue.

The Office found that the agency had not breached the Privacy Act when the complainant's personal information was disclosed. The disclosure of the personal information was allowed under IPP 11.1(e) as the disclosure was directly linked to enforcing the Public Service Act, a law imposing a pecuniary penalty.

The complainant argued that at the time of the disclosure he had not been charged with an offence. The exemption in IPP 11.1(e) is not reliant on charges having been laid at the time the information is disclosed but only requires that the disclosure is reasonably necessary for the enforcement of a law imposing a pecuniary penalty. In many situations it would be impractical for charges to be laid, for example, when a matter was still at investigation stage.

The complainant alleged that the agency had also failed to note the disclosure on his record. Such a note is required under IPP 11.2 when the disclosure is made for the purpose of enforcement of the criminal law or a law imposing a pecuniary penalty, or for the purpose of protecting the public revenue.

The Office found that a breach of IPP 11.2 had occurred and the agency had failed to make a note of the disclosure of the record. However, this breach was adequately dealt with by the agency. The agency satisfied the Office that it takes steps to ensure staff are informed of their privacy obligations through publications and training, seminars and conferences. In addition, privacy obligations are the subject of publications on the intranet and raised in briefings published to all employees. The agency also spoke with the staff member involved.

Collection of personal information from a third party

A client of an agency agreed in advance to participate in a phone survey conducted by a contractor on behalf of an agency that collected information about his health and wellbeing. When the contractor rang the client, he was not at home. The contractor then contacted the client's carer, namely his daughter, using her telephone number from the agency's record. His daughter then answered the survey questions on his behalf without his consent. The client lodged a complaint that his privacy had been breached by the disclosure of his personal information, e.g. contact details, by the agency to the contractor. The complainant was also concerned about the fact that his daughter's responses to the survey questions were not always accurate because they related to very personal matters about which the daughter would not have been aware, and this information was then passed back to the agency.

The Office made enquiries with the agency and found that the information provided to the contractor was done in accordance with the outsourcing provisions in s. 12 of the Privacy Act. The agency acknowledged that the contractor should not have contacted the complainant's daughter without his consent. The agency reviewed its procedures and consulted with the agency's Human Research Ethics Committee in an effort to ensure that the next survey would comply with the Privacy Act.

Disclosure of personal information - IPP 11

Two farmers, a husband and wife, applied for financial assistance under an applicable government scheme and were having difficulties obtaining information about their eligibility for assistance. They lodged a complaint that inappropriate disclosures of their information had been made in relation to their application. The complainants approached their local federal member for assistance in their application who made enquiries with the relevant Minister. Enquiries were made to the department and the Minister's Chief of Staff then provided information about the progress of the complainant's applications to a pre-selected candidate in the seat. The candidate then contacted the complainants directly to let them know what was happening with their application. The complainants advised their local federal member that the Minister's office had disclosed their personal financial information to the candidate. That federal member lodged a complaint on their behalf about the improper disclosure of personal information by the Minister's staff to the candidate.

The Minister advised that there had been more than 30,000 applications for assistance under tight deadlines from the scheme, and that his office was frequently consulted about the progress of applications by Members of Parliament and candidates. The Minister acknowledged that an error occurred when several enquiries from different sources were being followed up at the same time. Information about the claim was inadvertently disclosed by the Chief of Staff to the candidate when it should have been provided to the constituent's member who had queried the progress of the application on their behalf. The Minister and his Chief of Staff acknowledged the error and expressed their regret for any embarrassment caused in a letter of apology to the complainants. The Minister also counselled his staff about the importance of preserving the privacy of individuals and asked the Privacy Officer of the Department to provide training for the staff of his office.

Listing of a payment default

A father went guarantor on a loan to his son for a motor vehicle. The lender lodged a payment default on the father's file as guarantor and also his son's file. The father and son believed all payments had been made and lodged a complaint that the payment default had been incorrectly listed. When the respondent was contacted for information, it was able to prove that it had met the requirements of the Privacy Act when listing the payment default on both files. The respondent's records showed that a cheque had been dishonoured, therefore that amount was still overdue plus interest. The complainant was informed of this and still contested the listing. The complainant submitted his financial statements to show that no cheques had been dishonoured. This was brought to the attention of the respondent. Through investigation it was determined that the cheque had been presented to Australia Post to hand on to the respondent. Australia Post lost the cheque and failed to inform the complainant or the respondent. Thus, the complainant believed the respondent had been paid, and the respondent believed it had not been paid. When it was discovered that Australia Post was the source of the problem, it was agreed that the complainant pay the amount due (not including the accrued interest), since that amount had never been deducted from his account as the cheque had been lost by Australia Post. In return, the respondent agreed to remove the default listings on both files in their entirety and to close the loan account.

Inaccurate listing of information - s. 18J

The complainant had 19 aliases cross-referenced to his individual consumer credit information file by a credit reporting agency based on information the credit reporting agency had received from a credit provider. The main issue in contention was thus the accuracy of the complainant's individual consumer credit information file under s. 18J of the Privacy Act. Through the cross-referencing of the 19 files to the complainant's individual consumer credit information file, the credit reporting agency was implying that the complainant was committing fraud, through obtaining credit under pseudonyms. Through investigation with third parties it was discovered that another individual had recently been released from prison on fraud charges with a similar name to that of the complainant. The aliases that had been cross-referenced to the complainant's individual consumer credit information file in fact belonged to the individual recently released from prison. As a result the cross-referencing was removed from the complainant's individual consumer credit information file and transferred to the other individual's newly created "real" individual consumer credit information file. The investigation was closed on the basis that the respondent had adequately dealt with the matter.

Listing as a "clearout"

The complainant had a motor vehicle loan with a credit provider who reported her to a credit reporting agency as being a clearout: meaning that the complainant had allegedly failed to advise the credit provider of her new address and that this indicated an intention on her part to no longer honour her obligations in relation to the loan. The complaint alleged that the credit provider had improperly reported this to a credit reporting agency because she remained in contact with the credit provider at all times. After investigation, the credit provider agreed it had made a mistake in reporting the complainant as being a "clearout" and the entry was removed. The credit provider gave undertakings to provide further staff training in the requirements that must be met before information of this type may be reported to a credit reporting agency. The credit provider formally apologised to the complainant for any inconvenience or embarrassment she may have suffered due to the clearout listing. The credit provider also paid the complainant $5000 in compensation for humiliation and embarrassment suffered.

Use of a Tax File Number - TFN

The complainant alleged that his Tax File Number (TFN) was inappropriately used by and disclosed to Australia Post by the Child Support Agency (CSA). The complainant was concerned that the CSA payment advice slip presented to Australia Post Offices for payment listed his TFN four times. The TFN listed on the bar code together with his name, was retained by Australia Post once payment was completed. The complainant suggested that the CSA should use case numbers instead of TFNs on correspondence as a method of identifying individuals.

The TFN Guidelines, in particular Guideline 2, state that a TFN is not to be used or disclosed to establish or confirm the identity of an individual for any purpose not authorised by taxation, assistance agency or superannuation law.

The CSA explained that the provision of the payment facility through Australia Post outlets is covered by the Taxation Administration Act 1953 (Cth) and the Income Tax Assessment Act 1936 (Cth). The CSA is performing this function through an agency arrangement with the Australian Taxation Office (ATO) in relation to a taxation law and facilitating its administration.

After investigation the Office accepted the ATO's contention that the use of TFNs in this way is authorised by taxation law. The investigation ceased under s. 41(1)(a) on grounds that the CSA had breached neither the Privacy Act nor the Tax File Number Guidelines.

The Office noted that the payer has payment options other than Australia Post. Because the electronic reading strip may not always be operative on a pay slip, it is necessary to print the TFN on the payment slip. However, in future, the child support payer may retain the tear off payment slip rather than Australia Post, thus improving privacy protection.

Regarding the use of case numbers instead of TFNs, the CSA explained that the TFN is unique to the individual, whereas case numbers are common to children and parents from the relationship. Parents who share care of children or have children from more than one relationship will have numerous case numbers.