2008 - Complaint Case Note 13
View printable version of this page
Case Citation:
M v Commonwealth Agency [2008] PrivCmrA 13
Subject Heading:
Unauthorised access and improper disclosure of personal information.
Law:
Information Privacy Principles 4 and 11 in Part III Division 2 of the
Privacy Act 1988 (Cth).
Facts:
During ongoing communications with the agency, the complainant began to
suspect that an employee of the agency might be improperly disclosing their
personal information to unauthorised third parties. The complainant raised their
concerns with the respondent agency on several occasions, however the
complainant felt that the agency had disregarded them.
Later, the complainant advised the agency that they were planning to start a
retail business. A short time later, a friend invited the complainant to a party
and whilst there, inquired if the complainant was planning to start a business.
The complainant believed that their friend was working for the respondent agency
at that time.
The complainant felt that the respondent agency had not taken adequate steps
to protect their personal information from unauthorised access or disclosure,
and made a complaint to the Privacy Commissioner.
Issues:
Information Privacy Principle 4(a) obliges an agency to protect the personal
information it holds in a record with such security safeguards as are reasonable
in the circumstances to protect against loss, unauthorised access, use,
modification or disclosure and against other misuse.
Information Privacy Principle 11 prohibits an agency from disclosing personal
information to third parties unless certain circumstances exist, such as where
an individual has consented to the disclosure or where the disclosure is
required or authorised under law.
Outcome:
The Commissioner conducted preliminary enquiries into the matter under
section 42 of the Privacy Act in order to establish whether to investigate the
matter.
The respondent agency examined its records and advised the Commissioner that
the only information recorded about the complainant’s intention to start a
retail business was recorded a year after the complainant had alleged the
information was disclosed.
Furthermore, the employee of the agency that the complainant alleged had
inappropriately accessed and then disclosed their personal information had
resigned from the agency the previous year.
The agency also had in place audit trails for the records it held. It
examined the audit trail relating to the personal information it held about the
complainant and advised the Commissioner there was no indication that the
complainant’s friend, or any other employee of the agency, had accessed the
complainant’s record inappropriately.
The complainant was unable to provide further information that demonstrated
that the respondent agency had held in a record information about the
complainant’s intention to start a retail business, at or around the time of the
alleged disclosure. Neither was the complainant able to substantiate their claim
that an employee of the agency had accessed their personal information
inappropriately.
In the absence of any evidence to the contrary, the Commissioner considered
that it was unlikely that the source of the alleged disclosures was the personal
information that the agency held about the complainant.
The Commissioner decided not to investigate the matter further under section
41(1)(a) of the Privacy Act as she was satisfied that there was no interference
with the privacy of the individual.
OFFICE OF THE PRIVACY COMMISSIONER
June 2008
|
HOME > Federal Privacy Law > 2008 - Complaint Case Note 13
