Site Changes

On 1 November 2010 the Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner and a new website established at www.oaic.gov.au.

Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.

Types

Topic(s): Data accuracy

M v Body Corporate [2010] PrivCmrA 15

document icon pdf (145.33 KB)

Case Citation:

M v Body Corporate [2010] PrivCmrA 15

Subject Heading:

Accuracy and security of personal information

Law:

National Privacy Principles 3 and 4.1 in Schedule 3 of the Privacy Act 1988 (Cth).

The following case was decided by the Privacy Commissioner prior to 1 November 2010. On 1 November 2010 all the powers of the Privacy Commissioner under the Privacy Act were conferred on the Australian Information Commissioner.

Facts:

The complainant belonged to a body corporate and had listed their post office box as their mailing address.

They began receiving correspondence from the body corporate at their residential address rather than their post office box.

The complainant advised the body corporate of the error and it updated the complainant's postal address. Not satisfied with this action, they complained to the Commissioner.

Issues:

NPP 3 provides that an organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

NPP 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Outcome:

The Commissioner conducted preliminary inquiries into the complaint under section 42 of the Privacy Act.

The body corporate advised that it had sent an address update form to the complainant. The complainant completed the form, confirming their post office box as their mailing address and updated their residential address. A staff member at the body corporate made an error by updating the complainant's residential address as the mailing address.

The Commissioner assessed whether the body corporate had reasonable steps in place to ensure data quality under NPP 3. The body corporate had policies in place that set out the steps staff should take when amending client details. The body corporate also conducted regular staff training on these (and other) procedures. The practice of regularly sending its clients forms to update their details was a relevant step by the body corporate.

Although addressing the mail to the residential address was a use of inaccurate information under NPP 3, the Commissioner concluded that it was a one-off error which did not suggest that the body corporate had not taken reasonable steps to protect the individual's personal information. Therefore, given the steps it had in place, the Commissioner found that the body corporate had met its obligation under NPP 3.

The Commissioner also found that the body corporate's general security procedures and training met its obligation under NPP 4.1.

The Commissioner declined to investigate the complaint under section 41(1)(a) of the Privacy Act on the grounds that the body corporate had not interfered with the complainant's privacy.

Office of the Australian Information Commissioner
December 2010