Site Changes

On 1 November 2010 the Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner and a new website established at www.oaic.gov.au.

Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.

Types

Topic(s): Data security / breach | Notice

G v Counselling Service [2009] PrivCmrA 9

document icon pdf (82.53 KB)

Case Citation:

G v Counselling Service [2009] PrivCmrA 9

Subject Heading:

Failure to provide adequate notice when collecting personal information, disclosure of personal information and security of personal information

Law:

National Privacy Principles 1.3, 2.1 and 4.1 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

The complainant attended several sessions with a counselling service where they discussed with the counsellor some concerns they had about their workplace. Several days later the complainant attended a workplace meeting. The matters that were discussed at that meeting led the complainant to believe that their employer had been told of the concerns they had earlier raised with the counsellor.

The complainant again attended a counselling session but was advised by the counsellor that the notes of their earlier session had been lost.

The complainant complained that the counselling service had disclosed the content of their counselling sessions to their employer, that it did not inform the complainant that it would make such a disclosure, and that it had failed to keep the notes of the counselling sessions safe and secure.

Issues:

National Privacy Principle 1.3 provides that at or before the time (or if that is not practicable, as soon as practicable after) an organisation collects an individual's personal information, it must take reasonable steps to ensure an individual is aware of a number of factors, including the purposes for which the information is collected.

National Privacy Principle 2.1 provides that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection unless an exception in National Privacy Principle 2.1(a)-(h) applies.

National Privacy Principle 4.1 states that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Outcome:

The Privacy Commissioner investigated the matter under section 40(1) of the Privacy Act. The Commissioner examined the alleged disclosure of personal information, the security practices of the counselling service, and any notice it provides to its clients about the management of clients' information.

The Commissioner found that the counselling service kept a written record of each client and the nature of their counselling sessions. The service also kept a record of any administrative or other action taken by the counsellors in relation to their clients.

The counselling service denied disclosing any information about the complainant. There was nothing in the complainant's client record to indicate that the information it contained might have been disclosed to their employer, or to any other person. Additionally, the complainant's workplace was found to be unaware of the content of the complainant's counselling sessions. Accordingly, the Commissioner formed the view that the complainant's information had not been disclosed.

The Commissioner also examined the information security practices of the counselling service. The service described its file management practices to the Commissioner. It also advised that during business hours it stored client files in locked cabinets in a separate storage room with restricted access. After hours, the room was protected by additional security code locks.

The service agreed that a single page of written notes from one of the complainant's counselling sessions was not in their client file. It had tried to find those notes by searching all other client and administrative files but the page was not located. The complainant's counsellor later reconstructed the notes and placed them in the complainant's client file so that there was a more complete record of the counselling sessions.

The Commissioner considered the service's practices and formed the view that, although it had misplaced one page of the complainant's notes, it had reasonable steps in place to protect client information as required by NPP 4.1.

In addition, the Commissioner considered the notice provided by the counselling service to its clients about its management of client information.

Although the content of the notice met the requirements of NPP 1.3, the Commissioner suggested that the counselling service could achieve best privacy practice by adding to the notice more detailed information about how clients could access their personal information.

The Commissioner closed the complaint under section 41(1)(a) of the Privacy Act on the grounds that the counselling service had not interfered with the complainant's privacy.

OFFICE OF THE PRIVACY COMMISSIONER

August 2009