The Privacy Commissioner, Karen Curtis, has today released five case notes regarding personal information handled by a money transfer service, a taxation accountant, a chartered accountant, a retail company, and a utility company and industry group.

The Privacy Commissioner publishes case notes of finalised complaints that are considered to be of interest to the general public. Not all complaints are recorded in case notes so the published notes only illustrate the types of cases resolved by the Office rather than giving a comprehensive account of them.

Most cases chosen for inclusion in case notes involve new interpretation of the Act or associated legislation, illustrate systemic issues, or illustrate the application of the law to a particular industry. The notes do not identify the parties to the complaint. Identities are kept confidential to maintain the privacy of the parties involved.

The Privacy Act makes it a function of the Commissioner to endeavour to resolve complaints by conciliation where appropriate (s.27(1)(a)). As a result, the outcome in any particular case will reflect a number of factors, including the applicable law, the facts of the matter and the approach to the conciliation process taken by both complainant and respondent. Please visit the Complaint Case Notes and Complaint Determinations page for more details.

• In E v Money Transfer Service [2006] PrivCmrA 5 the complainant alleged that in the course of making an electronic transfer to their family in a foreign country the money transfer service had improperly transferred information overseas and to a foreign regulatory body.

  The Commissioner found that the complainant had been informed of the reasons their money transfer had been halted and for what purpose they needed to provide further information. The Commissioner was of the view that the complainant's consent to the transfer could be implied from the complainant's actions, and for this reason, the transfer did not breach the Privacy Act.

• In F and G v Taxation Accountant [2006] PrivCmrA 6 the complainants alleged that the taxation accountant had improperly disclosed their Tax File Numbers to a debt collector and solicitor for the purpose of pursuing a debt.

  The Commissioner's view was that the disclosure of the Tax File Numbers was inconsistent with the Tax File Number Guidelines. The taxation accountant agreed to the complainants' request for an apology and compensation for costs associated with obtaining new group certificates.

• In H v Chartered Accountant [2006] PrivCmrA 7 the complainant alleged that the chartered accountant had improperly disclosed their Tax File Number to over one hundred fellow employees.

  The chartered accountant apologised to the complainant for any inconvenience caused by the incident. However, the complainant believed that the chartered accountant was not doing enough to address the issues and complained to the Privacy Commissioner. In consultation with the Commissioner the chartered accountant agreed to take a number of steps to resolve the matter including writing to the complainant and all affected employees apologising for the disclosure of their Tax File Numbers and advising them of the process to obtain a new Tax File Number, reminding the chartered accountant's staff of their obligations under the Tax File Number Guidelines, and instituting Guidelines for the handling of outgoing mail to help prevent such an occurrence happening in the future.

• In I v Retail Company [2006] PrivCmrA 8 the complainant alleged that the retail company had collected sensitive information about the individual's criminal record without their consent and raised concerns about the security of the information which had been recorded on a database and the period for which the information had been retained.

  The complainant's information had been collected by the retail company prior to the commencement of the National Privacy Principles on 21 December 2001 and therefore was not subject to the Privacy Act. However regardless of when information is collected, an organisation is required to take steps to ensure the security of the information and to destroy or permanently de-identify personal information if it is no longer needed. The Commissioner was satisfied that appropriate security measures were in place and that a proposed upgrade of the database and changes to the organisation's retention policy would satisfy these requirements.

• In J v Utility Company and Industry Group [2006] PrivCmrA 9 the complainant, who was a member of an industry group and a sole trader, alleged that their industry group had improperly disclosed and collected personal information from their utility company and that the utility company had improperly disclosed the information to the industry group. While business information is not usually covered by the Privacy Act, in this case, as the complainant was a sole trader, the information was found to identify the complainant.

  The industry group's disclosure and subsequent collection of personal information was considered necessary for the purpose of providing advice to its members and that this would be within the expectations of its members. The industry group was therefore found not to be in breach of the Privacy Act.

  The Commissioner's view was that the disclosure by the utility company was inconsistent with the National Privacy Principles. However, the complaint was closed after attempts at conciliation failed as the complainant was seeking a remedy that was not within the Commissioner's powers to pursue.