Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not-for-profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site; consequently, some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Own Motion Investigation v Retailer [2009] PrivCmrA 25
Case Citation:
Own Motion Investigation v Retailer [2009] PrivCmrA 25
Subject Heading:
Security of personal information
Law:
National Privacy Principle 4.1 in Schedule 3 of the Privacy Act 1988 (Cth)
Facts:
An individual found a scrapbook in a shopping centre car park and forwarded it to the Privacy Commissioner. The scrapbook contained an account of grievances and humorous incidents compiled by staff at a call centre of a retailer. Many of the accounts contained the personal information of customers of the retailer.
Issues:
NPP 4 requires that an organisation take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
Outcome:
The Commissioner commenced an own motion investigation under section 40(2) of the Privacy Act.
The retailer advised the Commissioner that it was not aware of the existence of the scrapbook until the Commissioner commenced the investigation. The retailer conducted an internal investigation into the origins of the scrapbook. The retailer stated that the existence of the scrapbook and its subsequent loss was an anomaly that did not reflect how seriously it takes its customers' privacy or the procedures and systems it had in place to protect customers' personal information.
The retailer advised the Commissioner that it already had a number of steps in place to ensure that customers' personal information was protected from misuse and loss and from unauthorised access, modification or disclosure. These steps included induction and ongoing privacy training for its employees, with particular focus on the use of, and access to, customers' personal information. The retailer also had a quality control team which regularly monitored the handling of customer calls to ensure that staff were respecting customer privacy and meeting the call centre's expectations around customer service. The retailer advised that staff only had access to the personal information they needed to perform their employment duties.
The retailer advised that after its investigation it took the following steps to protect against a similar incident:
- All the employees responsible for compiling the scrapbook were counselled about the proper use of customers' personal information and the issues raised by the discovery of the scrapbook.
- These employees received a written warning advising that if they misused customers' personal information again their employment would be terminated.
- The retailer implemented additional privacy training with all customer service staff which emphasised how to correctly handle customers' personal information.
- The retailer reviewed its training materials and expanded the section dealing with the misuse of customers' personal information, including using the scrapbook incident as an example of how customers' personal information should not be used by call centre personnel.
The Commissioner was satisfied that the retailer had processes in place to meet its obligations under NPP 4.1 at the commencement of the investigation and that it took appropriate steps once it became aware of the incident. The Commissioner therefore ceased the own motion investigation into the matter.