16 October 2011

Victorian Privacy Case Notes

The Victorian Privacy Commissioner has released two Case Notes.

Complainant AU v Public Sector Agency [2011] VPrivCmr 3 concerns handling of a bullying complaint from a female state government employee. The Complainant made a written complaint regarding co-workers and was advised that a full copy of the documentation would be provided to each of the alleged bullies. She initially agreed, in the belief that there was no choice but later attempted via to withdraw consent. She was then advised that the complaint documentation had already been forwarded to the unit manager (an alleged bully) who had forwarded it to other alleged bullies, consistent with the employer's internal policy. She claimed that the disclosure to the alleged bullies breached her privacy under Information Privacy Principles 2.1, 4.1 and 1.3 and argued that the alleged bullies should only have had access to the information that was relevant to each individual rather than the entire document containing all alleged incidents. She also argued that the policy statement provided to her was out of date.

The Privacy Commissioner found that in dealing with a complaint about staff members an employer must disclose only what those people 'need to know' in order to respond to the complaint. In considering the employer's handling of the bullying complaint -
the disclosure of all of the Complainant’s documentation in full (setting out the Complainant’s state of mind, emotional responses to the incidents, and outcomes sought) to all of the alleged bullies appeared to be far more than what they needed to respond to the complaint about their own alleged behaviour.

Disclosure of information in this context should have been kept to the minimum necessary to investigate the matter and would not require the wholesale disclosure that had occurred in this instance.
The Commissioner considered that it was possible to edit the document to protect the Complainant’s privacy.

The Commissioner considered the notion of consent, deciding that in this instance consent could not be relied on by the employer because under 2.1(b) individuals must be provided with a real choice about what will happen with their personal information.

In considering IPP 4 (Data Security) the Commissioner found that by providing more information to the alleged bullies than was necessary the employer had not taken reasonable steps to protect the personal information it held.

In Complainant AV v Body Established for a Public Purpose [2011] VPrivCmr 4 the Commissioner referred a complaint to conciliation, on the basis that there were insufficient grounds to exercise discretion to decline the complaint under s 29 of the Act.

The Complainant had attended two performances at a theatre (a body established for a public purpose under statute). Each time the Complainant was asked for his name, address, email address and telephone number, despite wanting to pay with cash.
Staff of the theatre informed him that refusal or failure to provide the requested information would result in him being refused entry to the venue. The Complainant complained at the time about the unnecessary collection of his personal information, but the complaint was not logged by the organisation and was not escalated further. He was admitted to the venue, however, as he already had an account under his name with the theatre.

The Complainant complained to the Privacy Commissioner, arguing that the theatre had breached IPP 1.1 by collecting personal information about him that was not necessary for its functions or activities, and had failed to provide him with the option of transacting anonymously with the organisation under IPP 8.1.
The theatre argued that there was no breach of the Complainant’s privacy as it had conducted an investigation into the complaint and found that staff at the ticket office could not recall the incident. It also argued that because the Complainant had only complained to ticket office staff and had not escalated the complaint higher the theatre did not have a chance to respond to the complaint.

The Commissioner took a positive stance, noting that there was disagreement about whether the information had been collected at all. The Commissioner stated that a ticket person's failure to escalate a complaint was insufficient reason for the Commissioner to decline the complaint. The Commissioner indicated that whether information collected was necessary for a function or activity of an organisation, and accordingly whether an option to transact anonymously was practicable, depended on the circumstances.