29 June 2005

The Privacy Commissioner, Karen Curtis, has today released case notes 8 to 18 regarding personal information handled by credit providers, insurance providers, employment agencies, a telecommunications service provider, an internet service provider and federal government agencies.

The Privacy Commissioner publishes case notes of finalised complaints that are considered to be of interest to the general public. Not all complaints are recorded in case notes so the published notes only illustrate the types of cases resolved by the Office rather than giving a comprehensive account of them.

Most cases chosen for inclusion in case notes involve new interpretation of the Act or associated legislation, illustrate systemic issues, or illustrate the application of the law to a particular industry. The notes do not identify the parties to the complaint. Identities are kept confidential to maintain the privacy of the parties involved.

The Privacy Act makes it a function of the Commissioner to endeavour to resolve complaints by conciliation (s.27(1)(a)). As a result, the outcome in any particular case reflects a number of factors, including the applicable law, the facts of the matter and the approach to the conciliation process taken by both complainant and respondent. Please visit the Complaint Case Notes and Complaint Determinations page for more details.

• In K v Credit Provider [2005] PrivCmrA 8 the complainant alleged that there was an improper listing of a serious credit infringement on their consumer credit information file. The Commissioner's view was that the credit provider made an improper listing on the complainant's file. The credit provider removed the improper listing and as a result the Commissioner closed the complaint as having been adequately dealt with.
• In L v Insurer [2005] PrivCmrA 9 the complainant alleged that their personal information was inappropriately disclosed from one insurance company to another. As the insurance company was a member of the General Insurance Information Privacy Code, the Commissioner referred the complaint to Insurance Enquiries and Complaints Ltd (now known as the Insurance Ombudsman Service Limited).
• In M v Australian Government Agency [2005] PrivCmrA 10 the complainant alleged that there was an inappropriate disclosure of personal information to a new employer about an incomplete internal investigation. The Commissioner conciliated a resolution that included the agency making a formal written apology, and providing, the complainant, with an explanation of the findings of its investigation regarding the improper disclosure.
• In OPC v Banking Institution [2005] PrivCmrA 11 the Office conducted an own motion investigation (OMI) into the automated disclosure, by a banking institution, of personal information following the use of an incorrect facsimile number. Following the Office's OMI, the banking institution stopped using a facsimile-based service to receive customers' personal information, and introduced a secure on-line service and permanently decommissioned the fax number. The other organisation involved also confirmed that it blocked all faxes other than those from designated numbers.
• In N v Australian Government Agency [2005] PrivCmrA 12 the complainant alleged that their personal information was disclosed by an agency to a third party leading to defamation proceedings against the complainant. After the defamation action ceased, the Commissioner conciliated the complaint and the parties reached a confidential settlement to remedy the breach of the Privacy Act.
• In OPC v Employment Services Company [2005] PrivCmrA 13 the Office conducted an own motion investigation (OMI) into the improper collection of personal information on an employment service's application forms. As a result of the investigation, the employment services company agreed to not collect tax file number and credit card details, only sight passports rather than copy them, review their forms to remove references to unnecessary uses and disclosures and to use an opt-in method of consent for unrelated uses of individuals' personal information.
• In O v Australian Government Agency B [2005] PrivCmrA 14 the complainant alleged that confidential personal information provided to Australian Government Agency (B) was disclosed to Australian Government Agency (A), with whom the complainant was in dispute. The Commissioner formed the view that, given the circumstances of the incident and the subsequent action taken, that Agency B had responded adequately to the issues raised. The Commissioner chose not to investigate as the complaint had been adequately dealt with.
• In P v Telecommunications Service Provider [2005] PrivCmrA 15 the complainant alleged that their wireless access protocol number was published in the publicly available residential telephone directory listed beside the complainant's previously undisclosed residential address. The telecommunications service provider offered the complainant compensation and implemented new audit procedures to reduce the risk of unauthorised publication of silent number information. The complainant accepted the telecommunications service provider's offer.
• In Q v Credit Provider B [2005] PrivCmrA 16 it was alleged that credit provider B had re-listed an overdue account on an individual's consumer credit information file after it had been purged from their record. Following the Commissioner's investigation credit provider B acknowledged that it had made an error and that the listing should be removed. Credit provider B contacted the credit reporting agency and instructed the credit reporting agency to remove the listing immediately.
• In R v Internet Service Provider [2005] PrivCmrA 17 the complainant alleged that their internet service provider (ISP) had improperly disclosed their personal information and failed to take reasonable steps to protect personal information when a third party requested that the password to the account be reset. The Commissioner's view was that in this instance the ISP failed to take reasonable steps to protect the complainant's personal information from unauthorised access and disclosure, and improperly disclosed the complainant's personal information to a third party. The Commissioner conciliated the matter, which concluded with a confidential settlement between the parties.
• In S v Credit Provider [2005] PrivCmrA 18 the complainant alleged that a commercial credit default was listed on their consumer credit information file and an enquiry was listed without a loan application. Following an investigation by the Office, both the enquiry and the payment default were removed from the complainant's credit file. The Commissioner sought from the credit provider written evidence that its staff were provided with Privacy Act training. The credit provider also provided a written apology to the complainant.