This article summarises three recent cases that were considered by the Privacy Commissioner.
- F v Insurance Company  PrivCmrA 8,
- I v Insurance Company  PrivCmrA 11, and
- M v Health Service Provider  PrivCmrA 15.
F v Insurance Company  PrivCmrA 8
Implications of the case
Care should be taken to ensure that any disclosure of personal information by organisations accords with the notice that has been given to individuals, especially where the individual has authorised the organisation to disclose their information to specific third parties.
Following the death of their de facto partner, the complainant lodged a compensation claim against the deceased person’s insurance policy. The insurance company required the complainant to provide personal information relating to the complainant and the deceased. The complainant also gave the insurance company authority to obtain information and documents in relation to the claim from a number of specified parties, including the employer or accountant of the deceased.
In processing the claim, the insurance company telephoned the business, formerly owned by the deceased, and spoke to an employee of the business. It was alleged that during this telephone conversation, the insurance company questioned the employee about the relationship between the complainant and the deceased and disclosed the fact that the complainant was claiming compensation in relation to the death of their partner.
The complainant alleged that, as a result of this improper disclosure of their personal information to third parties in the community, they experienced familial and financial difficulties.
The issues for consideration in this case were:
- whether the complainant had been made aware of the purpose for which their personal information would be collected; and
- whether the insurance company could rely on any exception in National Privacy Principle (NPP) 2.1 for the disclosure of personal information about the complainant.
The Commissioner held the view that the claim form, containing the authorisation to contact specific parties for further information, did not provide sufficient advice to the complainant that information would be collected from the employee. Thus, obtaining information from this source was beyond the scope of the authorisation. On that basis, the Commissioner found that the insurance company did not comply with the requirements of National Privacy Principles (NPPs) 1.3 and 1.5.
In relation to the disclosure of information to the employee, the Commissioner accepted that the disclosure was related to the primary purpose of collection. The Commissioner assessed whether the insurance company could rely on the exceptions listed in NPP 2.1 when disclosing the complainant’s personal information.
The Commissioner noted that:
- the complainant had not given consent;
- the insurance company did not provide the complainant with any notice that their personal information would be disclosed to the business formerly owned by the deceased; and
- the claim form did not give any indication that the complainant’s personal information would be disclosed to the employee.
The Commissioner found that the disclosure was not within the complainant’s reasonable expectations and there were no other exceptions under NPP 2 on which the company could rely. The matter was resolved by conciliation.
I v Insurance Company  PrivCmrA 11
Implications of the case
Computer systems must be updated so they are capable of keeping records in accordance with the Privacy Act. Failure to update computer systems may constitute a breach of National Privacy Principle (NPP) 4.1.
The complainant and their then spouse held a joint account with an insurance company. Following a divorce, the complainant sought to have their name removed from the joint account. The removal did not happen, which allowed the complainant’s former spouse access to information including the complainant’s new home address. Subsequently, a complaint was lodged with the Privacy Commissioner.
The insurer conducted an internal search and found that although a new membership had been set up at the complainant’s request, the existing computer system allowed a hidden link to still exist between the new membership and the former joint membership. The insurer blamed its ‘archaic’ computer system.
The Commissioner formed the view that by failing to fully upgrade their computer system to eliminate inappropriately linked files, the insurer had failed to take reasonable steps to properly protect the complainant’s personal information, and it had therefore breached NPP 4.1.
The insurer apologised, took steps to rectify their system, offered a substantial sum of compensation and provided the complainant with three years’ worth of free services.
M v Health Service Provider  PrivCmrA 15
Implications of the case
Organisations that regularly collect personal information should assess whether all the information that they collect is necessary. For example, is it necessary to the organisation's function to collect details about a person's marital status or their profession?
The complainant visited a doctor, who took a digital photograph of the complainant for their medical file. The complainant viewed this as an unnecessary collection of their personal information. The complainant raised the issue directly with the doctor but the matter was not resolved. The complainant subsequently complained to the Privacy Commissioner.
The Commissioner took the view that the doctor breached NPP 1.1 by unnecessarily collecting the complainant’s digital photograph for inclusion in the patient database.
In the course of the investigation, the doctor and the complainant disagreed on whether consent had been given for the photograph to be taken, which made it difficult to determine whether NPP 10.1(a) (which states that sensitive information may be collected with the individual’s consent) could be relied upon.
As a result of the complaint, the doctor removed the digital photograph from the medical practice’s records and has discontinued the practice of taking photographs for patient files.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.