25 February 2005

The Federal Privacy Commissioner, Karen Curtis, has today released case notes 1 to 7 regarding excessive charges for access to records, a disputed credit file listing, inappropriate disclosure of personal information and a failure to appropriately secure documents when in transit.

In A v Insurer [2005] PrivCmrA 1, the complainant asked an Insurer for copies of all his personal information that it held. After assessing the documents the Insurer quoted an access charge of approximately $600 to cover its costs for retrieving and copying approximately 500 pages of documents. The complainant paid the charge and the Insurer provided the quoted documents, but withheld certain documents. The complainant alleged that the Insurer failed to provide reasons for denying access to the withheld documents.

The Commissioner decided that:

• after taking into account the opinion of the external medical consultant, the Insurer could not rely on National Privacy Principle 6.1(b) to deny the complainant access to certain documents;
• that the Insurer was entitled to rely on National Privacy Principle 6.1(e) in relation to the medical reports it had obtained to assist it in preparation of anticipated legal proceedings;
• that the access charge was not excessive; and
• that the Insurer had breached National Privacy Principle 6.7 by not providing reasons for denying access to certain documents.

The Insurer accepted the Commissioner's decision.

In B v Credit Provider [2005] PrivCmrA 2, the complainant received a demand in January 2003 for payment of outstanding telephone service charges covering a 12 month period up to September 1996. The complainant claimed an invoice had been paid in April 1996 and disputed owing further amounts.

In March 2003 the respondent listed a payment default in the amount of the debt on the complainant's consumer credit information file, held by a credit reporting agency.

Following an investigation by the Commissioner, the credit reporting agency advised the respondent about the prohibition against listing statute barred debts, and the payment default listing was removed from the complainant's consumer credit information file.

In C v Commonwealth Agency [2005] PrivCmrA 3, the complainant and his wife were employees of the respondent. The complainant's wife was the applicant in proceedings against the respondent in the Administrative Appeals Tribunal for compensation in relation to a health and safety issue. During proceedings the complainant's wife submitted to the Tribunal that she was not able to afford certain medical expenses. In reply, the respondent obtained information about the complainant's income from its payroll department which it submitted to the Tribunal as evidence of the applicant's financial standing.

The complainant argued that the respondent was not permitted to disclose his personal information to the respondent's legal counsel in relation to a matter which did not concern the complainant.

The Commissioner decided under section 41(1)(a) of the Act not to investigate the matter further on the grounds that the disclosure of personal information was authorised by law and therefore did not breach National Privacy Principle 2.1.

In D v Health Service Provider; E v Health Service Provider; F v Health Service Provider; G v Health Service Provider [2005] PrivCmrA 4, the Commissioner has published four case notes on four finalised complaints addressing a common issue, namely excessive charges for providing access.

D v Health Service Provider

• In this case, the complainant sought access to her medical records retained by a health service provider. The health provider proposed to charge the complainant $275 for access to the records. Following an investigation by the Commissioner, the respondent advised that the cost of providing access would be reduced to $85 to more accurately reflect the cost of preparing the documents.

E v Health Service Provider

• In this case, the complainant sought access to his medical records in the form of photocopies. The health service provider advised that the complete file would be available upon payment of $335.50. Following an investigation by the Commissioner, the health service provider reduced the cost of access to $155.50 in accordance with their revised access policy.

F v Health Service Provider

• In this case, the complainant sought access to his personal information and was advised that he would receive access to his records upon payment of a standard $25 access fee (which was later reduced to $15 because he was a student). The Commissioner was of the view that flat fees for granting access will be considered to be excessive in cases where the particular costs associated with providing access to an individual do not justify the flat fee. However the Commissioner was satisfied that the charge imposed for access in this instance ($15) was commensurate with the costs incurred by the health service provider in providing access and were therefore not excessive.

G v Health Service Provider

• The complainant sought to have his medical information transferred directly to his legal representatives and provided the medical practitioner with the requisite consent. The health service provider advised that access would only be provided directly to the complainant at the cost of $66. Following an investigation by the Commissioner, the health service provider agreed to consider amending its privacy policy to reflect the flexible rates for photocopying and forwarded the 32 pages of personal information sought by the complainant to his legal representatives for the cost of $32 and did not require that the complainant attend a consultation.

In H v Commonwealth Agency [2005] PrivCmrA 5, the complainant, a customer of a Commonwealth government agency, made a privacy complaint to that Commonwealth government agency about an officer of the agency improperly browsing her personal information. An investigation was conducted by the agency and as a result of the investigation the officer's employment with the agency was terminated.

The former officer was questioned by a current employee of the agency about the nature of his relationship with the complainant after work hours and offsite. The former officer provided the complainant's first name only. The complainant alleged that this questioning was a further breach of her privacy.

Following an investigation, although discussion of work related matters outside the workplace is regulated by the Act in many circumstances, the Commissioner was of the opinion that based on the information supplied by the complainant the agency had dealt appropriately with the issue by terminating the officer's employment and offering the complainant a written apology.

On the matter of the other allegation the Commissioner was of the opinion that the information was sought by the current employee as a matter of curiosity and in their personal capacity as an individual and that the questioning did not relate to her work duties or to the functions of the agency.

Consequently, the acts of the current employee who raised questions about the complainant and her relationship with the former officer were not considered acts undertaken in the performance of her employment with the respondent agency. Accordingly, the Commissioner found that this act was not attributable to the agency and declined to investigate this aspect of the complaint.

In I v Commonwealth Agency [2005] PrivCmrA 6, the complainant alleged that a federal court had disclosed the complainant's name and address to a third party. Following an investigation, the Commissioner decided that there was no jurisdiction to further investigate the allegation because the alleged disclosure involved information that was recorded in a court order and the alleged disclosure occurred in the course of the judicial functions and activities of the agency therefore it was not an act done, or practice engaged in, in respect of an administrative matter.

In J v Superannuation Provider [2005] PrivCmrA 7, the complainant alleged that records relating to his superannuation disability claim were found on a public thoroughfare. The records included reports about covert surveillance undertaken by the superannuation provider as part of the claim assessment.

The Commissioner found there was a breach of National Privacy Principle 4.1 and then moved to conciliate a resolution of the matter. The parties agreed to resolution that included a formal written apology and a payment of compensation of $3500 for loss or damage including legal expenses and hurt and embarrassment. The superannuation provider also advised the Commissioner that it had changed its distribution policy to require that in future all couriered documents be signed for personally.

The Commissioner found the superannuation provider had not breached National Privacy Principle 2.1 by collecting the information. The Commissioner found the superannuation provider had breached National Privacy Principle 6.5 by not taking reasonable steps to correct the information but decided not to investigate this aspect of the complaint further on the grounds that the superannuation provider had dealt adequately with the matter.

The Federal Privacy Commissioner publishes case notes of finalised complaints that she considers would be of interest to the general public. Not all complaints are recorded in case notes so the published notes only illustrate the types of cases resolved by the Office rather than giving a comprehensive account of them.

Most cases chosen for inclusion in case notes involve new interpretation of the Act or associated legislation, illustrate systemic issues, or illustrate the application of the law to a particular industry. The notes do not identify the parties to the complaint. Identities are kept confidential to maintain the privacy of the parties involved.

The Privacy Act makes it a function of the Commissioner to endeavour to resolve complaints by conciliation (s.27(1)(a)). As a result, the outcome in any particular case reflects a number of factors, including the applicable law, the facts of the matter and the approach to the conciliation process taken by both complainant and respondent. Please visit the Complaint Case Notes and Complaint Determinations page for more details.