30 June 2006

The Privacy Commissioner, Karen Curtis, has today released four case notes regarding personal information handled by an electrical goods retailer, a financial institution, a medical equipment supplier and a telecommunications provider.

The Privacy Commissioner publishes case notes of finalised complaints that are considered to be of interest to the general public. Not all complaints are recorded in case notes so the published notes only illustrate the types of cases resolved by the Office rather than giving a comprehensive account of them.

Most cases chosen for inclusion in case notes involve interpretation of the Act or associated legislation in new circumstances, illustrate systemic issues, or illustrate the application of the law to a particular industry. The notes do not identify the parties to the complaint. Identities are kept confidential to maintain the privacy of the parties involved.

The Privacy Act makes it a function of the Commissioner to endeavour to resolve complaints by conciliation where appropriate (s.27(1)(a)). As a result, the outcome in any particular case will reflect a number of factors, including the applicable law, the facts of the matter and the approach to the conciliation process taken by both complainant and respondent. Please visit the Complaint Case Notes and Complaint Determinations page for more details.

• In P v Electrical Goods Retailer [2006] PrivCmrA 15 the complainant alleged that an electrical goods retailer interfered with their privacy by improperly using and disclosing their personal information to an unrelated third party. Specifically, the complainant paid a deposit on a refrigerator but failed to pay the balance on receipt of the goods. On several occasions, the spouse of the sales representative who sold the refrigerator visited the residential address of the complainant to demand return of or payment for the refrigerator. As such, the complainant alleged that the sales representative improperly used their personal information and improperly disclosed it to the spouse of the sales representative.

  During the investigation, the Commissioner found that the use of the complainant's personal information for the purpose of attempting to recover the outstanding debt was directly related to the primary purpose of the collection of the information and that the complainant would reasonably expect a representative from the electrical goods retailer to contact them regarding the debt. However, the Commissioner found that the electrical goods retailer had breached NPP 2.1 by disclosing the complainant's personal information to the sales representative's spouse. The Commissioner found the electrical goods retailer to be the liable party under section 8(1)(a) of the Privacy Act even though the electrical goods retailer was not aware of the actions of its sales representative or their spouse.

  The parties agreed on a confidential settlement and the Commissioner closed the complaint.

• In Q v Financial Institution [2006] PrivCmrA 16 the complainant alleged that a financial institution failed to take reasonable steps to protect their personal information from unauthorised access or disclosure. The complainant requested that the financial institution remove the name of an additional cardholder and that cardholder's access rights to the complainant's credit account. While the additional cardholder's name and their general access to the account were removed, their internet access to the account remained active thus allowing them to view the complainant's transactions.

  With the consent of the complainant and in accordance with the Commissioner's queue referral policy, the complaint was referred to the financial institution for possible resolution. The financial institution resolved the matter directly with the complainant by providing an explanation of the incident, amending its practices and by agreeing to pay compensation to the complainant. In particular, the financial institution advised that the error occurred due a manual verification process which had since been changed so that there is now no delay in de-activating the internet account access.

• In R v Medical Equipment Supplier [2006] 17 the complainant alleged that a medical equipment supplier improperly listed a payment default on their consumer credit information file. Specifically, the complainant alleged that they hired and paid for certain medical equipment while also being provided additional equipment on a free trial basis. The medical equipment supplier listed the complainant's failure to pay for the additional equipment on their consumer credit information file held by a credit reporting agency.

  In considering the matter, the Commissioner found that the medical equipment supplier was deemed to be a credit provider by virtue of the Commissioner's Credit Provider Determination No. 2006-02 (Classes of credit providers).

  During the investigation of the complaint, the Commissioner observed that the payment default listed on the complainant's consumer credit information file appeared to correspond to unpaid rental fees for the two additional items. The receipt provided to the complainant on collection of these items did not indicate the monthly charge that would be incurred after the conclusion of the trial period for both items. There was also no indication of the specific nature of the credit that the individual was applying for. As the amount of credit purportedly extended to the complainant was not specified, the Commissioner found that there was no clear evidence that the complainant had entered into a loan agreement or understanding with the medical equipment supplier with regard to these items. As such, the debt owed in relation to the additional items could not be defined as credit under the Privacy Act and the default listing was considered inconsistent with section 18E(1)(b)(vi).

  In response, the medical equipment supplier removed the default listing from the complainant's consumer credit information file, developed a privacy policy for publication, limited the provision of credit and implemented a new rental agreement.

• In S v Telecommunications Provider [2006] 18 the complainant alleged that a telecommunications provider failed to comply with its obligations under the credit provisions of the Privacy Act and Credit Reporting Code of Conduct. The complainant was the guarantor for an account that a third party had with the telecommunications provider. The complainant alleged that the telecommunications provider failed to provide them with notice that the third party was overdue on the account and failed to take steps to recover the overdue payment from them in their capacity as guarantor before listing a default on their consumer credit information file.

  During the investigation, the Commissioner discovered that the telecommunications provider had attempted to take steps to recover the debt by notifying the third party but not the guarantor. As such, the Commissioner found that the telecommunications provider had not complied with its obligations under the Privacy Act and the Credit Reporting Code of Conduct.

  The complainant accepted the telecommunications provider's offer to provide the complainant with a letter of apology, an amount of compensation and to waive 50 per cent of the outstanding debt owed to it. Prior to the commencement of the investigation, the telecommunications provider also removed the default listing it had recorded on the complainant's consumer credit information file.