Topic(s): Collection | Data accuracy
 

M v Financial Institution [2009] PrivCmrA 16


Case Citation:

M v Financial Institution [2009] PrivCmrA 16

Subject Heading:

Improper collection of personal information and accuracy of personal information

Law:

Section 16B and National Privacy Principles 1.4 and 3 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

The complainant and their partner held a joint bank account. After a family dispute, the partner advised the financial institution of the dispute and amended the signature authority on the joint account.

A number of weeks later, a relative of the partner contacted the financial institution to amend another account and provided further information about the family dispute. After the contact, a staff member at the financial institution further modified the joint account to block all withdrawals not signed by both parties. The financial institution contacted the complainant about the modification days after it was made.

The complainant alleged the financial institution had improperly collected their personal information from a third party and failed to ensure the personal information was accurate, complete and up-to-date.

Issues:

Section 16B of the Privacy Act says that the Privacy Act, with the exclusion of some parts, applies to the collection of personal information by an organisation only if the information is collected for inclusion in a record or generally available publication.

NPP 1.4 states that if it is reasonable and practicable, an organisation must collect personal information about an individual only from that individual.

NPP 3 states that an organisation must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

Outcome:

The Privacy Commissioner investigated the matter under section 40(1) of the Privacy Act.

The financial institution argued that it did not collect information from the relative because it did not ask for the information. However, the Commissioner took the view that an organisation collects personal information if it gathers, acquires, or obtains information from any source and by any means (irrespective of whether the information was sought by the organisation). In addition, because the financial institution changed its accounts based on that information, the financial institution collected the information for inclusion in a record in accordance with section 16B of the Privacy Act.

The Commissioner also took the view that it was reasonable and practicable to collect the complainant's personal information from the complainant. Consequently, the financial institution had interfered with the complainant's privacy by collecting their personal information from a third party in this case.

The Commissioner considered a range of factors in determining whether the financial institution had taken reasonable steps to ensure the accuracy of the information it collected, including how reliable it was likely to be, who it was collected from, and what it would be used for.

Given the information was not provided by the account holders, was subject to change and had an effect on the complainant's finances, the Commissioner took the view that the financial institution had not taken reasonable steps to check the accuracy of the personal information it collected from the third party. Therefore, the financial institution had failed to comply with NPP 3.

The financial institution offered the complainant financial compensation. The complainant accepted the offer.

The Commissioner closed the complaint under section 41(2)(a) of the Privacy Act on the basis that the financial institution had adequately dealt with the complaint.

OFFICE OF THE PRIVACY COMMISSIONER

November 2009