Australia: Through the looking glass – notes on privacy

Traps for the unwary

As the National Privacy Awareness Week 2011 drew to a close on 7 May 2011, the Australian Information Commissioner (formerly the Privacy Commissioner) released further case notes on investigations concerning privacy related complaints.

Case 1: Collection by CSP for a government agency

A government agency engaged a contract service provider (CSP) to conduct an investigation relating to allegations of inappropriate behaviour by the complainant in a meeting with a third party. The complainant claimed the CSP acted in an unlawful or unfair manner by obtaining personal information about him from the third party. He also alleged that the investigation was unfair as it was discriminatory. The CSP collected the information from the third party by correspondence and through an interview.

The Commissioner found that the CSP collected the information for a lawful purpose of investigating conduct. It was within the terms of the contract between the CSP and the government agency, and necessary for the purposes of the investigation. The collection of information was not unfair as it did not involve misleading or deceptive conduct by the CSP.

The Commissioner also found that the method of collection did not unreasonably intrude upon the complainant's personal affairs. The information they collected was up to date and relevant for the purposes of the investigation.

This case illustrates that privacy laws apply to CSPs of government agencies. Government agencies are bound by the Information Privacy Principles (IPP), and the Privacy Act requires them to contractually ensure that CSPs are also bound.

Case 2: Disclosure by insurer to insured's family member

The complainant's cousin was involved in a motor accident while driving the complainant's car. During the course of the claims investigations, the insurance company contacted a family member of the complainant who had similar initials to ask if they were the driver. The insurance company disclosed details about the complainant's name, their insurance policy and policy number to the family member.

The Commissioner found that under the National Privacy Principles (NPP), the insurance company was not permitted to disclose personal information about a person for a purpose other than the primary purpose of collection. The complainant's personal information should not have been disclosed to the family member who had no involvement with the claim or accident.

The insurance company apologised to the complainant for the disclosure. As there was no evidence for a claim for compensation, the Commissioner was satisfied the apology was sufficient.

Case 3: Refusal by charitable organisation to grant access to personal information

The complainant sought to access personal records held by a charitable organisation. The charitable organisation denied the request based on two of the listed exemptions in NPP 6.1, namely that disclosure would pose a threat to the life and health of the complainant and other individuals, and would unreasonably intrude on the privacy of the other individuals.

The Commissioner informed the charitable organisation that it would need to provide evidence as to how the records would pose a threat to the complainant's life and health, or if appropriate, allow an intermediary to access the records. A health professional nominated by the complainant was allowed first access to the records to assess the suitability of disclosure. After the health professional decided the records were suitable to be disclosed, the complainant was allowed access accompanied by the health professional.

The charitable organisation was compelled to release documents involving the person's dealings with staff of the organisation and other individuals, even where they were located in another person's files. To protect the privacy of the relevant staff and other individuals, the charitable organisation was entitled to redact parts of the file.

The complainant alleged that some documents were missing. However, the Commissioner was satisfied the charitable organisation had taken reasonable steps to provide access to the complainant's personal information. The charitable organisation had searched for the documents at its own "significant" costs, contacted an overseas office regarding them, and offered to conduct more searches at the complainant's expense.

This case illustrates that if you wish to rely on an NPP 6.1 exemption to deny a person access to their personal information, you need to have evidence that the exemption applies and consider the appropriateness of using an intermediary. It also gives an indication of the searches an organisation will be required to make to locate lost documents.

Case 4: Improper disclosure of employee's personal information by a charity

The complainant was an employee of a charity, and had approached one of the charity's publicly available services for assistance in a personal matter. The charity disclosed the complainant's application to the complainant's immediate supervisors.

Under the Privacy Act, an organisation cannot disclose or use personal information other than for the primary purpose of collection. An exemption exists for employee records, if the disclosure or use directly relates to a current or former employment relationship and the document is held in an employment record. When the Commissioner started to investigate the matter, the charity voluntarily admitted it misused the complainant's personal information.

The Commissioner attempted to conciliate the matter between the parties. The complainant sought compensation for health treatments and other costs incurred, and for injured feelings. The outcome was the parties settled the matter after the charity gave an apology, explanation and gave compensation to the complainant.

This case is a reminder that the exemption for employee information must relate directly to the employment relationship. Where the services you offer to the public can also be utilised by employees, it is important to ensure policies and procedures are put in place to prevent inadvertent disclosure of the employee's personal information.

Case 5: Disclosure of medical records connected with legal proceedings

A person commenced legal proceedings relating to their health against an insurance company. The person complained that the defendant's law firm breached the Privacy Act by accessing the person's medical records produced under subpoena, and by providing the records to another law firm when they later took on the defence case.

The Commissioner declined to investigate the complaint. NPP 2 allows an organisation to collect medical information if it is necessary for the establishment, exercise or defence of a legal or equitable claim. The disclosure of the information to the second law firm was also for the purposes of defending the legal claim. As such, there were no breaches of the Privacy Act .

Case 6: Listing a credit default by a credit provider

The complainant alleged that a default was improperly reported on their consumer credit file by the credit provider because they were never given a final notice of the outstanding debt.

In fact, the credit provider was assigned this particular debt from an original credit provider. The original credit provider had sent the complainant a notice which informed them of the assignment of debt, and a notice of demand stating that the default may be listed if the outstanding debt was not paid within 60 days.

The Commissioner considered that the credit provider, by virtue of the assignment, had assumed all the rights and responsibilities of the original credit provider. The Commissioner also found that the original credit provider had taken the appropriate steps to entitle them to list the default. As a result, the credit provider could also list the default. There was no interference with the complainant's privacy.

If you have any questions about the issues raised in these cases or their impact on your business, please contact:

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.