26 March 2003

"Most businesses are keen to do the right thing when we begin to investigate allegations of privacy breaches by them," said Privacy Commissioner, Malcolm Crompton.

The Commissioner's comments came during the release of case notes that summarise his investigations into two privacy complaints involving people's financial information.

"In terms of privacy practices and compliance with the Privacy Act, it's clear that some businesses still have some work to do," Mr Crompton said.

"However, most organisations that we investigate seem keen to resolve privacy problems quickly, with many organisations deciding to put preventative measures in place to ensure that privacy problems don't re-occur.

"Even in cases where it seems that there has been no breach of the Act by organisations, they are keen to observe good privacy practices. Businesses understand that good privacy is good business and that they can not afford to breach the privacy of their customers in a competitive marketplace."

In the recently released case note 3, where it was alleged that a staff member of the financial institution had accessed personal information about the complainant's investment account and disclosed it to the staff member's family, the Commissioner found no breach of the Act.

The Commissioner arrived at his decision because the alleged privacy breach occurred before the commencement of the Privacy Amendment (Private Sector) Act 2000, which began on 21 December 2001. Had the situation occurred after 21 December 2001 it is likely that the Commissioner would have found that the company had breached the Act.

Even though no breach of the Act was found, the organisation undertook to change its practices by establishing an audit trail on the mainframe where personal information is stored so that staff access to customers' personal information would be recorded.

"I am encouraged by the response to this issue by the financial institution and expect other similar organisations to learn the lessons of this case, to address their information technology issues and therefore to avoid breaching their customers' privacy," said Mr Crompton.

In case note 4, it was alleged that the credit worthiness information of an individual was improperly disclosed to her former partner by a retail store that both people had credit accounts with. The Commissioner found that credit information about a person had been inappropriately disclosed to another. The matter was resolved to the satisfaction of the two parties with the retailer apologising to their customer and paying them $750 in compensation.

"All holders of personal information covered by the Act need to heed the lessons that stem from these two cases," said Mr Crompton.

"It's a requirement of the Act to ensure that only the appropriate people in an organisation have access to personal information and that personal information is only disclosed to those who have a right to see it.

"I look forward to working with organisations to help them get privacy right," he said.

Inappropriate disclosure of information is the number one issue the Office of the Privacy Commissioner receives calls and complaints about. Since 21 December 2001 the Office has received more that 4000 calls and 235 complaints about this problem.

The case notes are available @ http://www.privacy.gov.au/law/apply/determinations/.