Site Changes

On 1 November 2010 the Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner and a new website established at www.oaic.gov.au.

Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.

Types

Topic(s): Disclosure

D v Commonwealth Agency [2010] PrivCmrA 5

document icon pdf (323.53 KB)

Case Citation:

D v Commonwealth Agency [2010] PrivCmrA 5

Subject Heading:

Disclosure of personal information and failure to take reasonable steps to protect personal information

Law:

Information Privacy Principles 4 and 11 in Part III Division 2 of the Privacy Act 1988 (Cth)

Facts:

The complainant was a person of interest in a compliance activity undertaken by an Australian Government agency. Part of the compliance activity required the complainant to answer questions posed by agency officers and to complete forms. The complainant alleged that the agency had not appropriately secured their personal information given the questioning took place in the presence of journalists.

The agency also subsequently sent background information about the complainant to the journalists.

Issues:

IPP 4 requires that an agency take reasonable steps to protect personal information contained in a record from unauthorised access, use, modification or disclosure, and against other misuse.

IPP 11 prohibits agencies from disclosing personal information to anyone other than the individual concerned, unless an exception applies.

Outcome:

The Privacy Commissioner opened an investigation into the matter under section 40(1) of the Privacy Act.

The Commissioner found there was a high risk that the journalists would overhear the complainant's personal information in course of the agency's questioning and that there was some risk of the journalists viewing the complainant's documentation.

The Commissioner considered that a high level of security was necessary given the serious consequences to the individual of third parties accessing the information being asked of the complainant. Consequently, the Commissioner took the view that the agency did not have adequate safeguards in place to protect the complainant's personal information against unauthorised access and therefore had not complied with IPP 4(a).

At the time the agency disclosed the background information to the journalists, it considered the information did not identify the complainant and was not ‘personal information'. However, during the investigation, the agency conceded it had disclosed the complainant's personal information in breach of IPP 11.

The Commissioner exercised the powers of conciliation under section 27(1)(a) of the Privacy Act to attempt to resolve the matter.

The agency formally apologised and paid compensation to the complainant. It also made significant changes to how personal information is protected in similar compliance activities and undertook additional privacy training of its compliance officers.

Satisfied that the matter had been adequately dealt with by the agency, the Privacy Commissioner closed the matter under section 41(2)(a) of the Privacy Act.