Privacy Commission issues new case notes

The Privacy Commission recently issued five new case notes regarding personal information handled by a money transfer service, a taxation accountant, a retail company, a utility company and an industry group. Summaries of the Commissioner's findings are detailed below.

For copies of the complaint case notes see http://www.privacy.gov.au/news/06_07.html

Authority to transfer personal information overseas and to a foreign regulatory body

In E v Money Transfer Service (2006) PrivCmrA 5 the complainant alleged that in the course of making an electronic transfer to their family in a foreign country the money transfer service had improperly transferred the information overseas and to a foreign regulatory body.

Section 13D of the Privacy Act provides that an act or practice of an organisation done or engaged in outside Australia is not an interference with the privacy of an individual if the act or practise is required by an applicable law. With respect to section 13D, the Commissioner’s view was that the Australian subsidiary of the money transfer service had collected the additional information in Australia. Therefore section 13D did not apply and the collection of information was subject to the Privacy Act.

National Privacy Principal (NPP) 9 requires that an organisation may only transfer personal information to an organisation in a foreign country under limited circumstances. Specifically, NPP 9 (b) allows for disclosure of personal information where the individual has consented to the transfer. In this instance, the complainants were advised why their transaction had been halted and for what purpose they needed to provide further information. The Commissioner’s view was that the complainant’s subsequent provision of the necessary documentation implied consent to the transfer and for this reason the transfer did not breach NPP 9. The Commissioner found that there had not been an interference with the complainant’s privacy.

Improper disclosure of individual’s Tax File Number information

Paragraph 2.4 of the Tax File Number Guidelines require that Tax File Number (TFN) recipients only use or disclose TFN information as authorised by taxation, assistance agency or superannuation law.

In F v G Taxation Accountant (2006) PrivCmrA 6 the Commissioner considered the issue of whether disclosure of the complainant’s TFN to a debt collector and solicitor for the purpose of pursuing the debt was consistent with the TFN Guidelines. In this case, the Commissioner found the TFN disclosure was inconsistent with the Guidelines. The taxation accountant agreed to the complainant’s request for an apology and compensation for costs associated with obtaining new group certificates.

Improper disclosure of Tax File Number information

In H v Chartered Accountant (2006) PrivCmrA 7 a chartered accountant, appointed administer of a company in liquidation, wrote to over 100 employees of the company regarding their employee entitlement claims including a complete list of each employees’ superannuation claims and their TFN information. In this case, the Commissioner decided that the disclosure of the complainant’s TFN information to other employees was in error and not done so in accordance with paragraph 2.4 of the TFN Guidelines.

In consultation with the Commissioner the chartered accountant agreed to take a number of steps to resolve the matter including contacting the Australian Taxation Office to coordinate a process for employees to apply for a new TFN if they wished to, writing to the complainant and all affected employees apologising for the disclosure of their TFNs and advising them of the process to obtain a new TFN, reminding the chartered accountant’s staff of their obligations under the TFN Guidelines, and instituting Guidelines for the handling of outgoing mail to help prevent such an occurrence happening in the future.

The complainant’s proposed remedy, which was the imposition of sanctions on the chartered accountant, was beyond the Commissioner’s powers.

Collection of sensitive information by a retail company for the purpose of loss prevention and the security of personal information and destruction of old records

In I v Retail Company (2006) PrivCmrA 8 the complainant alleged that the retail company had collected sensitive information about the individual’s criminal record without their consent and raised concerns about the security of the information which had been recorded on a database and the period for which the information had been retained.

The Commissioner investigated the matter and took the view that the information stating that the complainant had been accused and charged with theft constituted ‘sensitive information’ as defined in section 6 of the Privacy Act to include ‘information or an opinion’ about an individual’s criminal record. However the collection of this information was not subject to NPP 10, which prevents the collection of such sensitive information, as it occurred prior to the introduction of the NPPs on 21 December 2001.

Regardless of when information is collected, an organisation is required to take steps to ensure the security of the information and to destroy or permanently de-identify personal information if it is no longer needed. The Commissioner was satisfied that the retail company had adequate security measures in place (such as the limited accessibility of the database and password protection) to protect personal information in the database and were consistent with NPP 4.1. Further, the Commissioner determined that the proposed upgrade of the database and changes to the organisation’s retention policy, now being five years, satisfied the requirements of NPP 4.2. The retail company also confirmed that it had deleted the complainant’s information from the existing database in order to comply with its new policy.

Collection and disclosure of personal information by an industry group, disclosure of personal information by a utility company

In J v Utility Company and Industry Group (2006) PrivCmrA 9 the Commissioner considered the issue of whether the disclosure of the complainant’s personal information by the utility company, and the disclosure and subsequent collection of the information by the complainant’s industry group, was consistent with the NPPs. While business information is not usually covered by the Privacy Act, in this case, as the complainant was a sole trader, the information was found to identify the complainant.

NPP 2.1 provides that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose unless certain exceptions apply.

In considering the action of the utility company, the Commissioner found the disclosure by the utility company to be inconsistent with the NPPs and noted that the utility company had disclosed the complainant’s information in a way that contravened its own privacy policy.  The Commissioner was not satisfied that the disclosure of the complainant’s personal information, including personal contact details to the complainant industry body was related to the provision of utility services, which was the primary purpose for which the utility company held the company’s personal information. Further, there was insufficient evidence for the utility company to be satisfied that the complainant would have reasonably expected this disclosure. The utility company apologised to the complainant and stated that it was wiling to compensate the complainant for any distress the disclosure may have caused.

The industry group's disclosure and subsequent collection of personal information was considered necessary for the purpose of providing advice and assistance to its members and this would be within the reasonable expectation of its members. The industry group was found not to be in breach of the Privacy Act.

This article was written by Jacqueline Cachia, Graduate.

Name : Duncan Giles
Title : Special Counsel
Office : Sydney
Phone : +61 2 9225 5954
Fax : +61 2 9322 4000
Email : duncan.giles@freehills.com