Privacy complaints and investigations (2008 – 2013)

Contents

The following guide sets out a number of privacy complaints and investigations undertaken by the Privacy Commissioner over the past five years, along with lessons for Commonwealth agencies.

The summaries of these investigations and what they mean for agencies are set out below under the following

subject headings.

1. Collection of personal information p 2

The case summary provided under this heading illustrates the need for agencies to ensure that contractors who

collect personal information on behalf of the agency comply with the collection principles and notification

requirements of the Privacy Act 1988.

2. Data security p 3

The cases listed under this heading illustrate the need to take reasonable steps to protect personal information

from loss, interference, unauthorised access, use and disclosure. The cases relate to the need to adequately

protect information against hacking attempts, to take appropriate precautions when sending personal information,

and to ensure appropriate data access arrangements are in place.

 2.1 Hackers p 3

 2.2 Data access arrangements p 5

 2.3 Sending personal information p 6

3. Administrative decision making, investigations and legal proceedings p 9

The cases under this subject heading illustrate the privacy precautions that should be taken during investigation

processes, and the circumstances in which disclosures of personal information may be made in the course of

administrative decision making processes or legal proceedings.

4. Employees and Employment related uses and disclosures of personal information p 11

The cases set out in this section illustrate the need to adequately protect employee records from unauthorised

access; the need to ensure spent convictions are not taken into account; the need to ensure the accuracy of

personal information when investigating employee conduct; and the ability to disclose relevant employee personal

information to third parties in certain circumstances.

5. Partners and Families p 14

The cases in this section illustrate that accepting information from, or disclosing personal information to, partners,

spouses or other family members can cause significant distress, and in some instances, may lead to physical

harm.

6. Ministers, Members of Parliament and the Media p 16

The cases in this section illustrate that where an individual makes a public complaint or a complaint to a Minister

or Member of Parliament about an agency, that agency may respond appropriately, including, where necessary,

by disclosing relevant personal information about the complainant.

7. Denying access to personal information p 18

The case summary provided under this heading illustrates that in appropriate cases, access to personal

information may be refused.

[COMMGOV: 12499538_1] 2

1. Collection of personal information

The following case illustrates the need for agencies to ensure that contractors who collect personal information on behalf of the agency comply with the collection principles

and notification requirements of the Privacy Act.

Case Reference Facts Determination Lessons learnt

I v Contracted Service

Provider to

Commonwealth Agency

[2008] PrivCmrA 9

available at:

http://www.oaic.gov.au/

privacy/privacyarchive/

privacy-casenotes-

archive/

I provided their personal information to

a contracted services provider (CSP)

to an agency as a condition of entry to

the premises managed by the CSP.

The CSP entered the personal

information in a computer database. I

complained that they did not know the

purpose for which the information was

collected, how it would be used or the

authority or law under which it was

collected.

The Commissioner determined that,

while the organisation was required to

maintain security and the data collection

was for this purpose, insufficient notice

regarding the purpose of the collection

had been provided, in breach of IPP 2.

The CSP added an appropriate notice to

its visitor application form and displayed

a notice in the visitor’s area in several

languages. The Commissioner decided

not to investigate further when satisfied

that the respondent has dealt

adequately with the matters giving rise

to the complaint.

When providing notice that data is

being collected, an agency and its

contractors must comply with the

requirements of APP2 (from 12

March 2014, APP5).

[COMMGOV: 12499538_1] 3

2. Data Security

The following cases provide examples of data security issues and mishaps. These cases illustrate the need to take reasonable steps to protect personal information from loss,

interference, unauthorised access, use and disclosure. The cases relate to the need to adequately protect information against hacking attempts, to take appropriate

precautions when sending personal information, and to ensure appropriate data access arrangements are in place.

Further information about the risks to the security of personal information that departments and agencies should consider, and the reasonable steps that it might be

appropriate for an agency to take to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure are provided in the OAIC's

Guide to information security available at: http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/guide-to-information-security.

2.1 Hackers

Case Reference Facts Determination Lessons learnt

AAPT and

Melbourne IT (OMI,

October 2013)

Own Motion

Investigations (OMIs)

are available at:

http://www.oaic.gov.au

/privacy/applyingprivacy-

law/privacyomi-

reports/

Data, belonging to AAPT and held on

a server managed by a webhosting

business unit of Melbourne IT, was

accessed and downloaded by hacker

group Anonymous. Melbourne IT

identified the incident after becoming

aware of other attacks on their servers,

and notified AAPT three days after the

data transfers were completed. AAPT

immediately disconnected from the

Melbourne IT network and took steps

to avoid further compromise of data.

The stolen data, which was

subsequently published by

Anonymous, included personal

information used for billing and phone

number transfers, some of which was

no longer in use at the time of the

incident.

The Commissioner determined that, as

AAPT had the right or power to deal with

the information, AAPT was the body

which ‘held’ the information for the

purposes of NPP 4.1 and was as such

responsible for it. AAPT had not

contractually obliged Melbourne IT to

update software to the latest and most

secure version, assess security liabilities

and take other steps to ensure the data

was secure. AAPT also appeared to be

unaware of the software being used to

protect the data. The Commissioner

therefore held that AAPT had failed to

take reasonable steps to protect the

information held by it, under NPP 4.1.

AAPT also failed to take reasonable

steps to implement their data retention

policy requiring the deletion of unused

information, contravening NPP 4.2. As

Anonymous, an outside entity, published

the data, AAPT was not responsible for

the disclosure of personal information

under NPP 2.1.

Similar requirements to those in NPPs

4.1 and 4.2 apply to Commonwealth

agencies (under Information Privacy

Principle 4) and from March 2014, will

apply to public and private sector

entities to which the Act applies under

Australian Privacy Principle 11. The

Commissioner's findings are, therefore,

relevant to Commonwealth agencies

now and in the future.

Agencies need to take reasonable steps

to ensure that data held by contractors

and third parties on their behalf is

secure, either through ensuring the

contractor/third party maintains software

and takes other steps to address

vulnerabilities or by doing so

themselves. This responsibility is in

addition to securing and addressing

vulnerabilities in their own systems.

Subject to Commonwealth record

keeping requirements under the

Archives Act 1983, personal information

which is no longer in use or required

should be destroyed or permanently deidentified.

Agencies need to develop and

maintain systems to accomplish this,

[COMMGOV: 12499538_1] 4

Case Reference Facts Determination Lessons learnt

including liaising with the National

Archives of Australia and establishing

appropriate records authorities.

In the event of a data security breach,

agencies should take immediate action

to remedy the vulnerability, audit their

systems and put in place adequate

protections and new policies if

necessary.

DELL Australia and

Epsilon

(OMI, June 2012)

Own Motion

Investigations (OMIs)

are available at:

http://www.oaic.gov.au

/privacy/applyingprivacy-

law/privacyomi-

reports/

Epsilon provided email marketing

services to DELL and held DELL

customer information for this purpose.

After an Epsilon employee's computer

was infected with malware, an

unauthorised person used the malware

to obtain employee login credentials

and conduct a series of attacks which

obtained personal information about

the customers of several companies

including Dell Australia. Upon

becoming aware of the breach, Epsilon

discovered and disabled the

compromised login and initiated

additional virus scans. Epsilon also

immediately notified customers, law

enforcement bodies and the public,

added information to protect the public

from attacks using the stolen data to its

website and engaged in a full forensic

investigation.

The Commissioner held that Epsilon had

taken reasonable steps, under NPP 4.1,

to secure the data, including security

training, a comprehensive annually

reviewed security policy as well as

audits and information security

programs which conform to industry

standards. Dell, in the contractual

agreement with Epsilon, had taken

reasonable steps to ensure the security

of personal information it holds from

misuse.

A successful attack on personal

information will not breach NPP 4 where

the Commissioner is satisfied that

reasonable steps have been taken to

secure the information. Appropriate

contractual provisions, security training,

policies and compliance with industry

standards are indicative of reasonable

steps.

[COMMGOV: 12499538_1] 5

Case Reference Facts Determination Lessons learnt

Sony PlayStation

Network / Qriocity

(OMI, September

2011)

Own Motion

Investigations (OMIs)

are available at:

http://www.oaic.gov.au

/privacy/applyingprivacy-

law/privacyomi-

reports/

A sophisticated hacking attack on

Sony Network Entertainment Europe

(SNEE) obtained large amounts of

personal information, including names,

addresses and credit card details

relating to Playstation Network

subscribers. SNEE operated the

Network for customers globally,

including in Australia. After becoming

aware of the incident, SNEE and

related companies in Europe, the USA

and Japan commenced an

investigation, temporarily shut down

the Network platform and implemented

new security measures. Customers

were informed of the breach seven

days after it occurred.

The Commissioner determined that, as

SNEE Australia did not hold customer

data, it could not be responsible for any

privacy breach. The Commissioner also

held that, as physical, network and

communication security measures,

encryption of credit card information and

the use of IT security standards based

on international standards were in place

to secure the data by SNEE, appropriate

steps had been taken to protect the

data.

The Commissioner expressed concern

about the time taken to notify customers

of the breach, as immediate notification

of compromised financial details can

limit harm to customers.

Encryption of particularly sensitive

information, such as credit card details,

and implementation of international

security standards are indicative of

reasonable steps having been taken to

protect personal information.

When deciding when to disclose a

breach, agencies and organisations

should consider the harm that could be

caused by delay. In particular, if a data

security breach is likely to cause

significant individual harm, as is the

case for credit card information,

individuals whose information has been

compromised should be notified in a

timely manner.

2.2 Data access arrangements

Internal….

Case Reference Facts Determination Lessons learnt

Vodafone Hutchison

Australia

(OMI, February

2011)

Own Motion

Investigations (OMIs)

are available at:

http://www.oaic.gov.au

/privacy/applyingprivacy-

law/privacyomi-

reports/

A Vodafone store access login was

used to show a customer, with their

consent, the personal information

Vodafone held in its customer

management system about them. No

other customer information was

disclosed. The login to the network

was via store IDs, rather than

individual staff IDs, and personal

identity information was accessible by

staff across Australia.

The Commissioner held that, as the only

disclosure was providing the customer

with the personal information held about

them in the Vodafone system, there was

no unauthorised disclosure under NPP

2.1. However, Vodafone’s information

protections were held to be insufficient

to meet obligations under NPP4.1, as

key information such as passport

numbers could be found by anyone with

access to the system, and store-wide

rather than individual employee login

IDs reduced the ability of Vodafone to

develop an audit trail to track

unauthorised access.

Giving an individual access to

information an agency holds about them

will not amount to an unauthorised

disclosure.

Sensitive information such as passport

numbers should not be accessible by

large numbers of employees, and data

access systems should allow

identification of the user who accesses

the data so as to provide an effective

audit trail. Failure to do so may breach

the personal information protection

requirements of NPP4/IPP4/APP11.

[COMMGOV: 12499538_1] 6

External….

Case Reference Facts Determination Lessons learnt

Own Motion

Investigation v

Information

Technology

Company

[2010] PrivCmrA 16

available at:

http://www.oaic.gov.au

/privacy/privacyarchive/

privacy-casenotes-

archive/

A telecommunications company

permitted individuals to access

information about their mobile account,

including the credit balance and

transaction details of the last payment,

by calling a 1800 number and keying in

the mobile number. No restrictions

prevented persons other than the

owner of the phone from accessing

this information, providing that they

knew the mobile number in question.

Mobile phone numbers are easily

accessible by many parties. As mobile

phones are personal rather than

residence-based, they can be linked to

particular individuals. Given this, the

absence of additional verification

requirements would allow many people

to access mobile account information for

an individual. While the system at the

time of investigation did not comply with

the requirement to protect personal

information (NPP 4.1), this was rectified

by changes which provided additional

authentication methods. As the issues

had been addressed, the Commissioner

ceased his investigation.

Agencies should have appropriate

authentication systems in place to

ensure that the person given access to

personal information is the person the

information is about.

2.3 Sending personal information

Case Reference Facts Determination Lessons learnt

Telstra Corporation

Limited (Telstra)

(OMI, July 2011)

Own Motion

Investigations (OMIs)

are available at:

http://www.oaic.gov.au

/privacy/applyingprivacy-

law/privacyomi-

reports/

Telstra accidentally sent 60,300

incorrectly addressed letters due to a

mailing list error. These letters

contained names and phone numbers

of customers, including some silent

phone numbers. Upon discovering the

error, Telstra immediately stopped the

mail out, investigated the problem and

notified affected customers, prioritising

those with silent phone numbers.

Telstra had:

 an agreement with the mail house

that included privacy and

confidentiality obligations;

 conducted a privacy impact

assessment at the commencement

of the mailout activities;

The Commissioner held that the

information in question was personal

information under s 6 of the Privacy Act,

as it included the names of the individuals

affected. As the mailout disclosed

personal information, including the names

and phone numbers of customers and

their association with Telstra, to third

parties, the Commissioner held that

Telstra had breached NPP 2.1, which

regulates the disclosure of personal

information. Taking into account the steps

Telstra had taken to prevent or minimise

the risk of privacy breaches in relation to

its mail outs, the Commissioner

determined that NPP 4.1, which requires

reasonable steps to be taken to protect

personal information, was not breached

The fact that a disclosure of personal

information is accidental will not

prevent an organisation or agency

from being in breach of its obligations

in relation to disclosure of personal

information.

However, where accidental disclosure

occurs, but reasonable steps have

been taken to minimise the risk of that

disclosure occurring, there may be no

failure to take reasonable steps to

protect that information under NPP 4.1

(or IPP4 or APP11).

[COMMGOV: 12499538_1] 7

Case Reference Facts Determination Lessons learnt

 a number of approval steps before

mailouts took place; and

 quality control procedures for

creating mailing lists.

as the incident had been caused by

human error rather than systemic failure.

The investigation concluded as Telstra

had taken adequate measures to remedy

the problem.

Own Motion

Investigation v

Airline

[2010] PrivCmrA 12

available at:

http://www.oaic.gov.au

/privacy/privacyarchive/

privacy-casenotes-

archive/

The Commissioner received a

complaint from an individual who had

booked a flight online, but received an

email from the airline containing

another traveller's personal

information, including the traveller and

their companion's names and

addresses, financial information, and

flight details. The airline acknowledged

that the disclosure occurred and that

they were not compliant with NPP2.

The airline investigated the matter and

found that the wrong details were

populated due to an overload of its

server. The airline introduced new

protections to improve IT security

including new servers, regular

"flushing" of the database logs and a

new hourly testing procedure.

The Commissioner found that the airline's

system was not sufficient to comply with

the requirements of NPP4.1 at the time of

the incident, but that the steps the airline

had taken since the complaint was made

were reasonable in accordance with NPP

4.1. NPP 4.1 provides that an

organisation must take reasonable steps

to protect the personal information it holds

from misuse and loss and from

unauthorised access, modification and

disclosure. Similar requirements apply to

Commonwealth agencies under IPP4, and

from March 2014, will apply to public and

private sector entities under APP11.

Agencies handling large volumes of

personal information need to ensure

that they have taken reasonable steps

to protect the personal information they

hold from misuse, interference, loss,

unauthorised access, modification or

disclosure.

Own Motion

Investigation v

Financial Institution

[2009] PrivCmrA 12

available at:

http://www.oaic.gov.au

/privacy/privacyarchive/

privacy-casenotes-

archive/

A financial institution sent bank

account statements addressed to a

previous occupant to an address

despite the statements being

consistently sent back marked ‘return

to sender. Address unknown’.

The Commissioner was informed upon

investigation that the financial institution

had created a process specifically to deal

with such mail, first checking for other

issues then attempting to contact the

customer. If no contact is made, a stop is

put on the account. The investigation

ceased as the Commissioner was

satisfied that the financial institution was

meeting NPP 3 requirements to ensure

the accuracy of personal information.

Agencies need to have appropriate

processes for the updating of personal

information in a timely manner,

including having procedures for

dealing with returned mail.

[COMMGOV: 12499538_1] 8

Case Reference Facts Determination Lessons learnt

S v Health Services

Provider

[2008] PrivCmrA 19

available at:

http://www.oaic.gov.au

/privacy/privacyarchive/

privacy-casenotes-

archive/

S received a medical service from the

health services provider, and provided

X-rays to the provider for that purpose.

When S requested the return of the Xrays,

the original films and copies of

medical records were forwarded to

their nominated health service provider

by general post. The service provider

later checked to confirm the recipient

had received the originals and medical

record copies.

The Commissioner noted that whether an

organisation has taken reasonable steps

under NPP 4.1 to protect personal

information will depend on the

circumstances, including the sensitivity of

the information. As the loss S would suffer

by loss of the X-rays was significant, the

information was sensitive and the cost of

sending the records more securely was

not a significant burden, it was held that

the provider had not taken reasonable

steps to protect the information.

General post (rather than registered

post or courier services) may not be

sufficiently secure for sending sensitive

personal information.

To determine whether the measures

your agency is taking to secure

information, consider:

 the sensitivity of the information

 the expense and viability of more

secure methods of storing or

transmitting it.

[COMMGOV: 12499538_1] 9

3. Administrative decision making, legal proceedings and investigations

The following cases illustrate the privacy precautions that should be taken during investigation processes, and the circumstances in which disclosures of personal information

may be made in the course of administrative decision making processes or legal proceedings.

Case Reference Facts Determination Lessons learnt

D v Commonwealth

Agency

[2010] PrivCmrA 5

available at:

http://www.oaic.gov.au/

privacy/privacyarchive/

privacy-casenotes-

archive/

D was a person of interest in relation

to compliance activities being

undertaken by an agency. D had to

answer questions posed by agency

officers and complete forms. D alleged

that the agency had not appropriately

secured their personal information as

the questioning took place in a public

space where journalists were present

and could overhear. The agency also

sent background information about D

to journalists.

The Commissioner took the view that

the agency did not have adequate

safeguards in place to protect D's

personal information against

unauthorised access, and that the

agency had not, therefore, complied

with IPP4, as there was a high risk that

the journalists would overhear D's

questioning, and there was some risk of

the journalists viewing the documents D

was asked to complete. The

Commissioner exercised their

conciliation powers, and the agency

apologised and provided compensation

to D. The agency also changed the

methods for protecting personal

information in similar activities and

provided additional privacy training to

compliance officers.

Compliance activities such as asking

questions and completing forms

should not be carried out in public.

Agencies should take care when

releasing information about an

ongoing investigation to ensure that

the information is not personal

information or could not be used to

identify an individual.

C v Commonwealth

Agency

[2009] PrivCmrA 3

available at:

http://www.oaic.gov.au/

privacy/privacyarchive/

privacy-casenotes-

archive/

C claimed that the disclosure of

personal information to a tribunal for

the purpose of reviewing a benefits

claim was unnecessary. The agency

claimed it was required to provide the

information.

The Commissioner held that the agency

was asked to provide information under

the relevant legislation, and only

provided those documents it believed

relevant to the matter. As the

information provided was relevant to the

matter in question, the Commissioner

held that the disclosure was legitimate

and in response to a proper notice from

the tribunal under IPP 11.1(d).

An individual can expect that when

they request an appeal of a decision

by a tribunal or similar body, an

agency will provide all relevant

information to that body.

However, when providing information

in response to a notice requesting

relevant information, an agency

should carefully consider whether the

information to be provided is relevant

to the matter.

[COMMGOV: 12499538_1] 10

Case Reference Facts Determination Lessons learnt

V v Commonwealth

Agency

[2008] PrivCmrA 22

available at:

http://www.oaic.gov.au/

privacy/privacyarchive/

privacy-casenotes-

archive/

V provided a letter and gave an

interview supporting an application for

a service by their partner to a

government agency. The agency was

later informed that the statements

made by V in the interview and letter

were inaccurate.

The agency investigated whether the

statements were false or misleading

by verifying the information with third

parties, including V’s employer, and

asking V to attend a second meeting.

V claimed that they were not informed

of the purpose of the second meeting,

and that their personal information had

been improperly collected and

disclosed during the investigation.

The Commissioner held that:

 the agency was required to

investigate breaches of legislation;

and

 the disclosure of the investigation

to V’s employer was necessary for

that purpose and authorised by IPP

11.1(e).

As the agency advised that V was

informed before the second meeting

what the purpose of the meeting was,

and was offered the opportunity not to

participate, the Commissioner was

satisfied that V was sufficiently aware of

the purpose of the information collection

and that the collection was not unfair or

unlawful. As enforcing the governing

legislation is a core function of the

agency, the information was collected

for a lawful purpose directly related to its

functions under IPP 1.1.

Where an agency is required to

investigate potential breaches of the

criminal law, they may disclose

information that is reasonably

necessary for the investigation to

third parties.

Collection of information through a

meeting or interview is less likely to

be unfair where the complainant is

provided with the opportunity not to

attend the meeting.

O v Commonwealth

Agency

[2008] PrivCmrA 15

available at:

http://www.oaic.gov.au/

privacy/privacyarchive/

privacy-casenotes-

archive/

O disclosed their occupation to the

agency during a decision being made

between O and a third party,

requesting that the agency not

disclose that information to anyone

without sufficient justification. As part

of the decision-making process, the

information was disclosed by the

agency to the third party, as it was

integral to the decision being made. O

complained, the agency argued the

disclosure was required by a

Commonwealth law.

The Commissioner held that the

information was required to be disclosed

under Commonwealth law, and given

the relevance of the information to the

decision being made, that disclosure

was also required to ensure procedural

fairness.

Where legislation or procedural

fairness requires the disclosure of

personal information, that disclosure

will not breach the requirements of

the IPPs.

[COMMGOV: 12499538_1] 11

4. Employees and Employment related uses and disclosures

The following cases illustrate the need to adequately protect employee records from unauthorised access, the need to ensure spent convictions are not taken into account,

the need to ensure the accuracy of personal information when investigating employee conduct, and the ability to disclose relevant employee personal information to third

parties in certain circumstances.

Case Reference Facts Determination Lessons learnt

A v Private Health

Service Provider

[2010] PrivCmrA 2

available at:

http://www.oaic.gov.au/p

rivacy/privacyarchive/

privacy-casenotes-

archive/

A was employed by a government

agency, which engaged the health

service provider to determine A’s

suitability for continued employment.

The agency provided the service

provider with information about a

criminal conviction which A alleged

was spent under the Crimes Act. This

information was then taken into

account in the service provider’s

report to the agency.

The Commissioner held that the convictions

information was protected under the Crimes

Act because it related to a spent conviction.

By taking the information into account the

health service provider contravened s

85ZW(b)(ii) of the Crimes Act. The service

provider took action to improve awareness

of, and compliance with, the spent

convictions scheme both within their

organisation and throughout the sector in

general through publications and forwarding

information to a professional body. As this

satisfied A that the provider had adequately

dealt with the matter, the Commissioner

ceased the investigation.

Agencies should take steps to ensure

the requirements of the spent

convictions scheme are complied

with.

‘Taking into account’ spent

convictions includes

 asking questions about prior

convictions in interviews

 seeking information on such

convictions in criminal history

checks

 using information about spent

convictions.

T v Commonwealth

Agency

[2009] PrivCmrA 23

available at:

http://www.oaic.gov.au/p

rivacy/privacyarchive/

privacy-casenotes-

archive/

T was an employee of a

Commonwealth agency. In order to

investigate T’s conduct, the agency

prepared a report of T’s attendance

at work. T’s emails were also

examined. T alleged that the report

was incorrect, and that the agency

had failed to take reasonable steps to

ensure that T’s personal information

was accurate. T additionally alleged

that accessing the emails was

irrelevant to the investigation of T’s

conduct.

After comparing the report to building

access and timesheet records, the

Commissioner found that the report

contained easily remediable inaccuracies.

As the report was being used in decision

making about T, there was an increased

need for the information to be accurate, and

by failing to ensure this, the agency had

breached IPP 8. The agency apologised,

amended the report and paid compensation

to T. Examining T’s emails was determined

to be relevant to the conduct investigation,

however, and as such, the Commissioner

determined that T's privacy was not

interfered with under IPP 9.

Personal information must not be

used without taking reasonable steps

to ensure that the information is up to

date and accurate. Checking dates

and records are steps which should

be taken to ensure accuracy.

The more important the information is

to the particular decision making

process, the greater the need to take

steps to ensure the information is

accurate.

Employee emails may be relevant to

conducting investigations regarding

the conduct of an employee.

[COMMGOV: 12499538_1] 12

Case Reference Facts Determination Lessons learnt

N v Commonwealth

Agency

[2009] PrivCmr 17

(available at:

http://www.oaic.gov.au/p

rivacy/privacyarchive/

privacy-casenotes-

archive/)

N was an employee of a

Commonwealth agency, and had

lodged several complaints with

regard to their employment. The

agency provided N’s personal

information to a contractor hired to

investigate its handling of the

complaints. N claimed the agency

had improperly disclosed their

personal information without consent.

The Commissioner determined that, as the

agency had only provided the information to

the contractor for the limited purpose of

investigating the complaints, and the

information was returned to the agency

following the investigation, the agency had

complied with IPP 11 by retaining control of

the personal information and had not

disclosed it. As the information had been

collected for the purpose of administering

N’s employment, use of that information to

investigate the complaints was held to be

directly related to the purpose for which the

information was collected. The investigation

was closed as no breaches of the Privacy

Act were found.

Where personal information is

provided by an agency to an external

person, to perform services for the

agency and that person is bound by

an agreement to maintain the

confidentiality of that information, the

agency will not be deemed to have

disclosed the information as it retains

control over it.

The use of information collected

about an employee to investigation

complaints relating to that individual’s

employment with the agency is

permitted.

J v Commonwealth

Agency

[2009] PrivCmrA 13

(available at:

http://www.oaic.gov.au/p

rivacy/privacyarchive/

privacy-casenotes-

archive/)

Information about an investigation

into the conduct of J was provided to

a doctor assessing a later workplace

compensation claim. J claimed that

the information did not need to be

disclosed.

The Commissioner determined that J was

reasonably likely to be aware the

information would be disclosed, as the

purpose of the appointment was to assess

J’s ability to return to the workplace, and

the subject matter of the investigation could

have prevented J from returning to work. As

such, the information was relevant to the

decision the doctor needed to make, and

usual practice would be to provide such

information to a doctor performing

assessments of this nature. Additionally,

the agency notified J that the information

was going to be provided, and later gave J

a full copy of the information provided to the

doctor. The disclosure was consistent with

the limits in IPP 11.1(a).

Information can be disclosed to a

person or other entity where an

individual is reasonably likely to have

been aware that such information is

usually disclosed to that person or

entity. Whether a person is

reasonably likely to be aware that

such disclosure occur is determined

by looking at the purpose of the

collection of the information,

accepted practice and the nature of

the entity the information is disclosed

to.

Actual knowledge, or lack thereof, of

the disclosure is irrelevant. The

question is whether the individual

concerned is reasonably likely to be

aware that such information is

usually disclosed to such a person or

entity.

[COMMGOV: 12499538_1] 13

Case Reference Facts Determination Lessons learnt

Where information about an

employee is relevant to an

assessment of whether they are fit to

return to work, that information may

be provided to the medical

practitioner undertaking that

assessment.

F v Australian

Government Agency

[2008] PrivCmrA 6

(available at:

http://www.oaic.gov.au/p

rivacy/privacyarchive/

privacy-casenotes-

archive/)

F was a former employee of the

agency and complained that their

record held by the agency had been

accessed by a current employee of

the agency, who used the records to

locate where F was living, which

caused them to fear for the safety,

and resulted in F changing their

name and address. F raised the

issue with the agency and sought

compensation. The agency

acknowledged that F's records had

been accessed by a person

unauthorised to do so, but rejected

F's claim for compensation. The

agency terminated the employment

of the person who accessed F's

records.

The Commissioner took the view that the

agency had not taken reasonable steps to

protect F's personal information, and that

F's personal information had been used for

a purpose for which none of the exceptions

in IPP10 apply.

The Commissioner conciliated the matter

and the parties reached an agreement

under which F accepted a confidential

settlement for costs associated with the

change of name and address.

Employee records need to be

adequately protected from

unauthorised access as there may be

serious consequences for individuals

and agencies where there are

failures in this regard.

[COMMGOV: 12499538_1] 14

5. Partners and Families

The following cases illustrate that accepting personal information from, or disclosing personal information to, partners, spouses or other family members can cause significant

distress, and in some instances, may lead to physical harm.

Case Reference Facts Determination Lessons learnt

K v Commonwealth

Agency

[2010] PrivCmrA 13

available at:

http://www.oaic.gov.au/

privacy/privacyarchive/

privacy-casenotes-

archive/

K alleged that an agency improperly

disclosed their personal information to

their former partner. The agency

investigated the matter and agreed

that it had improperly disclosed that

information and had failed to comply

with the requirements of IPP11. The

agency made a written apology,

provided training to the employee

involved, and offered compensation to

K. K was not satisfied with those

steps, and in particular, considered the

amount of compensation offered by

the agency to be inadequate.

The Commissioner came to the view

that K had not provided sufficient

evidence to support their claim that the

compensation offered was inadequate.

In particular, no evidence was provided

to support K's claim for non-economic

loss. The Commissioner found that:

 the agency had adequately dealt with

the complaint;

 the compensation offered was

satisfactory; and

 the improper disclosure was a oneoff

incident that did not raise

systemic issues.

Where an improper disclosure

occurs and a complaint is received,

agencies should act promptly to:

 investigate the matter,

 make an apology,

 train, re-train or discipline

employees; and

 offer reasonable compensation

(where appropriate, and based on

the evidence of loss or damage

provided by the complainant).

P v Commonwealth

Agency

[2009] PrivCmrA 19

available at:

http://www.oaic.gov.au/

privacy/privacyarchive/

privacy-casenotes-

archive/

Due to domestic violence, P moved

out of the marital home and into a new

residence. Following break-ins and a

violent attack, P changed their name,

informing the agency, and moved

again to an address concealed from

their ex-partner. The ex-partner later

learned P’s new name from a letter

sent by the agency to the former

marital home. P contacted the agency,

which apologised and offered

compensation which P rejected as

insufficient.

The agency accepted that it should not

have disclosed the information and that

it had breached IPP 11. The

Commissioner conciliated the matter. An

initial claim by P for health treatment

and other costs in addition to injury to

feelings was rejected. After P provided

further evidence, the agency apologised

and offered an increased sum of

compensation, which P accepted.

Some breaches of privacy can have

serious consequences for the

individual concerned, including

physical harm.

[COMMGOV: 12499538_1] 15

M v Financial Institution [2009] PrivCmrA 16

available at:

http://www.oaic.gov.au/

privacy/privacyarchive/

privacy-casenotes-

archive/

M and their partner held a joint bank

account, the signature authority on

which M amended after a dispute.

Several weeks later, a relative of M's

partner provided further information

about the dispute to the financial

institution, after which a staff member

modified the joint account to require

both parties to sign any withdrawals.

Several days later, the financial

institution informed M of the change. M

alleged that their personal information

had been improperly collected from a

third party, and insufficient effort had

been made to ensure the information

was accurate.

While the financial institution argued it

had not collected the information, as it

had not asked for it, the Commissioner

held that information is collected if it is

gathered, acquired or obtained from any

source by any means. By updating the

account records, the financial institution

had collected the information for

inclusion in a record. As the financial

institution is required to collect

information from the person it is about

wherever it is reasonable and

practicable to do so under NPP 1.4, and

it was possible to do so, M’s privacy was

breached. The financial institution was

also held to have breached the

requirement to ensure personal

information is accurate under NPP 3.

Compensation was offered by the

financial institution and accepted by M.

APP 3, which will apply to agencies

from 12 March 2014, contains similar

collection principles to NPP 1.4. IPP8

and APP10 contain requirements

regarding data accuracy that are

similar to the requirement of NPP3.

Agencies should, therefore,

wherever practicable, obtain

personal information from the

individual that the information relates

to. Where it is reasonable and

practical to do so, information

obtained from third parties should be

checked with the individual it relates

to, in order to determine whether it is

accurate.

L v Commonwealth

Agency

[2008] PrivCmrA 12

available at:

http://www.oaic.gov.au/

privacy/privacyarchive/

privacy-casenotes-

archive/

L’s former spouse submitted a form to

the agency including L’s address. This

resulted in a clerical error which

applied L’s former spouse’s address to

L’s records, and mail intended for L

was sent to the former spouse as well.

The information disclosed resulted in

legal action between L and their

former spouse. The agency

acknowledged that the disclosure

contributed to subsequent legal costs,

and offered part payment of those

costs. L was dissatisfied with the

response.

The Commissioner conciliated the

matter, and it was resolved by payment

of a settlement including the initially

offered contribution to legal costs and

damages for injuries to L’s feelings.

Where the disclosure of information

contributes to costs for the individual

concerned, it may be appropriate for

the agency in question to pay part of

those costs.

[COMMGOV: 12499538_1] 16

6. Ministers, Members of Parliament and the Media

The following cases illustrate that where an individual makes a public complaint or a complaint to a Minister or Member of Parliament about an agency, that agency may

respond appropriately, including, where necessary, by disclosing relevant personal information.

Case Reference Facts Determination Lessons learnt

L v Commonwealth

Agency

(the Media)

[2010] PrivCmrA 14

available at:

http://www.oaic.gov.a

u/privacy/privacyarchive/

privacy-casenotes-

archive/

L made adverse comments in the

media and on a blog about the way

an agency handled a complaint L had

made to the agency. The agency, in

responding the media enquiry,

disclosed L's personal information to

a journalist, who published the

personal information in an article.

The Commissioner considered that L was

reasonably likely to have been aware that

the agency may respond in the way it did

to the issues L had raised. The

Commissioner took a preliminary view

that IPP11.1(a), which permits disclosure

of personal information where the

individual concerned is reasonably likely

to have been aware that information of

that kind is usually passed to that person,

body or agency, permitted the disclosure

of L's personal information to the

journalist. The complainant withdrew their

complaint.

Where a complaint against an agency is

raised publically by an individual, that

individual can be taken to be aware that the

agency might respond to the complaint,

including by disclosing information about

the individual that is pertinent to the

complaint to a journalist.

I v Commonwealth

Agency

(Members of

Parliament)

[2010] PrivCmrA 10

available at:

http://www.oaic.gov.a

u/privacy/privacyarchive/

privacy-casenotes-

archive/

I met with their State Member of

Parliament's office to raise issues

about I's dealing with an agency. I

provided the MP's office with copies

of correspondence between I and the

agency. The MP's office asked the

agency for further information about

I. The agency provided the

information to the MP's office. I

alleged that the agency had

improperly disclosed personal

information about I to the MP's office.

The Commissioner was satisfied that, in

having the Minister's office make

representations on I's behalf, I impliedly

consented to the disclosure of their

personal information by the agency to the

MP's office. The disclosure of the

information by the agency to the MP's

office was, therefore, permitted by

IPP11.1(b) (was a disclosure with the

consent of the individual concerned).

When an MP's office seeks further

information about an individual and their

dealings with an agency, the agency can

disclose information about the individual

and their dealings with the agency to the

MP's office.

The case note states that the

Commissioner's approach to this complaint

is consistent with OAIC's Provision of

personal information by Commonwealth

agencies to members of Parliameny

Guidelines, under which an agency may

provide personal information to a Member

of Parliament or his or her staff in response

to an enquiry on behalf of a constituent,

where the officer handling the enquiry is

satisfied as to the identity of the enquirer.

[COMMGOV: 12499538_1] 17

Case Reference Facts Determination Lessons learnt

Those Guidelines are available at:

http://www.oaic.gov.au/images/documents/

migrated/migrated/HRC_PRIVACY_PUBLI

CATION.pdf_file.p6_4_78.48.pdf

[COMMGOV: 12499538_1] 18

7. Denying access to personal information

The following case illustrates that in appropriate cases, access to personal information may be refused.

Case Reference Facts Determination Lessons learnt

G v Finance Company [2010] PrivCmrA 8

available at:

http://www.oaic.gov.au/

privacy/privacyarchive/

privacy-casenotes-

archive/

G sought access to their personal

information. G had made numerous

requests, over a period of four years,

for access to an account statement

held by the company, and had raised

their access requests with a number of

government entities and Members of

Parliament. The finance company had

provided G with access to their

personal information on at least two

occasions. The finance company then

denied access on the basis that the

request was frivolous and vexatious.

The Commissioner found that G's

request for access was a repeat request

for personal information that had already

been provided.

In an appropriate case, requests to

access personal information can be

denied.

From 12 March 2014, decisions of an

agency to refuse access must be

made within 30 days of the request,

and reasons for any refusal must be

given.