Archived Posts Lists

Australian Regulatory Compliance Review
Australian Technology and IP Business
Credit Union and Mutual Law
National Consumer Credit Reform
Personal Property Securities Australia
Longview Business Insights
Australian Private Health Insurers
Wills, Trusts, Super
Mutuals Resource Centre


Commonwealth legislation
Corporate Governance
Not-for-Profit links
Regulator Links

January 9, 2012

OAIC Privacy case notes 1-13 of 2011

The Office of the Australian Information Commissioner published 13 privacy case notes on 22 December 2011.

The cases include successful complaints against a registered club, an insurer, a credit reporting agency, a financial institution and a retailer.

In G and Parking Services Organisation [2011] AICmrCN 1 dealt with a complaint against a parking services organisation which, in order to pursue the debt, obtained a court subpoena for records held by a state government department. These records contained the complainant's personal information, relating to the complainant.The Commissioner considered that the collection of the complainant's information by the parking services organisation was necessary for its activities and was collected by lawful and fair means and not unreasonably intrusively. Accordingly, the Commissioner found that the collection was permitted by the Privacy Act. The information provided by the organisation showed that the obligations it had under taxation and corporations law meant it had to keep records for at least five years. On this basis, the Commissioner was satisfied that the organisation had a legitimate reason for retaining the complainant's personal information.

In H and Registered Club [2011] AICmrCN 2 the complainant alleged that a registered club interfered with their privacy by scanning their driver licence and, in doing so, recording unnecessary information. The complainant conceded that the club was required to collect their name, address and signature. However, the complainant considered the collection of the other information on the licence, including their date of birth, driver's licence number, driver's licence type and photograph to be unnecessary. The complainant also raised concerns that the registered club's notice and security procedures were insufficient. The registered club would not agree to cease or alter its identity scanning practices. Instead, it explained it would continue to offer its patrons the alternate option of manually completing and signing the register. The registered club also offered that, if a patron changed their mind after having their identification scanned; it would endeavour to delete this information in a similar way to the complainant. The Commissioner decided that the offer of deletion coupled with the alternative option of manual sign-in adequately dealt with the collection issues in the complaint. The Commissioner also considered the security procedures and notice at the entrance of the club adequately dealt with that aspect of the complainant's complaint.

In I and Insurance Company [2011] AICmrCN 3 the complainant was a loss assessor in the insurance industry. In the course of investigating alleged fraud an insurance company collected the complainant's personal information from a third party insurance industry database. The complainant accessed their file on the industry database and discovered that the insurance company had made multiple enquiry listings about them and had inaccurately listed the purpose for the enquiries. The Commissioner found that the insurance company had recorded incorrect descriptors against the complainant's personal information. Also, by not using a reference number, the insurance company was not able to verify why it had made the enquiries, or to find the various entries when it needed to correct the information. As such, the Commissioner formed the view that the insurance company had not taken reasonable steps to ensure the personal information it disclosed was accurate and complete. The insurance company amended the complainant's personal information held with the insurance industry database so it was accurate. The insurance company also offered the complainant an unconditional apology, which the complainant accepted.

In J and Commonwealth Agency [2011] AICmrCN 4 the complainant claimed that during the AAT application process, the agency obtained their fingerprints and provided these to a law enforcement body for the purpose of analysing certain documents.The agency advised the Commissioner that it collected the complainant's fingerprints and provided them to a law enforcement agency to verify the authenticity of documents considered relevant to the complainant's AAT application. On this basis, the Commissioner found the collection was for a lawful purpose and directly related to one of the agency's functions

In K and Finance Company [2011] AICmrCN 5 the complainant complained that a finance company who provided the loan to a family member subsequently listed a serious credit infringement on the complainant's consumer credit information file held by a credit reporting agency. The Commissioner obtained a copy of the loan contract showing the complainant was not a guarantor for the loan but was a joint borrower with the family member. The loan contract showed that the complainant was made aware at the time of signing the loan contract that their personal information may be disclosed to a credit reporting agency. Additionally, the finance company had sent a number of demand letters to the complainant's last known address and the mail had been returned marked ‘not known at this address'. A collection agent visited the complainant's last known address and reported the complainant was no longer at the address, the complainant's home telephone number had been disconnected, and messages left by the finance company on the complainant's mobile telephone went unanswered. Based on the information provided by the finance company, the Commissioner formed the view that, at the time of the listing, the account was overdue and that the finance company had made reasonable efforts without success to contact the complainant. The Commissioner was also satisfied that the complainant had stopped making payments under the credit contract and that the actions of the complainant would indicate to a ‘reasonable person' an intention by the complainant to no longer comply with their obligations in relation to the debt.

In L and Insurer [2011] AICmrCN 6 the complainant had lodged workers compensation claims with two current employers. The complainant alleged the insurer handling those claims disclosed details about a third, unrelated workers compensation claim against a previous employer to the solicitors handling the claims for their two current employers. The Commissioner considered that the insurer had handled the complainant's personal information in relation to the two current workers compensation claims, for the purpose of directly or indirectly meeting its obligations as claims management agent for the state government corporation. Consequently, the Commissioner found the insurer's actions were exempt under the Privacy Act.

In M and Law Firm [2011] AICmrCN 7 a law firm, acting on behalf of the complainant's former utility service provider, commenced debt recovery with the complainant. Before the utility service provider advised the law firm of the settlement the law firm sent correspondence to the complainant's neighbour seeking information from the neighbour about the complainant's whereabouts. The branding of the law firm, including on the letter to the neighbour, identified that its legal expertise included debt collection. The Commissioner formed the view that the correspondence sent by the law firm amounted to a disclosure of the complainant's personal information. The information disclosed was that the law firm wished to contact the complainant, not any specific information about the debt. The Commissioner considered that the disclosure of the complainant's information to a third party for the purpose of assisting them with their investigation into the complainant's whereabouts was related to the primary purpose of debt collection and was permitted. But the Commissioner referred the complainant to the Australian Competition and Consumer Commissioner to consider whether the debt collection practices were consistent with its debt collection guidelines.

In N and Law Firm [2011] AICmrCN 8 the complainant alleged that a law firm acting for a client insurer interfered with their privacy by improperly collecting their personal information, including their health information, using covert film surveillance. The Commissioner was of the view that the law firm's collection of personal information was by fair means and not in an unreasonably intrusive way as it was part of defending a claim where the law firm and insurer suspected that the individual may have misrepresented their claim or the extent of their injuries.

In O and Professional Association [2011] AICmrCN 9 the complainant sought access to their completed and marked exam paper from a professional association. The complainant also sought access to the associated documents which were used to mark and rate their performance along with the application for special consideration and all relevant documentation used in assessment of that application. The professional association refused to provide the complainant with working papers for marking. The Commissioner agreed that providing access to these documents would reveal evaluative information generated in connection with the commercially sensitive decision making process of the Professional Association. The Commissioner was also of the view that the professional association had provided an explanation of the commercially sensitive decision through its personal analysis letter.

In P and Retail Company [2011] AICmrCN 10 the complainant alleged that a retail company recorded outbound calls it made to them without providing notification that it was recording the calls.The retail company verbally apologised. However, it advised the complainant that they had been notified about the recording of calls by the interactive voice response system when they made their first inbound call to the retail company. In considering whether the collection was by fair and lawful means, the Commissioner had regard to the relevant industry standards and telecommunications recording laws. The Telecommunications (Interception and Access) Act 1979 (Cth) specifies that all parties in the telephone conversation must have actual knowledge that the conversation will be monitored and this notification must occur prior to the activity taking place for both inbound and outbound calls. Notification can be by pre-recorded message, verbal or written notification. The Commissioner did not accept that the subsequent calls received by the complainant were a continuation of the original incoming call where notification had been provided. The respondent claimed that it was relying on implied consent from the complainant when it collected personal information in subsequent outbound calls. The Commissioner reviewed the retail company's privacy policy and formed the view that it did not provide sufficient notification that the collection of information via call recording would occur. As the complainant was not notified that the retail company was recording outbound calls and, taking into consideration the company's other legal obligations, the Commissioner formed the view that the collection of personal information during such calls was unfair and unlawful. Subsequently, the retail company changed its procedures for recording calls. It implemented a procedure where a standard script is read by the relevant staff member when making outbound calls to advise the individual the call is being monitored and recorded for training purposes.

In Q and Financial Institution [2011] AICmrCN 11
The complainant's financial institution had taken an interest in a car as security for the complainant's loan. A prospective buyer later obtained a letter from the financial institution confirming that it had received funds to finalise the account and, subject to the clearance of these funds, it would release its security interest in the vehicle in ten working days. The letter did not contain details such as the complainant's name, address or date of birth. However, it did contain information about the status of the complainant's account with the financial institution, and specifically, that funds had been received to finalise the account and the financial institution's security interest in the car. The Commissioner formed the view that, in the circumstances, the prospective buyer could have reasonably ascertained that the details in the letter related to the complainant's account with the financial institution. On that basis, the information contained in the letter was personal information about the complainant and was therefore an unauthorised disclosure of personal information about the complainant to the prospective buyer. The financial institution immediately ceased its practice of sending such letters to third parties without the written consent of the account holder. In addition to its change in practice, it apologised and offered a goodwill payment.

In R and Credit Reporting Agency [2011] AICmrCN 12 the complainant became aware the credit reporting agency had linked their consumer credit information file with the credit files of other individuals. The complainant advised the credit reporting agency that they were not connected to the other individuals. The credit reporting agency advised that it had used information from a law enforcement agency notice. The Commissioner considered the law enforcement agency's notice was insufficient for the purposes of linking the complainant's credit file with those of other individuals. On this basis, the Commissioner formed the view that by the linking of the complainant's personal information to other individuals, the credit reporting agency had failed to take reasonable steps to ensure the information it contained in its records about the complainant was accurate and not misleading.The credit reporting agency agreed to remove the links to the other individuals from the complainant's credit file.

In S and Telecommunication Company [2011] AICmrCN 13 the complainant had attempted to access their personal information, held by a telecommunication company, which they believed included correspondence to a law enforcement agency. The Commissioner decided the telecommunication company was not obligated to reveal whether it possessed records from a law enforcement agency, as such actions would prejudice the law enforcement activities of the agency. The Commissioner considered if law enforcement processes were revealed to the complainant this would prejudice activities carried out by the enforcement body.

Print This Post Print This Post

Posted 9th January 2012 by David Jacobson in Financial Services, Insurance, Privacy