2005 - Complaint Case Note 7

Case Citation:
J v Superannuation Provider [2005] PrivCmrA 7

Subject Heading:
Improper disclosure of personal information and failure to take reasonable steps to protect, and correct personal information.

Law:
National Privacy Principles 2, 4.1 and 6.5 of the Privacy Act 1988 (Cth).

Facts:
The complainant was pursuing a claim against his superannuation provider for total and permanent disability entitlements. He alleged that records relating to his claim were found on a public thoroughfare. The records included reports about covert surveillance undertaken by the superannuation provider as part of the claim assessment. The complainant also alleged that:

  • the documents included incorrect information about him, including the fact that he had visited two addresses which he claims he did not visit;
  • he was described in those documents in a manner which he found offensive; and
  • information about him was disclosed to his neighbours.

Issues:

National Privacy Principle 2

National Privacy Principle 2.1 provides that if an organisation collects personal information for one purpose it can only use or disclose it for a new purpose in limited circumstances. In particular, National Privacy Principle 2.1(a) says that the organisation can use or disclose the information for a secondary purpose only if (i) the secondary purpose is related to the primary purpose and (ii) the individual concerned would reasonably expect the organisation to use or disclose the information for the secondary purpose.

The superannuation provider responded to the disclosure allegation by providing a statement from the company which conducted covert surveillance stating that personal information about the complainant was not disclosed to his neighbours or any other person whilst the surveillance was being conducted.

In the absence of any evidence to the contrary the Commissioner formed the view that, on the balance of probabilities, the superannuation provider had not breached National Privacy Principle 2.1.

National Privacy Principle 4.1

National Privacy Principle 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

The Commissioner's investigation into the allegation that records of personal information about the complainant had been found in a public thoroughfare revealed that:

  • the complainant's detailed reference to internal documents which the superannuation provider held about him indicated that he had access to those documents;
  • the records appeared to be records couriered, on the date in question, to the superannuation provider's Board Members in preparation for a Board Meeting; and
  • delivery records from the courier company showed that deliveries were made and that the packages were either signed for on delivery or left in the letterbox.

The superannuation provider advised that there is no individual service agreement in place between it and the courier company. This meant that the usual conditions of carriage applied whereby the courier company would be taken to have delivered the goods if it obtained a receipt or signed delivery docket for the goods from any person at the nominated address.

The Commissioner found that the superannuation provider failed to take reasonable steps to protect the complainant's personal information from unauthorised misuse and loss and from unauthorised access, modification or disclosure. For these reasons, the Commissioner decided that the superannuation provider had breached National Privacy Principle 4.1.

National Privacy Principle 6.5

National Privacy Principle 6.5 provides that if an organisation holds personal information about an individual and that individual is able to establish that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up-to-date.

The complainant alleged that the covert surveillance records about him contained inaccurate and offensive information.

The superannuation provider agreed that its records should be amended and provided a copy of a file note accepting the complainant's advice that he had not visited two addresses noted in the covert surveillance report, and noting that all references to his appearance which he found offensive had been deleted and such references should never be made again. The superannuation provider advised that the file note would remain on the complainant's file until his file is destroyed.

Outcome:
The Commissioner found the superannuation provider had not breached National Privacy Principle 2.1. The Commissioner found the superannuation provider had breached National Privacy Principle 6.5 but decided not to investigate this aspect of the complaint further on the grounds that the superannuation provider had dealt adequately with the matter.

The Commissioner found there was a breach of National Privacy Principle 4.1 and then moved to conciliate a resolution of the matter. The parties agreed to resolution that included a formal written apology and a payment of compensation of $3500 for loss or damage including legal expenses and hurt and embarrassment. The superannuation provider also advised the Commissioner that it had changed its distribution policy to require that in future all couriered documents be signed for personally. The Commissioner then decided under section 41(2)(a) of the Act to cease investigation of the complaint on the grounds that the superannuation provider had dealt adequately with the matter.

OFFICE OF THE PRIVACY COMMISSIONER
February 2005

Return