Contents
The following guide sets out a number of privacy complaints and investigations undertaken by the Privacy Commissioner over the past five years, along with lessons for Commonwealth agencies.
The summaries of these investigations and what they mean for agencies are set out below under the following subject headings.
1. Collection of personal information p 2
The case summary provided under this heading illustrates the need for agencies to ensure that contractors who collect personal information on behalf of the agency comply with the collection principles and notification requirements of the Privacy Act 1988.
2. Data security p 3
The cases listed under this heading illustrate the need to take reasonable steps to protect personal information from loss, interference, unauthorised access, use and disclosure. The cases relate to the need to adequately protect information against hacking attempts, to take appropriate precautions when sending personal information, and to ensure appropriate data access arrangements are in place.
2.1 Hackers p 3
2.2 Data access arrangements p 5
2.3 Sending personal information p 6
3. Administrative decision making, investigations and legal proceedings p 9
The cases under this subject heading illustrate the privacy precautions that should be taken during investigation processes, and the circumstances in which disclosures of personal information may be made in the course of administrative decision making processes or legal proceedings.
4. Employees and Employment related uses and disclosures of personal information p 11
The cases set out in this section illustrate the need to adequately protect employee records from unauthorised access; the need to ensure spent convictions are not taken into account; the need to ensure the accuracy of personal information when investigating employee conduct; and the ability to disclose relevant employee personal information to third parties in certain circumstances.
5. Partners and Families p 14
The cases in this section illustrate that accepting information from, or disclosing personal information to, partners, spouses or other family members can cause significant distress, and in some instances, may lead to physical harm.
6. Ministers, Members of Parliament and the Media p 16
The cases in this section illustrate that where an individual makes a public complaint or a complaint to a Minister or Member of Parliament about an agency, that agency may respond appropriately, including, where necessary, by disclosing relevant personal information about the complainant.
7. Denying access to personal information p 18
The case summary provided under this heading illustrates that in appropriate cases, access to personal information may be refused.
[COMMGOV: 12499538_1] 2
1. Collection of personal information
The following case illustrates the need for agencies to ensure that contractors who collect personal information on behalf of the agency comply with the collection principles and notification requirements of the Privacy Act.
Case reference: I v Contracted Service Provider to Commonwealth Agency [2008] PrivCmrA 9, available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/
Facts: I provided their personal information to a contracted services provider (CSP) to an agency as a condition of entry to the premises managed by the CSP. The CSP entered the personal information in a computer database. I complained that they did not know the purpose for which the information was collected, how it would be used, or the authority or law under which it was collected.
Determination: The Commissioner determined that, while the organisation was required to maintain security and the data collection was for this purpose, insufficient notice regarding the purpose of the collection had been provided, in breach of IPP 2. The CSP added an appropriate notice to its visitor application form and displayed a notice in the visitor’s area in several languages. The Commissioner decided not to investigate further when satisfied that the respondent had dealt adequately with the matters giving rise to the complaint.
Lessons learnt: When providing notice that data is being collected, an agency and its contractors must comply with the requirements of APP2 (from 12 March 2014, APP5).
2. Data Security
The following cases provide examples of data security issues and mishaps. These cases illustrate the need to take reasonable steps to protect personal information from loss, interference, unauthorised access, use and disclosure. The cases relate to the need to adequately protect information against hacking attempts, to take appropriate precautions when sending personal information, and to ensure appropriate data access arrangements are in place.
Further information about the risks to the security of personal information that departments and agencies should consider, and the reasonable steps that it might be appropriate for an agency to take to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure, is provided in the OAIC's Guide to information security, available at: http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/guide-to-information-security.
2.1 Hackers
Case reference: AAPT and Melbourne IT (OMI, October 2013). Own Motion Investigations (OMIs) are available at: http://www.oaic.gov.au/privacy/applyingprivacy-law/privacyomi-reports/
Facts: Data, belonging to AAPT and held on a server managed by a webhosting business unit of Melbourne IT, was accessed and downloaded by hacker group Anonymous. Melbourne IT identified the incident after becoming aware of other attacks on their servers, and notified AAPT three days after the data transfers were completed. AAPT immediately disconnected from the Melbourne IT network and took steps to avoid further compromise of data. The stolen data, which was subsequently published by Anonymous, included personal information used for billing and phone number transfers, some of which was no longer in use at the time of the incident.
Determination: The Commissioner determined that, as AAPT had the right or power to deal with the information, AAPT was the body which ‘held’ the information for the purposes of NPP 4.1 and was as such responsible for it. AAPT had not contractually obliged Melbourne IT to update software to the latest and most secure version, assess security liabilities and take other steps to ensure the data was secure. AAPT also appeared to be unaware of the software being used to protect the data. The Commissioner therefore held that AAPT had failed to take reasonable steps to protect the information held by it, under NPP 4.1. AAPT also failed to take reasonable steps to implement their data retention policy requiring the deletion of unused information, contravening NPP 4.2. As Anonymous, an outside entity, published the data, AAPT was not responsible for the disclosure of personal information under NPP 2.1.
Lessons learnt: Similar requirements to those in NPPs 4.1 and 4.2 apply to Commonwealth agencies (under Information Privacy Principle 4) and from March 2014, will apply to public and private sector entities to which the Act applies under Australian Privacy Principle 11. The Commissioner's findings are, therefore, relevant to Commonwealth agencies now and in the future.
Agencies need to take reasonable steps to ensure that data held by contractors and third parties on their behalf is secure, either through ensuring the contractor/third party maintains software and takes other steps to address vulnerabilities or by doing so themselves. This responsibility is in addition to securing and addressing vulnerabilities in their own systems.
Subject to Commonwealth record keeping requirements under the Archives Act 1983, personal information which is no longer in use or required should be destroyed or permanently de-identified. Agencies need to develop and maintain systems to accomplish this, including liaising with the National Archives of Australia and establishing appropriate records authorities.
In the event of a data security breach, agencies should take immediate action to remedy the vulnerability, audit their systems and put in place adequate protections and new policies if necessary.
Case reference: DELL Australia and Epsilon (OMI, June 2012). Own Motion Investigations (OMIs) are available at: http://www.oaic.gov.au/privacy/applyingprivacy-law/privacyomi-reports/
Facts: Epsilon provided email marketing services to DELL and held DELL customer information for this purpose. After an Epsilon employee's computer was infected with malware, an unauthorised person used the malware to obtain employee login credentials and conduct a series of attacks which obtained personal information about the customers of several companies including Dell Australia. Upon becoming aware of the breach, Epsilon discovered and disabled the compromised login and initiated additional virus scans. Epsilon also immediately notified customers, law enforcement bodies and the public, added information to its website to protect the public from attacks using the stolen data, and engaged in a full forensic investigation.
Determination: The Commissioner held that Epsilon had taken reasonable steps, under NPP 4.1, to secure the data, including security training, a comprehensive annually reviewed security policy as well as audits and information security programs which conform to industry standards. Dell, in the contractual agreement with Epsilon, had taken reasonable steps to ensure the security of personal information it holds from misuse.
Lessons learnt: A successful attack on personal information will not breach NPP 4 where the Commissioner is satisfied that reasonable steps have been taken to secure the information. Appropriate contractual provisions, security training, policies and compliance with industry standards are indicative of reasonable steps.
Case reference: Sony PlayStation Network / Qriocity (OMI, September 2011). Own Motion Investigations (OMIs) are available at: http://www.oaic.gov.au/privacy/applyingprivacy-law/privacyomi-reports/
Facts: A sophisticated hacking attack on Sony Network Entertainment Europe (SNEE) obtained large amounts of personal information, including names, addresses and credit card details relating to PlayStation Network subscribers. SNEE operated the Network for customers globally, including in Australia. After becoming aware of the incident, SNEE and related companies in Europe, the USA and Japan commenced an investigation, temporarily shut down the Network platform and implemented new security measures. Customers were informed of the breach seven days after it occurred.
Determination: The Commissioner determined that, as SNEE Australia did not hold customer data, it could not be responsible for any privacy breach. The Commissioner also held that, as physical, network and communication security measures, encryption of credit card information and the use of IT security standards based on international standards were in place to secure the data by SNEE, appropriate steps had been taken to protect the data.
The Commissioner expressed concern about the time taken to notify customers of the breach, as immediate notification of compromised financial details can limit harm to customers.
Lessons learnt: Encryption of particularly sensitive information, such as credit card details, and implementation of international security standards are indicative of reasonable steps having been taken to protect personal information.
When deciding when to disclose a breach, agencies and organisations should consider the harm that could be caused by delay. In particular, if a data security breach is likely to cause significant individual harm, as is the case for credit card information, individuals whose information has been compromised should be notified in a timely manner.
2.2 Data access arrangements
Internal
Case reference: Vodafone Hutchison Australia (OMI, February 2011). Own Motion Investigations (OMIs) are available at: http://www.oaic.gov.au/privacy/applyingprivacy-law/privacyomi-reports/
Facts: A Vodafone store access login was used to show a customer, with their consent, the personal information Vodafone held in its customer management system about them. No other customer information was disclosed. The login to the network was via store IDs, rather than individual staff IDs, and personal identity information was accessible by staff across Australia.
Determination: The Commissioner held that, as the only disclosure was providing the customer with the personal information held about them in the Vodafone system, there was no unauthorised disclosure under NPP 2.1. However, Vodafone’s information protections were held to be insufficient to meet obligations under NPP4.1, as key information such as passport numbers could be found by anyone with access to the system, and store-wide rather than individual employee login IDs reduced the ability of Vodafone to develop an audit trail to track unauthorised access.
Lessons learnt: Giving an individual access to information an agency holds about them will not amount to an unauthorised disclosure.
Sensitive information such as passport numbers should not be accessible by large numbers of employees, and data access systems should allow identification of the user who accesses the data so as to provide an effective audit trail. Failure to do so may breach the personal information protection requirements of NPP4/IPP4/APP11.
External
Case reference: Own Motion Investigation v Information Technology Company [2010] PrivCmrA 16, available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/
Facts: A telecommunications company permitted individuals to access information about their mobile account, including the credit balance and transaction details of the last payment, by calling a 1800 number and keying in the mobile number. No restrictions prevented persons other than the owner of the phone from accessing this information, providing that they knew the mobile number in question.
Determination: Mobile phone numbers are easily accessible by many parties. As mobile phones are personal rather than residence-based, they can be linked to particular individuals. Given this, the absence of additional verification requirements would allow many people to access mobile account information for an individual. While the system at the time of investigation did not comply with the requirement to protect personal information (NPP 4.1), this was rectified by changes which provided additional authentication methods. As the issues had been addressed, the Commissioner ceased his investigation.
Lessons learnt: Agencies should have appropriate authentication systems in place to ensure that the person given access to personal information is the person the information is about.
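One way a customer-record system can implement the lessons from both 2.2 cases (individual rather than store-wide login IDs feeding an audit trail, passport numbers masked for staff who do not need them, and a caller authenticated by more than knowledge of the mobile number), as an added Python example that is not part of this guide or of any company's system; the "staff-" ID prefix, role name, PIN scheme and records are constructed assumptions:

```python
"""Customer-record access with individual attribution, field masking and
caller authentication (added illustration with constructed data; not code
from the OAIC case notes or from any company named in this guide)."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

SENSITIVE_FIELDS = {"passport_number"}
ROLES_WITH_SENSITIVE_ACCESS = {"identity-verification"}  # constructed role name
SELF_SERVICE_FIELDS = ("credit_balance", "last_payment")


@dataclass(frozen=True)
class AuditEvent:
    actor: str      # individual staff ID, or "customer:<mobile>"
    customer: str   # mobile number of the record accessed
    fields: tuple   # fields returned unmasked
    outcome: str
    at: str


def hash_pin(mobile: str, pin: str) -> str:
    # Salted with the account identifier; constructed scheme for the example,
    # a deployed system would use a slow password hash instead.
    return hashlib.sha256(f"{mobile}:{pin}".encode()).hexdigest()


def mask(value: str) -> str:
    """Show only the last two characters of a sensitive value."""
    return "*" * max(len(value) - 2, 0) + value[-2:]


class CustomerStore:
    def __init__(self, records: dict, pin_hashes: dict):
        self._records = records        # mobile -> field dict
        self._pin_hashes = pin_hashes  # mobile -> hash_pin(mobile, pin)
        self.audit = []

    def _log(self, actor, customer, fields, outcome):
        self.audit.append(AuditEvent(actor, customer, tuple(fields), outcome,
                                     datetime.now(timezone.utc).isoformat()))

    def staff_lookup(self, staff_id: str, role: str, mobile: str) -> dict:
        # A store-wide login cannot be tied to a person, so it is refused;
        # individual IDs are what give the audit trail its value.
        if not staff_id.startswith("staff-"):
            self._log(staff_id, mobile, (), "denied: shared login")
            raise PermissionError("individual staff ID required")
        record = self._records.get(mobile)
        if record is None:
            self._log(staff_id, mobile, (), "denied: no such customer")
            raise KeyError(mobile)
        view, unmasked = {}, []
        for name, value in record.items():
            if name in SENSITIVE_FIELDS and role not in ROLES_WITH_SENSITIVE_ACCESS:
                view[name] = mask(value)   # most staff see only a masked value
            else:
                view[name] = value
                unmasked.append(name)
        self._log(staff_id, mobile, unmasked, "ok")
        return view

    def self_service_lookup(self, mobile: str, pin: str):
        # Knowing the mobile number is not proof of identity: a PIN must
        # also match before balance and payment details are released.
        expected = self._pin_hashes.get(mobile)
        if expected is None or not hmac.compare_digest(expected, hash_pin(mobile, pin)):
            self._log(f"customer:{mobile}", mobile, (), "denied: authentication failed")
            return None
        record = self._records[mobile]
        self._log(f"customer:{mobile}", mobile, SELF_SERVICE_FIELDS, "ok")
        return {name: record[name] for name in SELF_SERVICE_FIELDS}

    def who_saw(self, mobile: str, field_name: str) -> list:
        """Audit question: which actors were shown this field unmasked?"""
        return [e.actor for e in self.audit
                if e.customer == mobile and field_name in e.fields]


# Constructed sample data.
RECORDS = {"0400000001": {"name": "Sample Customer", "passport_number": "PA1234567",
                          "credit_balance": "12.50", "last_payment": "2013-09-01 30.00"}}
PIN_HASHES = {"0400000001": hash_pin("0400000001", "4821")}


def demo() -> dict:
    """Run each access path once and return what each caller saw."""
    store = CustomerStore(RECORDS, PIN_HASHES)
    out = {"retail": store.staff_lookup("staff-1042", "retail", "0400000001"),
           "idv": store.staff_lookup("staff-0077", "identity-verification", "0400000001")}
    try:
        store.staff_lookup("store-melb-01", "retail", "0400000001")
        out["shared_login_refused"] = False
    except PermissionError:
        out["shared_login_refused"] = True
    out["self_wrong_pin"] = store.self_service_lookup("0400000001", "0000")
    out["self_ok"] = store.self_service_lookup("0400000001", "4821")
    out["passport_viewers"] = store.who_saw("0400000001", "passport_number")
    return out
```

Every denied attempt is logged alongside successful ones, so the audit trail answers both "who saw this passport number" and "who tried a shared login".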
2.3 Sending personal information
Case reference: Telstra Corporation Limited (Telstra) (OMI, July 2011). Own Motion Investigations (OMIs) are available at: http://www.oaic.gov.au/privacy/applyingprivacy-law/privacyomi-reports/
Facts: Telstra accidentally sent 60,300 incorrectly addressed letters due to a mailing list error. These letters contained names and phone numbers of customers, including some silent phone numbers. Upon discovering the error, Telstra immediately stopped the mail out, investigated the problem and notified affected customers, prioritising those with silent phone numbers.
Telstra had:
- an agreement with the mail house that included privacy and confidentiality obligations;
- conducted a privacy impact assessment at the commencement of the mailout activities;
- a number of approval steps before mailouts took place; and
- quality control procedures for creating mailing lists.
Determination: The Commissioner held that the information in question was personal information under s 6 of the Privacy Act, as it included the names of the individuals affected. As the mailout disclosed personal information, including the names and phone numbers of customers and their association with Telstra, to third parties, the Commissioner held that Telstra had breached NPP 2.1, which regulates the disclosure of personal information. Taking into account the steps Telstra had taken to prevent or minimise the risk of privacy breaches in relation to its mail outs, the Commissioner determined that NPP 4.1, which requires reasonable steps to be taken to protect personal information, was not breached, as the incident had been caused by human error rather than systemic failure. The investigation concluded as Telstra had taken adequate measures to remedy the problem.
Lessons learnt: The fact that a disclosure of personal information is accidental will not prevent an organisation or agency from being in breach of its obligations in relation to disclosure of personal information.
However, where accidental disclosure occurs, but reasonable steps have been taken to minimise the risk of that disclosure occurring, there may be no failure to take reasonable steps to protect that information under NPP 4.1 (or IPP4 or APP11).
Case reference: Own Motion Investigation v Airline [2010] PrivCmrA 12, available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/
Facts: The Commissioner received a complaint from an individual who had booked a flight online, but received an email from the airline containing another traveller's personal information, including the traveller and their companion's names and addresses, financial information, and flight details. The airline acknowledged that the disclosure occurred and that they were not compliant with NPP2. The airline investigated the matter and found that the wrong details were populated due to an overload of its server. The airline introduced new protections to improve IT security including new servers, regular "flushing" of the database logs and a new hourly testing procedure.
Determination: The Commissioner found that the airline's system was not sufficient to comply with the requirements of NPP4.1 at the time of the incident, but that the steps the airline had taken since the complaint was made were reasonable in accordance with NPP 4.1. NPP 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification and disclosure. Similar requirements apply to Commonwealth agencies under IPP4, and from March 2014, will apply to public and private sector entities under APP11.
Lessons learnt: Agencies handling large volumes of personal information need to ensure that they have taken reasonable steps to protect the personal information they hold from misuse, interference, loss, unauthorised access, modification or disclosure.
Case reference: Own Motion Investigation v Financial Institution [2009] PrivCmrA 12, available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/
Facts: A financial institution sent bank account statements addressed to a previous occupant to an address despite the statements being consistently sent back marked ‘return to sender. Address unknown’.
Determination: The Commissioner was informed upon investigation that the financial institution had created a process specifically to deal with such mail, first checking for other issues then attempting to contact the customer. If no contact is made, a stop is put on the account. The investigation ceased as the Commissioner was satisfied that the financial institution was meeting NPP 3 requirements to ensure the accuracy of personal information.
Lessons learnt: Agencies need to have appropriate processes for the updating of personal information in a timely manner, including having procedures for dealing with returned mail.
Case reference: S v Health Services Provider [2008] PrivCmrA 19, available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/
Facts: S received a medical service from the health services provider, and provided X-rays to the provider for that purpose. When S requested the return of the X-rays, the original films and copies of medical records were forwarded to their nominated health service provider by general post. The service provider later checked to confirm the recipient had received the originals and medical record copies.
Determination: The Commissioner noted that whether an organisation has taken reasonable steps under NPP 4.1 to protect personal information will depend on the circumstances, including the sensitivity of the information. As the loss S would suffer by loss of the X-rays was significant, the information was sensitive and the cost of sending the records more securely was not a significant burden, it was held that the provider had not taken reasonable steps to protect the information.
Lessons learnt: General post (rather than registered post or courier services) may not be sufficiently secure for sending sensitive personal information.
To determine whether the measures your agency is taking to secure information are adequate, consider:
- the sensitivity of the information
- the expense and viability of more secure methods of storing or transmitting it.
3. Administrative decision making, legal proceedings and investigations
The following cases illustrate the privacy precautions that should be taken during investigation processes, and the circumstances in which disclosures of personal information may be made in the course of administrative decision making processes or legal proceedings.
Case reference: D v Commonwealth Agency [2010] PrivCmrA 5, available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/
Facts: D was a person of interest in relation to compliance activities being undertaken by an agency. D had to answer questions posed by agency officers and complete forms. D alleged that the agency had not appropriately secured their personal information as the questioning took place in a public space where journalists were present and could overhear. The agency also sent background information about D to journalists.
Determination: The Commissioner took the view that the agency did not have adequate safeguards in place to protect D's personal information against unauthorised access, and that the agency had not, therefore, complied with IPP4, as there was a high risk that the journalists would overhear D's questioning, and there was some risk of the journalists viewing the documents D was asked to complete. The Commissioner exercised their conciliation powers, and the agency apologised and provided compensation to D. The agency also changed the methods for protecting personal information in similar activities and provided additional privacy training to compliance officers.
Lessons learnt: Compliance activities such as asking questions and completing forms should not be carried out in public.
Agencies should take care when releasing information about an ongoing investigation to ensure that the information is not personal information or could not be used to identify an individual.
Case reference: C v Commonwealth Agency [2009] PrivCmrA 3, available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/
Facts: C claimed that the disclosure of personal information to a tribunal for the purpose of reviewing a benefits claim was unnecessary. The agency claimed it was required to provide the information.
Determination: The Commissioner held that the agency was asked to provide information under the relevant legislation, and only provided those documents it believed relevant to the matter. As the information provided was relevant to the matter in question, the Commissioner held that the disclosure was legitimate and in response to a proper notice from the tribunal under IPP 11.1(d).
Lessons learnt: An individual can expect that when they request an appeal of a decision by a tribunal or similar body, an agency will provide all relevant information to that body.
However, when providing information in response to a notice requesting relevant information, an agency should carefully consider whether the information to be provided is relevant to the matter.
Case reference: V v Commonwealth Agency [2008] PrivCmrA 22, available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/
Facts: V provided a letter and gave an interview supporting an application for a service by their partner to a government agency. The agency was later informed that the statements made by V in the interview and letter were inaccurate.
The agency investigated whether the statements were false or misleading by verifying the information with third parties, including V’s employer, and asking V to attend a second meeting. V claimed that they were not informed of the purpose of the second meeting, and that their personal information had been improperly collected and disclosed during the investigation.
Determination: The Commissioner held that:
- the agency was required to investigate breaches of legislation; and
- the disclosure of the investigation to V’s employer was necessary for that purpose and authorised by IPP 11.1(e).
As the agency advised that V was informed before the second meeting what the purpose of the meeting was, and was offered the opportunity not to participate, the Commissioner was satisfied that V was sufficiently aware of the purpose of the information collection and that the collection was not unfair or unlawful. As enforcing the governing legislation is a core function of the agency, the information was collected for a lawful purpose directly related to its functions under IPP 1.1.
Lessons learnt: Where an agency is required to investigate potential breaches of the criminal law, they may disclose information that is reasonably necessary for the investigation to third parties.
Collection of information through a meeting or interview is less likely to be unfair where the complainant is provided with the opportunity not to attend the meeting.
Case reference: O v Commonwealth Agency [2008] PrivCmrA 15, available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/
Facts: O disclosed their occupation to the agency during a decision being made between O and a third party, requesting that the agency not disclose that information to anyone without sufficient justification. As part of the decision-making process, the information was disclosed by the agency to the third party, as it was integral to the decision being made. When O complained, the agency argued the disclosure was required by a Commonwealth law.
Determination: The Commissioner held that the information was required to be disclosed under Commonwealth law, and given the relevance of the information to the decision being made, that disclosure was also required to ensure procedural fairness.
Lessons learnt: Where legislation or procedural fairness requires the disclosure of personal information, that disclosure will not breach the requirements of the IPPs.
4. Employees and Employment related uses and disclosures
The following cases illustrate the need to adequately protect employee records from unauthorised access, the need to ensure spent convictions are not taken into account, the need to ensure the accuracy of personal information when investigating employee conduct, and the ability to disclose relevant employee personal information to third parties in certain circumstances.
Case reference: A v Private Health Service Provider [2010] PrivCmrA 2, available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/
Facts: A was employed by a government agency, which engaged the health service provider to determine A’s suitability for continued employment. The agency provided the service provider with information about a criminal conviction which A alleged was spent under the Crimes Act. This information was then taken into account in the service provider’s report to the agency.
Determination: The Commissioner held that the convictions information was protected under the Crimes Act because it related to a spent conviction. By taking the information into account the health service provider contravened s 85ZW(b)(ii) of the Crimes Act. The service provider took action to improve awareness of, and compliance with, the spent convictions scheme both within their organisation and throughout the sector in general through publications and forwarding information to a professional body. As this satisfied A that the provider had adequately dealt with the matter, the Commissioner ceased the investigation.
Lessons learnt: Agencies should take steps to ensure the requirements of the spent convictions scheme are complied with.
‘Taking into account’ spent convictions includes:
- asking questions about prior convictions in interviews
- seeking information on such convictions in criminal history checks
- using information about spent convictions.
Case reference: T v Commonwealth Agency [2009] PrivCmrA 23, available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/
Facts: T was an employee of a Commonwealth agency. In order to investigate T’s conduct, the agency prepared a report of T’s attendance at work. T’s emails were also examined. T alleged that the report was incorrect, and that the agency had failed to take reasonable steps to ensure that T’s personal information was accurate. T additionally alleged that accessing the emails was irrelevant to the investigation of T’s conduct.
Determination: After comparing the report to building access and timesheet records, the Commissioner found that the report contained easily remediable inaccuracies. As the report was being used in decision making about T, there was an increased need for the information to be accurate, and by failing to ensure this, the agency had breached IPP 8. The agency apologised, amended the report and paid compensation to T. Examining T’s emails was determined to be relevant to the conduct investigation, however, and as such, the Commissioner determined that T's privacy was not interfered with under IPP 9.
Lessons learnt: Personal information must not be used without taking reasonable steps to ensure that the information is up to date and accurate. Checking dates and records are steps which should be taken to ensure accuracy.
The more important the information is to the particular decision making process, the greater the need to take steps to ensure the information is accurate.
Employee emails may be relevant to conducting investigations regarding the conduct of an employee.
Case reference: N v Commonwealth Agency [2009] PrivCmr 17 (available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/)
Facts: N was an employee of a Commonwealth agency, and had lodged several complaints with regard to their employment. The agency provided N’s personal information to a contractor hired to investigate its handling of the complaints. N claimed the agency had improperly disclosed their personal information without consent.
Determination: The Commissioner determined that, as the agency had only provided the information to the contractor for the limited purpose of investigating the complaints, and the information was returned to the agency following the investigation, the agency had complied with IPP 11 by retaining control of the personal information and had not disclosed it. As the information had been collected for the purpose of administering N’s employment, use of that information to investigate the complaints was held to be directly related to the purpose for which the information was collected. The investigation was closed as no breaches of the Privacy Act were found.
Lessons learnt: Where personal information is provided by an agency to an external person, to perform services for the agency, and that person is bound by an agreement to maintain the confidentiality of that information, the agency will not be deemed to have disclosed the information as it retains control over it.
The use of information collected about an employee to investigate complaints relating to that individual’s employment with the agency is permitted.
J v Commonwealth Agency [2009] PrivCmrA 13 (available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/)
Facts: Information about an investigation into the conduct of J was provided to a doctor assessing a later workplace compensation claim. J claimed that the information did not need to be disclosed.
Determination: The Commissioner determined that J was reasonably likely to be aware the information would be disclosed, as the purpose of the appointment was to assess J's ability to return to the workplace, and the subject matter of the investigation could have prevented J from returning to work. As such, the information was relevant to the decision the doctor needed to make, and usual practice would be to provide such information to a doctor performing assessments of this nature. Additionally, the agency notified J that the information was going to be provided, and later gave J a full copy of the information provided to the doctor. The disclosure was consistent with the limits in IPP 11.1(a).
Lessons learnt: Information can be disclosed to a person or other entity where an individual is reasonably likely to have been aware that such information is usually disclosed to that person or entity. Whether a person is reasonably likely to be aware that such disclosures occur is determined by looking at the purpose of the collection of the information, accepted practice and the nature of the entity the information is disclosed to.
Actual knowledge, or lack thereof, of the disclosure is irrelevant. The question is whether the individual concerned is reasonably likely to be aware that such information is usually disclosed to such a person or entity.
Where information about an employee is relevant to an assessment of whether they are fit to return to work, that information may be provided to the medical practitioner undertaking that assessment.
F v Australian Government Agency [2008] PrivCmrA 6 (available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/)
Facts: F was a former employee of the agency and complained that their record held by the agency had been accessed by a current employee of the agency, who used the records to locate where F was living. This caused F to fear for their safety, and resulted in F changing their name and address. F raised the issue with the agency and sought compensation. The agency acknowledged that F's records had been accessed by a person unauthorised to do so, but rejected F's claim for compensation. The agency terminated the employment of the person who accessed F's records.
Determination: The Commissioner took the view that the agency had not taken reasonable steps to protect F's personal information, and that F's personal information had been used for a purpose to which none of the exceptions in IPP 10 applied.
The Commissioner conciliated the matter and the parties reached an agreement under which F accepted a confidential settlement for costs associated with the change of name and address.
Lessons learnt: Employee records need to be adequately protected from unauthorised access, as there may be serious consequences for individuals and agencies where there are failures in this regard.
5. Partners and Families
The following cases illustrate that accepting personal information from, or disclosing personal information to, partners, spouses or other family members can cause significant distress, and in some instances, may lead to physical harm.
Case Reference Facts Determination Lessons learnt
K v Commonwealth Agency [2010] PrivCmrA 13 (available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/)
Facts: K alleged that an agency improperly disclosed their personal information to their former partner. The agency investigated the matter and agreed that it had improperly disclosed that information and had failed to comply with the requirements of IPP 11. The agency made a written apology, provided training to the employee involved, and offered compensation to K. K was not satisfied with those steps, and in particular, considered the amount of compensation offered by the agency to be inadequate.
Determination: The Commissioner came to the view that K had not provided sufficient evidence to support their claim that the compensation offered was inadequate. In particular, no evidence was provided to support K's claim for non-economic loss. The Commissioner found that:
- the agency had adequately dealt with the complaint;
- the compensation offered was satisfactory; and
- the improper disclosure was a one-off incident that did not raise systemic issues.
Lessons learnt: Where an improper disclosure occurs and a complaint is received, agencies should act promptly to:
- investigate the matter;
- make an apology;
- train, re-train or discipline employees; and
- offer reasonable compensation (where appropriate, and based on the evidence of loss or damage provided by the complainant).
P v Commonwealth Agency [2009] PrivCmrA 19 (available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/)
Facts: Due to domestic violence, P moved out of the marital home and into a new residence. Following break-ins and a violent attack, P changed their name, informing the agency, and moved again to an address concealed from their ex-partner. The ex-partner later learned P's new name from a letter sent by the agency to the former marital home. P contacted the agency, which apologised and offered compensation, which P rejected as insufficient.
Determination: The agency accepted that it should not have disclosed the information and that it had breached IPP 11. The Commissioner conciliated the matter. An initial claim by P for health treatment and other costs in addition to injury to feelings was rejected. After P provided further evidence, the agency apologised and offered an increased sum of compensation, which P accepted.
Lessons learnt: Some breaches of privacy can have serious consequences for the individual concerned, including physical harm.
M v Financial Institution [2009] PrivCmrA 16 (available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/)
Facts: M and their partner held a joint bank account, the signature authority on which M amended after a dispute. Several weeks later, a relative of M's partner provided further information about the dispute to the financial institution, after which a staff member modified the joint account to require both parties to sign any withdrawals. Several days later, the financial institution informed M of the change. M alleged that their personal information had been improperly collected from a third party, and that insufficient effort had been made to ensure the information was accurate.
Determination: While the financial institution argued it had not collected the information, as it had not asked for it, the Commissioner held that information is collected if it is gathered, acquired or obtained from any source by any means. By updating the account records, the financial institution had collected the information for inclusion in a record. As the financial institution is required under NPP 1.4 to collect information from the person it is about wherever it is reasonable and practicable to do so, and it was possible to do so, M's privacy was breached. The financial institution was also held to have breached the requirement to ensure personal information is accurate under NPP 3. Compensation was offered by the financial institution and accepted by M.
Lessons learnt: APP 3, which will apply to agencies from 12 March 2014, contains similar collection principles to NPP 1.4. IPP 8 and APP 10 contain requirements regarding data accuracy that are similar to the requirement of NPP 3. Agencies should, therefore, wherever practicable, obtain personal information from the individual that the information relates to. Where it is reasonable and practical to do so, information obtained from third parties should be checked with the individual it relates to, in order to determine whether it is accurate.
L v Commonwealth Agency [2008] PrivCmrA 12 (available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/)
Facts: L's former spouse submitted a form to the agency including L's address. This resulted in a clerical error which applied L's former spouse's address to L's records, and mail intended for L was sent to the former spouse as well. The information disclosed resulted in legal action between L and their former spouse. The agency acknowledged that the disclosure contributed to subsequent legal costs, and offered part payment of those costs. L was dissatisfied with the response.
Determination: The Commissioner conciliated the matter, and it was resolved by payment of a settlement including the initially offered contribution to legal costs and damages for injury to L's feelings.
Lessons learnt: Where the disclosure of information contributes to costs for the individual concerned, it may be appropriate for the agency in question to pay part of those costs.
6. Ministers, Members of Parliament and the Media
The following cases illustrate that where an individual makes a public complaint or a complaint to a Minister or Member of Parliament about an agency, that agency may respond appropriately, including, where necessary, by disclosing relevant personal information.
Case Reference Facts Determination Lessons learnt
L v Commonwealth Agency (the Media) [2010] PrivCmrA 14 (available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/)
Facts: L made adverse comments in the media and on a blog about the way an agency handled a complaint L had made to the agency. The agency, in responding to the media enquiry, disclosed L's personal information to a journalist, who published the personal information in an article.
Determination: The Commissioner considered that L was reasonably likely to have been aware that the agency may respond in the way it did to the issues L had raised. The Commissioner took a preliminary view that IPP 11.1(a), which permits disclosure of personal information where the individual concerned is reasonably likely to have been aware that information of that kind is usually passed to that person, body or agency, permitted the disclosure of L's personal information to the journalist. The complainant withdrew their complaint.
Lessons learnt: Where a complaint against an agency is raised publicly by an individual, that individual can be taken to be aware that the agency might respond to the complaint, including by disclosing to a journalist information about the individual that is pertinent to the complaint.
I v Commonwealth Agency (Members of Parliament) [2010] PrivCmrA 10 (available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/)
Facts: I met with their State Member of Parliament's office to raise issues about I's dealings with an agency. I provided the MP's office with copies of correspondence between I and the agency. The MP's office asked the agency for further information about I. The agency provided the information to the MP's office. I alleged that the agency had improperly disclosed personal information about I to the MP's office.
Determination: The Commissioner was satisfied that, in having the Minister's office make representations on I's behalf, I impliedly consented to the disclosure of their personal information by the agency to the MP's office. The disclosure of the information by the agency to the MP's office was, therefore, permitted by IPP 11.1(b) (a disclosure with the consent of the individual concerned).
Lessons learnt: When an MP's office seeks further information about an individual and their dealings with an agency, the agency can disclose information about the individual and their dealings with the agency to the MP's office.
The case note states that the Commissioner's approach to this complaint is consistent with the OAIC's Provision of personal information by Commonwealth agencies to members of Parliament Guidelines, under which an agency may provide personal information to a Member of Parliament or his or her staff in response to an enquiry on behalf of a constituent, where the officer handling the enquiry is satisfied as to the identity of the enquirer.
Those Guidelines are available at: http://www.oaic.gov.au/images/documents/migrated/migrated/HRC_PRIVACY_PUBLICATION.pdf_file.p6_4_78.48.pdf
7. Denying access to personal information
The following case illustrates that in appropriate cases, access to personal information may be refused.
Case Reference Facts Determination Lessons learnt
G v Finance Company [2010] PrivCmrA 8 (available at: http://www.oaic.gov.au/privacy/privacyarchive/privacy-casenotes-archive/)
Facts: G sought access to their personal information. G had made numerous requests, over a period of four years, for access to an account statement held by the company, and had raised their access requests with a number of government entities and Members of Parliament. The finance company had provided G with access to their personal information on at least two occasions. The finance company then denied access on the basis that the request was frivolous and vexatious.
Determination: The Commissioner found that G's request for access was a repeat request for personal information that had already been provided.
Lessons learnt: In an appropriate case, requests to access personal information can be denied.
From 12 March 2014, decisions of an agency to refuse access must be made within 30 days of the request, and reasons for any refusal must be given.