This article summarises three recent cases that came before the Privacy Commissioner late last year and recent news from the Office of the Privacy Commissioner.

Y v Ticketing Company [2007] PrivCmrA 27

This complaint arose following the purchase of tickets by the complainant using their credit card. The complainant considered that the receipt issued by the ticketing company, which disclosed their personal details including their name, credit card number and expiry date, compromised the security of their information. The complainant was concerned that if a third party obtained the receipt it could use the details to make a purchase.

The Privacy Commissioner opened a formal investigation focusing on whether the respondent had taken reasonable steps to protect the personal information it held from misuse and loss, and from unauthorised access, modification or disclosure (NPP 4.1).

The ticketing company argued that the practice of issuing detailed receipts was common in a number of industries and was intended to guard against fraud rather than to facilitate it. The company noted that its credit card transactions were processed using a bank-provided merchant EFTPOS facility, and that this facility was responsible for printing the details on the receipt.

The Commissioner concluded that the ticketing company had not failed to comply with NPP 4.1, as its practice was to provide receipts only to the credit card holder and the merchant copy of the receipt was kept secure, so that there was little risk that a third party could obtain the details. The Commissioner also considered that the EFTPOS facility provider was primarily responsible for the receipt details and, on the above bases, decided not to investigate the matter further under section 41(1)(a) of the Privacy Act.

A copy of the case note can be found here.

X v Transport Company [2007] PrivCmrA 26

The complaint arose because a manager of the transport company had disclosed to employees that one employee had failed their medical examination. However, the manager did not identify the complainant or the reasons why the person had failed the assessment. Some employees believed that the person who had not passed the medical assessment was the complainant.

The Privacy Commissioner investigated whether there was an improper disclosure of personal information relating to a medical assessment in breach of NPP 2.1. On the facts presented, the Privacy Commissioner was not satisfied that the information disclosed by the transport company was sufficient to make it likely that the workers could identify the complainant as the individual who had not passed the medical assessment. Therefore, on the balance of probabilities, the transport company did not breach NPP 2.1.

Although the Commissioner did not have enough evidence to determine whether the transport company had breached NPP 4.1, the Commissioner advised the transport company to adopt additional security measures to minimise the possibility that any such incidents may occur in the future.

A copy of the case note can be found here.

W v Telecommunications Company [2007] PrivCmrA 25

The complaint arose because, after an agreement to upgrade to a separate fax line, the complainant's address appeared in electronic and hard copy directories with a listing for their new fax number, when they had previously paid the telecommunications company to have their address suppressed on listing their original combined fax and phone number. The complainant was not satisfied with the company's offer of compensation.

The Commissioner concluded that the complainant's customer record would have shown that they had previously sought, and for a fee had been provided with, a service that suppressed their residential address from publication in relation to their combined number. Therefore the complainant could not have reasonably expected, when upgrading their fax line to a full service second phone line, that their address would be disclosed in the manner it was. This failed the reasonable expectations test in NPP 2.1(a), which allows disclosure of personal information for a secondary purpose if the individual would reasonably expect the information to be used or disclosed for that secondary purpose. No other exceptions applied. The Commissioner found the company had breached NPP 2.1.

The Commissioner noted that the company had in place a number of policies and mechanisms for the proper collection and use of data and that the disclosure of the complainant's address and fax number had occurred as the result of 'an uncommon combination of events'. However, as the company did not take timely action to correct the error once it was informed of it, the Commissioner found the company had failed to fulfil the requirements of NPP 6.5, which requires an organisation, upon receiving notification from an individual, to take reasonable steps to keep information accurate, complete and up-to-date. A settlement was agreed to by the parties.

A copy of the case note can be found here.

In more recent news, the Privacy Commissioner has issued a series of new Information Sheets and FAQs for private healthcare providers. A copy of the Commissioner's media release can be found here.

The Privacy Commissioner has also recently issued revised guidelines in relation to the handling of claims information collected under the Medicare and Pharmaceutical Benefits programs. These guidelines come into effect on 1 July 2008 and replace the existing guidelines.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.