Those notes ("intended to offer a synopsis only and not to be a comprehensive account") are -
• S and Telecommunication Company [2011] AICmrCN 13Highlights are as follows.
• R and Credit Reporting Agency [2011] AICmrCN 12
• Q and Financial Institution [2011] AICmrCN 11
• P and Retail Company [2011] AICmrCN 10
• O and Professional Association [2011] AICmrCN 9
• N and Law Firm [2011] AICmrCN 8
• M and Law Firm [2011] AICmrCN 7
• L and Insurer [2011] AICmrCN 6
• K and Finance Company [2011] AICmrCN 5
• J and Commonwealth Agency [2011] AICmrCN 4
• I and Insurance Company [2011] AICmrCN 3
• H and Registered Club [2011] AICmrCN 2
• G and Parking Services Organisation [2011] AICmrCN 1
In S and Telecommunication Company (re NPP 6.1 and 6.7) the complainant had attempted to access personal information held by a telco, which the person believed included correspondence to a law enforcement agency. The telco relied on its internal privacy policy in its explanation of its decision to deny access, going on to quote exceptions under NPP 6 (ie denial of access to an individual when access would prejudice activities being carried out by, or on behalf of, a law enforcement body) when the complainant pursued the matter.
In R and Credit Reporting Agency (re s 18G(a) of the Act 1988) the complainant became aware the agency had linked the person's consumer credit information file with the credit files of other individuals. The complainant advised the agency that there was no connection to the other individuals. The credit reporting agency refused to remove the links. The Commissioner considered that by linking the complainant's personal information to other individuals the agency had failed to take reasonable steps to ensure the accuracy of information in its records and that the agency had thus not met the requirements of s 18G(a). A conciliation took place.
In Q and Financial Institution (re s 6 and NPP 2.1) the complainant contracted with a buyer to sell his car, which was under finance to a financial institution. The financial institution advised a prospective buyer that the vehicle had been under finance but the account had recently been paid in full. The prospective buyer later obtained a letter from the financial institution confirming receipt of funds to finalise the account; subject to clearance of these funds it would release its security interest in the vehicle in ten working days. In providing this information to the prospective buyer the institution denied disclosing the complainant's personal information, arguing that the letter to the prospective buyer only contained details about the complainant's vehicle and did not mention the complainant's name or account number. The prospective buyer was aware that the complainant owned the car and that the car had been under finance. The fact that the prospective buyer had previous knowledge of these details did not lessen the institution's obligation under NPP 2.1 to only disclose an individual's personal information for the primary purpose of its collection, or for a secondary purpose where it can rely on one of the exceptions at NPP 2.1(a) to NPP 2.1(h). The Commissioner considered that the prospective buyer could have reasonably ascertained that details in the letter related to the complainant's account with the institution; on that basis the letter contained personal information about the complainant, contrary to NPP 2. Conciliation was reflected in the institution's agreement to change its practice, offer an apology and offered a goodwill payment.
In P and Retail Company (re NPP 1.1 and 1.2) the complainant alleged that a retail company recorded outbound calls it made without providing notification of that recording the calls. The complainant objected on the basis that there had been no notification or request for consent. The retailer advised the complainant that there had been notification through its interactive voice response system when the complainant made the first inbound call to the company, claimed as providing awareness and consent. The Commissioner referred to the Telecommunications (Interception and Access) Act 1979 (Cth) - all parties must have actual knowledge that the telephone conversation will be monitored, with notification occurring prior to the activity taking place for both inbound and outbound calls - before indicating that the subsequent calls received by the complainant were a continuation of the original incoming call where notification had been provided. The Commissioner appears to have been unimpressed by the retailer's claim of implied consent. The collection of personal information during such calls was unfair and unlawful, with the retailer failing to comply with NPP 1.2.
In O and Professional Association (re NPP 6.1 and 6.2) the complainant sought access to that person's completed and marked exam paper from a professional association, along with access to the associated documents used to mark and rate performance along with all relevant documentation used in assessment of an application for special consideration. The association (NSW Bar Council?) refused to provide access to most documents, including working papers for marking. The Commissioner considered the exception under NPP 6.2, concluding that access would reveal evaluative information generated in connection with the association's commercially sensitive decision making process and that the association had provided an explanation through its personal analysis letter. The Commissioner declined to investigate the complaint under s 41(1)(a) on the grounds that the association had not interfered with the complainant's privacy.
In N and Law Firm (re NPP 1.2 and 10) the complainant alleged that a law firm improperly collected personal information, including their health information, using covert film surveillance. The law firm was acting for an insurer, with the information being subsequently disclosed during court proceedings. The Commiossioner noted that NPP 10.1(e) allows collection of sensitive information for the establishment, exercise or defence of a legal or equitable claim. In this instance the collection was necessary for the defence of a legal claim; the Commissioner accordingly declined to investigate under s41(1)(a) of the Act.
In M and Law Firm [2011] (re NPP 2) another law firm, acting on behalf of the complainant's former utility provider, commenced debt recovery with the complainant. The complainant subsequently settled the debt and was advised by the utility provider that debt recovery would cease. Oops, prior to receiving advice of the settlement the lawyers sent correspondence to the complainant's neighbour seeking information about the complainant's whereabouts. The branding of the law firm, including on the letter to the neighbour, identified that its legal expertise included debt collection. The complainant complained that the law firm had contacted the neighbour and revealed an outstanding debt. The Commissioner concluded that the correspondence amounted to a disclosure of the complainant's personal information. The complainant would reasonably expect that an organisation would disclose its name, and the complainant's name, to contact a third party in the circumstances, which included the law firm not being able to contact the complainant. Disclosure by the law firm was consistent with NPP 2.1(a); the law firm had not interfered with the complainant's privacy. The Commissioner referred the complainant to the Australian Competition & Consumer Commission to consider whether the debt collection practices were consistent with ACCC debt collection guidelines.
In L and Insurer the Commissioner noted the xemption in s 7B(5) for action under a State contract. The complainant, who had lodged workers compensation claims with two current employers, alleged the insurer disclosed details about a third unrelated compo claim to solicitors handling the claims for the two current employers. The Commissioner considered that, as the appointed claims manager of a state government body, the insurer was a contracted service provider to a state body. Additionally, the insurer had handled the complainant's personal information in relation to the two current workers compensation claims, for the purpose of directly or indirectly meeting its obligations as claims management agent for the state government corporation. The insurer's actions were thus exempt under the Privacy Act.
In contrast, I and Insurance Company (re NPP 3) concerned an insurance company collecting the complainant's personal information from a third party insurance industry database. The complainant was a loss assessor and the insurer was investigating alleged fraud. The complainant's file on the industry database featured multiple enquiry listings about the complainant and inaccurately listed the purpose for those enquiries. The insurer attributed the multiple enquiries to inexperienced staff andagreed that several of the descriptors were inaccurate. The Commissioner found that the insurer had recorded incorrect descriptors against the complainant's personal information and by not using a reference number was unable to verify why it had made the enquiries, or to find the various entries when it needed to correct the information. The insurer had thus not taken reasonable steps to ensure the personal information it disclosed was accurate and complete. In conciliation the insurer's procedures were changed, the complainant's personal information on the industry database was amended and the complainant received an unconditional apology.
In K and Finance Company (re ss 18E and 6 of the Act and para 65 of the explanatory notes to the Credit Reporting Code of Conduct) the complainant claimed to have signed as guarantor for a loan for a family member. The finance company providing the loan to that relative subsequently listed a serious credit infringement on the complainant's consumer credit information file held by a credit reporting agency. A copy of the loan contract obtained by the Commissioner showing the complainant was a joint borrower with the family member rather than a guarantor for the loan and that the complainant was made aware at the time of signing the loan contract that personal information might be disclosed to a credit reporting agency. The financier had sent demand letters to the complainant's last known address, with the mail had been returned marked 'not known at this address'. A collection agent visited the complainant's last known address and reported the complainant was no longer at the address, the complainant's home telephone number had been disconnected, and messages left by the finance company on the complainant's mobile telephone went unanswered. The Commissioner concluded that at the time of the listing the account was overdue, with the finance company having made reasonable efforts without success to contact the complainant. The complainant had stopped making payments under the credit contract and that the actions of the complainant would indicate to a ‘reasonable person' an intention to no longer comply with obligations in relation to the debt. The financier had not interfered with the complainant's privacy.
In J and Commonwealth Agency (re IPP 1, 10 and 11) the complainant claimed that during lodgement of an application with Administrative Appeals Tribunal (AAT) regarding a decision made by an Australian Government agency that agency obtained the complainant's fingerprints and provided them to a law enforcement body for the purpose of analysing certain documents. The agency advised that it had submitted the fingerprints for the sole purpose of having them forensically tested, as part of its duty to check the veracity of documents for an external tribunal. The law enforcement agency confirmed that, in line with its standard procedure, it would destroy the information when advised to do so by the referring agency. The Commissioner concluded that use of the fingerprints was consistent with the purpose for collecting the fingerprints – to check the veracity of documents – and was therefore authorised under IPP 10.
In H and Registered Club (re NPP 1.1, 1.3 and 4.2) the complainant alleged that a registered club interfered with their privacy by scanning their driver licence and, in doing so, recording unnecessary information. The complainant conceded that the club was required to collect their name, address and signature but argued the collection of the other information on the licence (inc date of birth, driver's licence number, driver's licence type and photograph) to be unnecessary. The club relied on statutory obligations to retain certain personal information for five years, stating it had a procedure in place to delete the information after that time. It would not agree to cease or alter its identity scanning practices, instead continuing to offer patrons the option of manually completing and signing its entry register. The club advised that a privacy statement is displayed at its entrance regarding collection and handling of their personal information; the statement is also displayed on the terminal when identification is scanned. The Commissioner decided that the offer of deletion coupled with the alternative option of manual sign-in adequately dealt with the collection issues in the complaint.
In G and Parking Services Organisation (re NPP 1.1, 1.2 and 4.2) the complainant alleged that a parking services organisation had no reason to collect the person's personal information and sought destruction of the information. The parking body had a short business relationship with the complainant and believed it was owed money from that relationship, going on to obtain a subpoena for records held by a state government department. These records contained the complainant's personal information, relating to the complainant. Sounds like the WA problem noted recently. The complainant alleged there was a mistake - there was no debt and it was thus unnecessary for the organisation to collect/hold the personal information. The complainant had not received a response after raising the issue with the parking body. That body indicated to the Commissioner that at the time it collected the complainant's personal information it believed the complainant owed money. It noted that the information was not obtained by deception but through a court subpoena. It went on to note that it later identified that there had been an administrative error: the complaint did not owe a debt. No matter, it seems: when the information was collected from the state government department the organisation believed in good faith that the information was necessary to pursue the non-payment for its services. That received a pat on the head from the Commissioner, which noted that the parking body did not need the complainant's consent before it collected the information, which was necessary for its activities and "was collected by lawful and fair means and not unreasonably intrusively". The Commissioner was similarly persuaded by the body's claim that it was required to keep the complainant's personal information to meet obligations with other laws, including taxation and corporations law. The body had written to the complainant, outlining why it needed to continue to hold the personal information in its records and the timeframe for destruction (ie for at least five years). The case note states that the Commissioner is "satisfied that the organisation had a legitimate reason for retaining the complainant's personal information". The implication seems to be that if you act in good faith in seeking recover a non-exiostent debt you get to keep the data for seven years, rather than apologising for your ineptitude and deleting the info forthwith.