Media Announcement: Privacy Commissioner publishes case notes 19 - 22 for 2006
30 August 2006
The Privacy Commissioner, Karen Curtis, today released four case notes relating to personal information handled by a law firm, banking institution, health service provider and a credit provider:
T v Law Firm PrivCmrA 19 involved a law firm that was handling two separate insurance-related cases relating to the one person (the complainant). The complainant alleged that the law firm had disclosed information about the complainant that it had obtained from the client for the first case to the client for the second case, to support the latter's unrelated case against the complainant.
During the investigation by the Commissioner, the law firm admitted that it had used the information in this regard, but stated that it believed it was authorised to do so under the Privacy Act, as it suspected the complainant was engaged in an unlawful activity.
However, the Commissioner took the view that the use of the information in this instance was not a necessary part of an investigation of the complainant's suspected unlawful activity and, as such, the law firm had breached NPP 2 by using and disclosing the complainant's personal information. The complainant received an apology from the law firm together with an amount of compensation.
In U v Banking Institution PrivCmrA 20, the complainant and their spouse had entered into a loan with a banking institution. After moving addresses, the couple contacted the institution to update their details. However, the banking institution sent the next statement addressed to one of them (the complainant) at their old address. The complainant and their spouse telephoned the banking institution on several occasions, alerting them to their updated contact details. Despite this, some months later the banking institution sent loan default notices to the old address, with the word 'default' visible through the plastic window of the envelope.
The complainant complained to the banking institution about the incorrect address and the embarrassment they claimed had resulted from the word 'default' being visible to third parties, and received both a verbal and written apology. Dissatisfied with the handling of their complaint, the complainant wrote to the Privacy Commissioner. The Commissioner found that a failure by the banking institution to update the contact details was a breach of NPP 3.
Regarding the word 'default', the Commissioner accepted the banking institution's assertion that its external mailing house had incorrectly folded the letter and that this would not recur.
In V v Health Service Provider PrivCmrA 21, a parent complained to a health service provider on behalf of their teenage child about the provider's loss of the child's medical records. The provider had twice conducted a search of its files, but concluded that the record had likely been misfiled. The provider apologised and advised that it had attempted to reconstruct the record using electronic or other sources. Dissatisfied with the provider's action, the parent took the matter to the Privacy Commissioner.
The Commissioner investigated to establish whether the provider had breached NPP 4.1, which requires an organisation to take reasonable steps to protect personal information it holds from loss. The Commissioner concluded that the provider's file management policy was reasonable and that the loss of the file was the result of human error, not of a systematic procedural problem. The Commissioner also noted that the provider had made a significant effort to locate the record and then to reconstruct the record. As a result, the Commissioner formed the view that the provider had adequately dealt with the complaint.
In W v Credit Provider PrivCmrA 22, a credit provider had listed a 'serious credit infringement' on the complainant's consumer credit information file in relation to a loan. In accordance with its then record retention policy for a serious credit infringement, the credit reporting agency removed the listing after five years. However, the complainant subsequently discovered that the credit provider had re-listed the infringement on the file.
The complainant was dissatisfied with the response they had received from the credit provider after complaining about the matter and lodged a complaint with the Privacy Commissioner. The credit provider asserted that, at the time of the second listing, the previous listing did not appear on the complainant's file. However, evidence disproved this. The respondent also suggested that the second listing was for a different reason: the first had been for a failure by the complainant to comply with their credit obligations; the second was due to possible fraud.
The Commissioner took the view that any subsequent refusal to fulfil credit obligations after the first listing formed part of the same infringement and that no evidence had been provided supporting the claim that the second listing was made due to the complainant having committed fraud. For these reasons, the Commissioner found that the credit provider had breached section 18E(1)(b)(x) of the Privacy Act, which allows credit providers to only make one serious credit infringement listing in relation to the same infringement.
The credit provider advised the Commissioner that it had changed its procedures for listing infringements. The Commissioner was satisfied with these actions and, as the complainant did not substantiate their claim for compensation, the Commissioner closed the complaint.
The Privacy Commissioner publishes case notes of finalised complaints that are considered to be of interest to the general public.
Most cases chosen for inclusion in case notes involve interpretation of the Privacy Act or associated legislation in new circumstances, illustrate systemic issues, or illustrate the application of the law to a particular industry.
The case notes offer a synopsis of the various issues and considerations involved in a particular complaint and its resolution; they are not intended to be a comprehensive account.
The Privacy Act makes it a function of the Commissioner to endeavour to resolve complaints by conciliation where appropriate (s.27(1)(a)). As a result, the outcome in any particular case will reflect a number of factors, including the applicable law, the facts of the matter and the approach to the conciliation process taken by both the complainant and respondent. Please visit the Complaint Case Notes and Complaint Determinations page for more details.