THE OFFICE OF THE PRIVACY COMMISSIONER

2006 - Complaint Case Note 8


Case Citation:

I v Retail Company [2006] PrivCmrA 8

Subject Heading:

Collection of sensitive information by a retail company for the purpose of loss prevention and the security of personal information and destruction of old records.

Law:

Section 16C(1) and National Privacy Principles 10.1, 4.1 and 4.2 in the Privacy Act 1988 (Cth)

Facts:

The complainant was accused of theft by a retail company. The complainant later became aware that information about the incident, including the fact that they had been charged, had been collected and recorded on a database maintained by the retail company. The database contained records of actual or suspected fraudulent activity, collected as a means of protecting the retail company’s assets.

The complainant wrote to the retail company some years after the incident claiming that as the information collected was sensitive information, it should only have been collected with their consent. The complainant also raised concerns about the security of the information recorded on the database, the period for which it would be retained, and requested that the information be destroyed.

Issues:

National Privacy Principle 10.1 prevents the collection of sensitive information by organisations unless an exception in National Privacy Principle 10.1(a)-(e) applies. Sensitive information is defined in section 6 of the Privacy Act to include ‘information or an opinion’ about an individual’s criminal record.

However, section 16C(1) of the Privacy Act states that National Privacy Principle 10 only applies in relation to the collection of information after the date of the commencement of the National Privacy Principles on 21 December 2001.

National Privacy Principle 4.1 requires organisations to take reasonable steps to protect the information they hold from misuse and loss and from unauthorised access, modification or disclosure. National Privacy Principle 4.2 requires that organisations take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed. National Privacy Principle 4.1 and National Privacy Principle 4.2 apply to personal information regardless of when it was collected.

Outcome:

The Commissioner investigated the matter and took the view that information stating that the complainant had been accused of and charged with theft constituted ‘information or an opinion’ about an individual’s criminal record and fell within the definition of sensitive information in the Privacy Act. The Commissioner noted, however, that the collection of this information occurred prior to the introduction of the National Privacy Principles on 21 December 2001, and therefore the collection of the complainant’s information in this instance was not subject to National Privacy Principle 10.

The Commissioner also considered whether the retail company had adequate measures in place to protect information contained on the database. The retail company reported that the database was only accessible to a small number of people within the company, that the database was password protected and that passwords were routinely changed as a security measure. The Commissioner was satisfied that the security measures in place to protect personal information in the database were consistent with National Privacy Principle 4.1.

The Commissioner also considered whether the length of time the respondent would retain the information about the complainant was consistent with National Privacy Principle 4.2. The retail company advised that it intended to upgrade the existing database, and was implementing a new policy in relation to the retention of the information in the database. It proposed that, with some exceptions, all such information would be permanently deleted from the existing database, and subsequently the upgraded database, after a retention period of five years. Additionally, the retail company stated that it had deleted the complainant’s information from the existing database in order to comply with its new policy. The Commissioner closed the complaint under section 41(2)(a) on the grounds that the retail company had adequately dealt with the complaint.

OFFICE OF THE PRIVACY COMMISSIONER
April 2006


