THE OFFICE OF THE PRIVACY COMMISSIONER

2007 - Complaint Case Note 6


Case Citation: 

D v Insurance Company [2007] PrivCmrA 6

Subject Heading:  

Improper disclosure of personal information; failure to take reasonable steps to ensure the personal information collected or disclosed was accurate, complete and up to date; failure to take reasonable steps to secure personal information from unauthorised access and disclosure.

Law:  

National Privacy Principle 2.1, National Privacy Principle 3 and National Privacy Principle 4.1 in Schedule 3 of the Privacy Act 1988 (Cth).

Facts:

The complainant had an account with an insurance company and, without their knowledge, their personal information was visible for two years on the accounts of a third party, whose accounts had been managed by a relative. The third party's relative advised the insurance company and asked them to attempt to remove the complainant's information. The insurance company refused to action the request on the basis that the individual was not the actual account holder as the personal information related to their relative.

When the matter came to the complainant's attention they contacted the insurance company regarding the disclosure of their personal information on the third party's accounts.  The complainant was also concerned about the accuracy and security of that information and the general privacy practices of the insurance company.  In response, the insurance company amended its records so that the complainant's personal information was no longer visible on the third party's accounts.  The insurance company also apologised for the inconvenience caused and for the length of time it took to resolve the issue, and offered the complainant an ex gratia payment of $750. 

The complainant was dissatisfied with this proposed resolution, claiming that the insurance company had not taken steps to ensure that their personal information would not be similarly disclosed in future. The complainant wanted the insurance company to amend its business practices to ensure that personal account information remained secure, accurate, and up to date. Additionally, the complainant was dissatisfied with the payment offered by the insurance company.

Issues:

National Privacy Principle 2.1 provides that personal information collected for a primary purpose may only be used or disclosed for a secondary purpose if one of a number of exceptions in National Privacy Principle 2.1(a)-(h) applies.

National Privacy Principle 3 provides that an organisation must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date.

National Privacy Principle 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Outcome:

The Privacy Commissioner treated the complainant's letter as a complaint under section 36 of the Privacy Act and conducted preliminary enquiries under section 42 of the Privacy Act.  The Commissioner also referred the complaint to the insurance company in order for it to further consider the issues raised by the complainant before the commencement of a formal investigation.

Subsequent to the referral of the complaint, the insurance company advised the complainant that staff members involved had been counselled and that a notice had been circulated to all call centres and branches reminding staff of their obligations under the Privacy Act. The insurance company also noted that it requested account holders to notify it of any changes or errors in their personal information and advised that it would consider suggestions made by the complainant to further ensure this information was up to date, accurate and complete. The insurance company also offered an apology to the complainant and an ex gratia payment of $1250 in full settlement of the case. The complainant accepted the apology and payment of $1250.

The Commissioner closed the complaint under section 41(2)(a) of the Privacy Act on the grounds that the complaint had been adequately dealt with by the respondent. 

OFFICE OF THE PRIVACY COMMISSIONER

April 2007


