Privacy case notes 12-17 for 2009

The Privacy Commissioner has released the following case notes:

In Own Motion Investigation v Financial Institution [2009] PrivCmrA 12 the Commissioner commenced an own motion investigation after being advised by an individual that a financial institution had been sending bank account statements to the previous occupant of the individual’s residential address for several years, despite these statements consistently being returned, marked ‘Return to sender. Address unknown’. The financial institution gave details to the Commissioner of its “Return to Sender” mail procedures. The Commissioner was satisfied that the financial institution had processes in place to meet its obligations under NPP 3 at the commencement of the investigation, and ceased the own motion investigation into the matter.

In J v Commonwealth Agency [2009] PrivCmrA 13 the complainant disputed his employer agency’s need to disclose information about an internal investigation involving him to a doctor assessing his workers compensation claim. The Commissioner was satisfied that the complainant would have been reasonably likely to know the information would be disclosed. The Commissioner also accepted that it is usual practice in workers compensation matters for an employer to provide the assessing doctor with all relevant information about the employee. The complaint was dismissed.

In K v Commonwealth Agency [2009] PrivCmrA 14 the complainant alleged that the disclosure of their spent conviction information by their employer agency in answer to a court subpoena was in breach of the Crimes Act. The Commissioner formed the view that the disclosure of the complainant’s spent conviction information by the agency met the requirements of section 85ZZH(c) because it was a disclosure to a court, and was therefore allowed under the Crimes Act.

In L v Health Service Provider [2009] PrivCmrA 15 the complainant alleged the payment default for health services did not relate to credit as defined by the Privacy Act and should not have been listed in his consumer credit information file. While the complainant had failed to pay for the medical procedure, the Commissioner considered the health service provider did not have a sufficient credit relationship with the complainant, and was not a credit provider in accordance with Determination No. 2006-2. The Commissioner formed the view that the health service provider had interfered with the complainant’s privacy by listing a payment default when it was not a credit provider in respect of the debt. In response to the complainant’s claim that the payment default prevented them from obtaining finance, the health service provider apologised, removed the payment default, and ceased its practice of reporting overdue accounts to a credit reporting agency. The complainant also accepted a confidential financial settlement.

In M v Financial Institution [2009] PrivCmrA 16 the complainant alleged the financial institution had improperly collected their personal information from a third party (a relative of the complainant’s former partner)and used it in making a decision about the complainant’s joint account, failing to ensure the personal information was accurate, complete and up-to-date. The financial institution argued that it did not collect information from the relative because it did not ask for the information. However, the Commissioner took the view that an organisation collects personal information if it gathers, acquires, or obtains information from any source and by any means (irrespective of whether the information was sought by the organisation). In addition, because the financial institution changed its accounts based on that information, the financial institution collected the information for inclusion in a record in accordance with section 16B of the Privacy Act.

Given the information was not provided by the account holders, was subject to change and had an effect on the complainant’s finances, the Commissioner took the view that the financial institution had not taken reasonable steps to check the accuracy of the personal information it collected from the third party. Therefore, the financial institution had failed to comply with NPP 3. The financial institution offered the complainant financial compensation. The complainant accepted the offer.

In N v Commonwealth Agency [2009] PrivCmrA 17 the complainant claimed that their employer agency improperly disclosed their personal information to a contractor hired to investigaste his complaints without his consent. The Commissioner was satisfied that the agency’s collection of personal information in the personnel and related files was for the purpose of administering the complainant’s employment. As the contractor was engaged to investigate complaints about the complainant’s working conditions, the Commissioner considered the use to be directly related to the administration of the complainant’s employment. Therefore, the Commissioner was of the view that the agency’s use of the complainant’s personal information was permissible under IPP 10.1(e), and as such, the issue of consent was not considered.

Print Friendly, PDF & Email

Your Compliance Support Plan

We understand you need a cost-effective way to keep up to date with regulatory changes. Talk to us about our fixed price plans.