The Privacy Commissioner, Karen Curtis, has today released five case notes regarding personal information handled by tenancy database companies, health service providers and a utility provider.

The Privacy Commissioner publishes case notes of finalised complaints that are considered to be of interest to the general public. Not all complaints are recorded in case notes so the published notes only illustrate the types of cases resolved by the Office rather than giving a comprehensive account of them.

Most cases chosen for inclusion in case notes involve interpretation of the Act or associated legislation in new circumstances, illustrate systemic issues, or illustrate the application of the law to a particular industry. The notes do not identify the parties to the complaint. Identities are kept confidential to maintain the privacy of the parties involved.

The Privacy Act makes it a function of the Commissioner to endeavour to resolve complaints by conciliation where appropriate (s.27(1)(a)). As a result, the outcome in any particular case will reflect a number of factors, including the applicable law, the facts of the matter and the approach to the conciliation process taken by both complainant and respondent. Please visit the Complaint Case Notes and Complaint Determinations page for more details.

• In K v Tenancy Database Company [2006] PrivCmrA 10 the complainant alleged the tenancy database company had included a default listing made by a real estate agent with whom the complainant had no dealings on its tenancy database.

  The Commissioner found that the tenancy database company had not taken reasonable steps to ensure that the information listed by the real estate agent was up-to-date and as a result had breached the Privacy Act. The tenancy database company removed the listing and the complaint was closed on the grounds that the tenancy database company had adequately dealt with the matter.

• In L v Health Service Provider [2006] PrivCmrA 11 a complainant's request for access to their personal information was denied on the grounds that the health service provider had prepared the report for an insurance company for a fee. The health service provider therefore claimed it was not the owner of the report and was not obliged to provide access.

  The Commissioner found that unless an exception to National Privacy Principle 6 applied the right to access personal information applied regardless of whether the documents had been written by the organisation or by another entity.

  Following consultation with the insurance company the health service provider agreed to provide access to the personal information.

• In M v Health Service Provider [2006] PrivCmrA 12 the complainant alleged that a health service provider had disclosed details of medical tests for sexually transmitted diseases, undertaken by the health service provider, to the complainant's partner. The complainant claimed that they had suffered serious hurt and embarrassment resulting from the disclosure.

  The health service provider acknowledged and apologised for the disclosure, stating that a new employee who understood that the results of tests should not be disclosed, did not realise that the types of tests undertaken should also not be disclosed.

  The complainant felt that an apology was not an adequate resolution to the complaint and sought compensation for loss and emotional distress and embarrassment. The health service provider agreed to the Commissioner conciliating a settlement, an amount was agreed to by the parties and the investigation was closed.

• In N v Utility Provider [2006] PrivCmrA 13 the complainant alleged that a utility provider improperly disclosed their personal information and also failed to secure their personal information against unauthorised access and disclosure. Specifically, the complainant alleged that their ex-partner, an employee of the utility provider, improperly accessed the complainant's accounts in order to ascertain information about the complainant's assets.

  The Commissioner found that it was not possible to say definitively whether the complainant's ex-partner had improperly disclosed the information and declined to deal further with the matter relating to the alleged disclosure. However, with regard to the security issue the Commissioner found that the utility provider had not taken adequate steps to protect the complainant's personal information against misuse and loss, and from unauthorised access, modification or disclosure.

  In response to the Commissioner's finding the utility provider agreed to implement an interim solution, this was put to the complainant, and in the absence of further comments the Commissioner then closed the complaint.

• In O v Tenancy Database Company[2006] PrivCmrA 14 the complainant claimed that an inaccurate listing had been listed on a tenancy database. The information was removed but a short time later the listing was amended, the complainant also claimed that this new listing was incorrect and complained to the Privacy Commissioner.

  The Commissioner found that the generic listing categories used by the tenancy database company meant that the record could not be considered complete and was in breach of the Privacy Act. However, the category listing 'rental arrears during tenancy' was accurate, complete and up-to-date and the Commissioner found that there was no obligation on the tenancy database company to remove the listing.