Site Changes

On 1 November 2010 the Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner and a new website established at www.oaic.gov.au.

Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.

Types

Topic(s): Compliance

Media Statement: Privacy Commissioner publishes case notes 1 - 4 for 2006

1 March 2006

The Privacy Commissioner, Karen Curtis, has today released four case notes regarding personal information handled by a credit provider, a banking institution, insurance company and an Australian Government agency.

The Privacy Commissioner publishes case notes of finalised complaints that are considered to be of interest to the general public. Not all complaints are recorded in case notes so the published notes only illustrate the types of cases resolved by the Office rather than giving a comprehensive account of them.

Most cases chosen for inclusion in case notes involve new interpretation of the Act or associated legislation, illustrate systemic issues, or illustrate the application of the law to a particular industry. The notes do not identify the parties to the complaint. Identities are kept confidential to maintain the privacy of the parties involved.

The Privacy Act makes it a function of the Commissioner to endeavour to resolve complaints by conciliation where appropriate (s.27(1)(a)). As a result, the outcome in any particular case will reflect a number of factors, including the applicable law, the facts of the matter and the approach to the conciliation process taken by both complainant and respondent. Please visit the Complaint Case Notes and Complaint Determinations page for more details.

In A v Credit Provider [2006] PrivCmrA 1 the complainant alleged that there was an improper default listing on their consumer credit information file, as they had not received the required notice prior to the default being listed.

The Commissioner's view was that while some level of overdue notice had been provided, the information included in the notice was inaccurate and did not serve to notify the complainant of the default status of the account. The credit provider removed the improper listing and also came to a confidential settlement with the complainant.
In B v Australian Government Agency [2006] PrivCmrA 2 the complainant alleged that the agency had not taken reasonable steps to protect personal information held in a computer file.

As the agency promptly admitted to breaching Information Privacy Principle 4(a) the matter was able to be resolved quickly. The agency offered the complainant an apology, transferred the information to a more secure place and paid for the complainant's counselling as a result of distress caused by the incident.
In C v Insurance Company [2006] PrivCmrA 3 the complainant alleged that access to information collected about them by the insurance company was not provided to them during the course of an investigation.

The insurance company claimed that by providing access to certain documents they would be compromising the privacy of other individuals and would also reveal sensitive commercial information. During preliminary enquiries into the matter, the Commissioner viewed documents that the complainant had as yet not received. The Commissioner decided that, in this case, the insurance company could withhold some information either because disclosure would have an unreasonable impact on the privacy of third parties or because it was sensitive commercial information. However the Commissioner considered that information in some of the documents should be disclosed and advised the insurance company to mask portions of the document that related to third parties or that contained sensitive commercial information before providing them to the complainant.

The insurance company agreed to provide access to the documents with portions masked.
In D v Banking Institution [2006] PrivCmrA 4 the complainant alleged that the banking institution was gathering unnecessary marital status information for the purposes of opening a deposit account. The banking institution advised the complainant that it was unable to open the account without entering information into the 'marital status' field on its computer system. It offered a 'workaround' as system changes could not occur quickly.

The Commissioner's view was that the collection of marital status information for the purposes of opening a deposit account was unnecessary and in consultation with the Commissioner the banking institution agreed that it would change its computer system so that when individuals applied for a deposit account, they would no longer be required to disclose their marital status if they did not wish to. Further the banking institution agreed to report to the Commissioner on the progress of the implementation program and would also raise the matter with its industry body as it appeared to be an industry-wide practice.