Australia - Case Notes

A v Medical Practitioner

Case Citation: 

A v Medical Practitioner [2009] PrivCmrA 1 

Subject Heading:

Collection of personal information and access to personal information

Law:

National Privacy Principles 1.1, 10.1 and 6.1 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

The complainant wrote to their medical practitioner requesting a copy of all of the personal information that the practitioner held about them in their medical record.  A period of thirty days passed and the complainant had not received a response from the medical practitioner.

The complainant made a further request for a copy of their medical record.  The complainant also requested that an original specialist medical report they had provided to the medical practitioner be returned, stating that the report was only to be seen by the practitioner and not retained as part of their medical record.  The practitioner provided the complainant with a written response to their request, but did not provide them with copies of their medical records nor the original specialist report.

The complainant claimed that the medical practitioner had interfered with their privacy by failing to provide them with access to their medical record, and by unnecessarily retaining the original specialist report.

Issues:

NPP 1.1 states that an organisation must not collect personal information unless the information is necessary for its functions or activities.

NPP 10.1 provides that an organisation must not collect sensitive information about an individual unless certain circumstances exist, such as where the individual has provided consent.

NPP 6.1 provides that individuals may access personal information that organisations hold about them unless certain exceptions apply.

While NPP 6 does not specify the form of access, it is the Commissioner's view that access should generally be provided in the form requested by the individual.

Outcome:

The Privacy Commissioner investigated the matter under section 40(1) of the Privacy Act. 

The Commissioner found that the medical practitioner had sought advice following the complainant's first request for access.  The practitioner had not yet responded to the first request when they received the complainant's second request for access.

While the Commissioner acknowledged the delay whilst the medical practitioner sought advice, she did not consider it to be a failure or refusal to provide the complainant with access to their personal information.  The delay did not constitute an interference with the complainant's privacy.

When the medical practitioner responded to the complainant's requests for access they provided the complainant with written information about how to access their personal information.  The practitioner offered the complainant the opportunity to view, but not copy, their medical record.  The practitioner also offered to assist the complainant in understanding the content of the detailed record.

The practitioner also advised the complainant that the original specialist report provided several years prior had been incorporated into the complainant's medical record and would not now be removed.  The complainant was offered access to the original specialist report as part of their access request.

The complainant did not accept the practitioner's offer to view their medical record.  They were also dissatisfied that the original specialist report remained on their medical record and would not be returned to them.

While it is the Commissioner's view that, generally, access should be provided in the form requested by an individual, in some cases it is neither possible nor appropriate to do so.  An organisation is still able to meet the obligations imposed by NPP 6.1 by providing access in another form.

The Commissioner formed the view that in this case, the medical practitioner had met the requirements of NPP 6.1 by offering the complainant the opportunity to view their medical record.

The Commissioner also considered that the specialist report was collected by the practitioner because it was necessary and relevant to their treatment of the complainant.  Additionally, the Commissioner considered that the specialist report was provided to the medical practitioner with the complainant's consent.  It was then incorporated into their medical record where it remained until several years later, when the complainant asked for it to be returned.

The Commissioner formed the view that this was neither a breach of NPP 1.1 nor NPP 10.1 as the collection of the report was both necessary and done with the complainant's consent.

The Commissioner closed the complaint under section 41(1)(a) of the Privacy Act on the basis that the medical practitioner had not interfered with the complainant's privacy.

OFFICE OF THE PRIVACY COMMISSIONER

May 2009



B v Cleaning Company

Case Citation: 

B v Cleaning Company [2009] PrivCmrA 2 

Subject Heading:

Disclosure of personal information and the employee records exemption

Law:

National Privacy Principle 2.1 in Schedule 3, and Section 7B(3) of the Privacy Act 1988 (Cth)

Facts:

The complainant was employed by a large cleaning company for several years before resigning from their position.  At the time of their resignation, the complainant owed a sum of money to another organisation and had entered into a repayment arrangement.  The complainant then defaulted on that arrangement.

The organisation contacted the complainant's former employer, the cleaning company, seeking information as to the complainant's whereabouts.  A statement later provided to the complainant by the organisation indicated that the cleaning company had disclosed the complainant's personal information to the organisation, including their address and financial details.

The complainant complained that the personal information collected for the purposes of their employment was inappropriately disclosed by the cleaning company.

Issues:

Section 7B(3) of the Privacy Act exempts the handling of employee records.  To be exempt, the act or practice complained of must be related to a current or former employment relationship, and the personal information subject to the complaint must be held in an employment record.

NPP 2.1 provides that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection unless an exception in National Privacy Principle 2.1(a)-(h) applies.

Outcome:

The Privacy Commissioner investigated the matter under section 40(1) of the Privacy Act. 

The Commissioner examined the information available and was of the view that the complainant's personal information had been disclosed by the cleaning company.

The cleaning company claimed that the disclosure was subject to the employment records exemption and that it did not have to comply with the requirements of NPP 2.1.

The Commissioner found that the personal information in question was held in an employment record by the cleaning company.  The cleaning company was clearly the former employer of the complainant.

However, the act or practice complained about was the disclosure of the complainant's personal information to an organisation to which the complainant was personally indebted.  This disclosure was not related to their employment and was therefore an act or practice unrelated to the administration of the complainant's employment with the cleaning company.  As such, the disclosure was not exempt and must comply with NPP 2.1.

The Commissioner formed the view that none of the exceptions listed at NPP 2.1 applied to the disclosure and found that the cleaning company had interfered with the complainant's privacy.

The cleaning company agreed to the conciliation of this matter under section 27(1)(ab) of the Privacy Act.  It apologised to the complainant and agreed to develop and implement privacy training for all staff in the management of personal information.

The Commissioner closed the complaint under section 41(2)(a) of the Privacy Act on the grounds that the cleaning company had dealt adequately with the matter.

OFFICE OF THE PRIVACY COMMISSIONER

May 2009



C v Commonwealth Agency

Case Citation: 

C v Commonwealth Agency [2009] PrivCmrA 3 

Subject Heading:

Disclosure of personal information

Law:

Information Privacy Principle 11 in Part III Division 2 of the Privacy Act 1988 (Cth)

Facts:

The complainant was receiving a benefit from a Commonwealth government agency.  The complainant applied for a change to the benefit but was refused.  Dissatisfied with the agency's decision, the complainant lodged a complaint with the appropriate tribunal in an effort to have the agency's decision changed. 

When the tribunal was hearing the complainant's matter, the complainant viewed the documents that the agency had provided to the tribunal for its consideration.  The complainant claimed that those documents were not relevant to the matter being heard.  They claimed that the disclosure of the personal information in those documents was unnecessary.  The agency claimed that it was obliged to provide those documents to the tribunal.

Issues:

IPP 11 prohibits agencies from disclosing personal information to anyone other than the individual concerned, unless an exception applies.  IPP 11.1(d) states that an agency may disclose personal information if the disclosure is required or authorised by law. 

Outcome:

The Privacy Commissioner investigated the matter under section 40(1) of the Privacy Act. 

The Commissioner confirmed that the role of the particular tribunal is to review complaints about an agency's decision or conduct.  In doing so, the tribunal is required to notify the complainant and the agency if the matter is to be reviewed.  The tribunal also has powers vested in it by its governing legislation that allow it to obtain information from the agency to review the matter at hand.  The agency is required to provide the information to the tribunal within 28 days of the notice being issued.  

In this instance, the Commissioner found that the tribunal issued the agency with a written notice in accordance with its governing legislation.  That notice required that the agency provide the tribunal with copies of those documents that the agency considered relevant to its decision concerning the complainant's benefit. 

The agency reviewed all of the information that it held about the complainant and provided to the tribunal only copies of the documents that it considered relevant to the complainant's matter.

The notice issued to the agency by the tribunal did allow the agency to consider what information might be relevant to the matter.  The Commissioner found that this was permissible under the terms of the governing legislation and then turned her mind to the issue of relevance.

The Commissioner considered that for information to be relevant to the matter at hand, it should have some bearing on, or be connected to, that same matter.  The Commissioner was satisfied that the agency had properly considered whether all of the information it held about the complainant was relevant to the matter being reviewed by the tribunal, and had only provided the tribunal with that information in response to its notice.

The Commissioner formed the view that the agency had met the obligations imposed by IPP 11.1(d) in that it was required by law to disclose to the tribunal all of the information that it held about the complainant if it considered that information relevant.

The Commissioner closed the complaint under section 41(1)(a) of the Privacy Act on the basis that the agency had not interfered with the complainant's privacy.

OFFICE OF THE PRIVACY COMMISSIONER

May 2009



D v Finance Company

Case Citation: 

D v Finance Company [2009] PrivCmrA 4 

Subject Heading:

Improper listing of a payment default on an individual's consumer credit information file

Law:

Section 18E in Part IIIA of the Privacy Act 1988 (Cth) and Paragraph 2.7 of the Credit Reporting Code of Conduct

Facts:

The complainant entered into a loan agreement with a finance company for the purchase of a motor vehicle.  The complainant repaid the loan by regular direct debit.

Before the loan was repaid in full the direct debit arrangement ceased.  The complainant was unaware that the account had fallen into arrears until they found a default listed on their consumer credit file.

The complainant claimed that they had not received any notification from the finance company of the amount outstanding or of the finance company's intention to list the default on their consumer credit file.

Issues:

Section 18E(8)(a) of the Privacy Act restricts information that can be disclosed by a credit provider to a credit reporting agency.

Where a payment in relation to consumer credit is outstanding and remains unpaid, a credit reporting agency may record a 'default listing' on the individual's credit report.  The Privacy Act permits a credit reporting agency to list an overdue payment if:

Outcome:

The Privacy Commissioner commenced an investigation of the matter under section 40(1) of the Privacy Act. 

The Commissioner found that when the complainant's account fell into arrears the finance company had attempted to contact them by writing to them at their last known address.

However, during the investigation it became apparent that the address used by the finance company was incomplete.  The finance company had omitted enough information from the address so that it was unlikely that the complainant could have received the letters advising them the account was in arrears and that the default would be listed on their credit report.

The Commissioner exercised the powers of conciliation under section 27(1)(ab) of the Privacy Act to attempt to resolve the matter.

The complainant indicated that they would be satisfied with the payment default listing being removed from their consumer credit file.  The finance company agreed and promptly contacted the credit reporting agency to ask that the listing be deleted.

The credit reporting agency removed the payment default listing.  Satisfied that the matter had been adequately dealt with by the finance company, the Privacy Commissioner closed the matter under section 41(2)(a) of the Privacy Act.

OFFICE OF THE PRIVACY COMMISSIONER

May 2009



E v Advertiser

Case Citation: 

E v Advertiser [2009] PrivCmrA 5 

Subject Heading:

Improper listing of a payment default on an individual's consumer credit information file

Law:

Sections 18E and 18G in Part IIIA of the Privacy Act 1988 (Cth) and Paragraph 2.7 of the Credit Reporting Code of Conduct

Facts:

The complainant had a number of items advertised for sale in a local newspaper and in an online advertisement.  Those items were left over from a business venture that the complainant had since ceased.  The respondent organisation, an advertiser, contacted the complainant offering to readvertise those goods.  The complainant claimed that they did not accept the advertiser's offer.

Several weeks later the complainant received a letter from the advertiser which they did not open.  The complainant then received another letter from the advertiser and found that it contained an invoice for the publication of the complainant's advertisement.  The complainant maintained that they had not accepted the advertiser's offer to readvertise the goods and refused to make any payment.  The advertiser later contacted a credit reporting agency to have the complainant's failure to pay the invoice recorded on their consumer credit file.

The complainant claimed that the default listing was invalid as they had not engaged the services of the advertiser.

Issues:

Section 6(1) of the Privacy Act defines 'credit' as a loan that is intended to be used wholly or primarily for domestic, family or household purposes.  This is considered consumer credit and is regulated by Part IIIA of the Privacy Act.  Credit sought or obtained for any other purpose is considered commercial credit and is not regulated by Part IIIA of the Privacy Act.

Section 18E(8)(a) of the Privacy Act restricts information that can be disclosed by a credit provider to a credit reporting agency.

If a payment in relation to consumer credit is outstanding and remains unpaid, a credit reporting agency may record a 'default listing' on the individual's credit report.  The Privacy Act permits a credit reporting agency to list an overdue payment if:

Additionally, according to section 18G of the Privacy Act, a credit provider or credit reporting agency in possession or control of a credit report must take reasonable steps to ensure that personal information contained in the file or report is accurate, up-to-date, complete and not misleading.

Outcome:

The Privacy Commissioner commenced an investigation of the matter under section 40(1) of the Privacy Act.

The Commissioner first considered whether any credit extended to the complainant was intended for commercial or consumer purposes.

The goods for sale were once part of a business run by the complainant and could be considered commercial in nature.  However, the complainant's business had ceased and the goods had become part of the complainant's personal or household belongings.  Additionally, the subject of any agreement between the complainant and advertiser was for the publication of an advertisement for those goods, rather than the goods themselves.

In the circumstances, the Commissioner considered that any credit provided to the complainant was for personal or household purposes. 

This meant that the advertiser would be required to comply with the consumer credit reporting provisions in Part IIIA of the Privacy Act.

The Commissioner found that the advertiser had phoned the complainant offering to readvertise the goods for sale and offered the complainant the opportunity to pay for the advertisement immediately or to be invoiced at a later date.

Though the complainant denied agreeing to the advertisement, the advertiser claimed that the complainant accepted its offer and opted to receive an invoice for payment.  The advertiser claimed that it collected the complainant's personal information directly from them during that phone call.  It stated that without collecting that information from the complainant, the invoice could not have been issued nor would the advertisement have been published.

The Commissioner considered all of the information available and formed the view that the complainant had agreed to the service provided by the advertiser, and had elected to be invoiced for payment at a later date.

The account was established and a full invoice posted to the complainant's address.  The complainant did not open this letter nor pay the account.  A second invoice was posted to the complainant but the account remained unpaid.  The advertiser then recorded the default on the complainant's consumer credit information file.

The Commissioner was satisfied that the parties had engaged in a valid credit agreement for the advertisement of the complainant's goods.  The Commissioner was also satisfied that the account was more than 60 days overdue at the time of the listing, that the advertiser had attempted to recover the amount owing by writing to the complainant, and had notified the complainant that, if unpaid, the account would be recorded on the complainant's consumer credit file.

The Commissioner closed the matter under section 41(1)(a) of the Privacy Act on the basis that there had been no interference with the complainant's privacy.

OFFICE OF THE PRIVACY COMMISSIONER

May 2009



OMI v Medical Centre

Case Citation: 

Own Motion Investigation v Medical Centre [2009] PrivCmrA 6 

Subject Heading:

Failure to keep sensitive personal information secure

Law:

National Privacy Principle 4.1 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

The Privacy Commissioner was informed that a number of medical documents, including patients' prescriptions and pathology results, were found scattered in a public park adjacent to a private medical centre.  The name of the centre was visible on some of the documents.  The documents included patients' names, addresses and phone numbers.  The information given to the Commissioner suggested that the documents had come from a large bin at the rear of the private medical centre.

Issues:

Section 6 of the Privacy Act defines personal information as information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.  Sensitive information is a particular subset of personal information to which more stringent standards apply.  It includes, but is not limited to, an individual's health information.

NPP 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

In deciding what are 'reasonable steps' to ensure data security an organisation must consider a number of factors.  For instance, what is reasonable depends on the circumstances in which personal information is held.  The sensitivity of personal information stored is also an important factor and higher levels of security could be expected for sensitive information, such as health information.

Outcome:

The Privacy Commissioner commenced an own motion investigation under section 40(2) of the Privacy Act.

The medical centre responded promptly to the Commissioner's investigation as it had already commenced its own investigation into the matter.

The medical centre found that a lock on a medical waste bin, kept outside at the rear of the centre, had been tampered with and the contents of the bin thrown around an adjacent public park.  The contents included medical documents belonging to the centre that contained individuals' personal and sensitive information.

The medical centre advised that facilities near the park, including rear access to a shopping centre, a car park, and a public toilet block, had previously been broken into or vandalised.

Having regard to the sensitivity of the information held by the medical centre, the Commissioner and the centre devised a number of steps that the centre could take to ensure that information was kept securely.

The medical centre advised that it had already sought council approval to have secure fencing installed around the premises to reduce the risk of break-ins and vandalism.  It agreed to move the secure medical waste bin inside the secured premises so that it could not be tampered with.  The bin was fitted with a new secure lock to which the medical centre manager held the key.

The medical centre developed policies and procedures for the secure destruction of personal information and trained medical and administrative staff in the proper destruction of both medical waste and medical documents.  The medical centre instructed its staff that medical documentation was not to be left with general medical waste for collection.  Instead, the centre obtained a shredder so that medical documents that were no longer needed could be securely destroyed on-site.

The medical centre also advised the Commissioner that it would write to all of its patients and advise them of the matter and the steps the medical centre was taking to address it.

The Commissioner considered all of the action taken by the medical centre and was satisfied that it had taken reasonable steps to protect the sensitive information it holds from misuse and loss, and from unauthorised access, modification or disclosure.  As the medical centre had met the obligations imposed by NPP 4.1, the Commissioner ceased her own motion investigation into the matter.

OFFICE OF THE PRIVACY COMMISSIONER

May 2009
