Traps for the unwary: concerns that privacy could be used to harass organisations based on an unrealistic perception of an individuals rights to privacy
The Federal Privacy Commissioner has recently released several case notes dealing with privacy complaints and enforcement proceedings against private organisations and government agencies.
The case notes highlight the concern that individuals will use privacy to harass organisations based on an unrealistic perception of their rights to privacy. We think it is unfortunate that some of these cases were considered by the Commissioner given the triviality of the complaint or the clear lack of any infringement of the Privacy Act.
The lesson from some of these cases is that if your organisation handles personal information, you should be very cautious about disclosing it to any party even in circumstances where it seems harmless and is consistent with past practice. A failure to do so may result in the unnecessary cost and inconvenience of the matter being referred to the Commissioner.
Case 1: Hotel chain privacy matter
A person was mistakenly sent garments which did not belong to them by a hotel where they had stayed. The person returned the garments to the hotel. It appears that the mistake arose as the person and the owner of the garments had the same name.
The hotel disclosed the person's contact details to the owner of the garments, who subsequently sent a letter to the individual. It was found that the hotel had interfered with the person's privacy and the matter was settled by the hotel providing the person with one night's complimentary accommodation and an apology.
In this matter, presumably the owner simply wanted to contact the person to thank them for returning the garments. We do not believe that this is the type of case which warrants the attention of the Commissioner. However, in future, the preferred course of action in these circumstances would be for the owner to send their letter to the hotel for them to forward to the person.
Case 2: Health service provider privacy matter
A person wrote to a relative's employer to express concern as to the relative's health. The employer provided a copy of their letter to the relative's health service provider. In turn, the provider notified the relative of the nature of the letter, and also disclosed the person's name and occupation.
The person claimed that as a direct result of these actions, they had experienced difficulties and been harassed by their relative.
The provider admitted that it had improperly disclosed the person's personal information to their relative and the matter was settled by a written apology from the provider. The disclosure from the employer to the provider was not able to be investigated by the Commissioner as the employer was a state authority and not covered by the federal Privacy Act.
Case 3: Insurance company discloses contact details
A policyholder submitted a claim in relation to a car accident with their insurance company. The claim documentation included the policyholder's contact details.
The insurance company disclosed those contact details to the third party involved in the accident, who subsequently telephoned the policyholder to discuss the claim.
It was found that the insurance company had inadvertently disclosed the policyholder's contact details to the third party. A written apology and a settlement amount was provided to the policyholder.
Case 4: Former government employee's records accessed
In this case, an employee of a government agency accessed the personal records of a former employee to determine where that person was living. The former employee subsequently changed their name and place of residence, and argued that they feared for their safety.
The Commissioner found that the access to the records was unauthorised and that the agency had failed to take reasonable steps to protect the former employee's personal information.
The employee who accessed the records was terminated, the agency adopted additional protection measures, and the matter was settled confidentially.
Case 5: Medical records and personal information
In this case, pre-surgical notes which were prepared by a private clinic were misplaced. The client argued that the clinic had failed to take adequate steps to protect their personal information.
The notes were taken on a single A4 sheet of paper which was separate from the rest of the person's medical file. The clinic claimed that the doctor did not record any details on the sheet which would have identified the patient (such as their name or address).
The Commissioner found that there was insufficient evidence to confirm that there was personal information on the sheet, and held that there was no interference with the person's privacy.
It is important to note that the misplacing of a document alone does not mean that the clinic has breached its obligation under the Privacy Act to take reasonable steps to protect the personal information it holds from misuse and unauthorised access.
Case 6: Private school argues privacy issue
A former student of a private school requested access to their personal information held by the school. The individual had previously been asked to leave the school as a result of an internal investigation.
The school provided access to reports and relevant correspondence, but refused access to other records relating to the investigation. The school argued that providing those records would have an unreasonable impact on the privacy of other individuals and was concerned that there may be reprisals against those individuals.
The Commissioner reviewed the records which were not disclosed. It was found that the school was entitled to rely upon the belief that disclosure would have had an unreasonable impact on the privacy of other individuals. This was held to be the case even if the individuals' names were suppressed.
It should be noted that the school was not exempt from the application of the Privacy Act, as it had an annual turnover of more than $3 million.
Case 7: Financial institutions and AUSTRAC in privacy issue
Two financial institutions provided information to AUSTRAC in respect of a significant cash deposit and cash withdrawal. The information included the relevant person's name, address, date of birth and occupation. In the report provided by one financial institution, the person's occupation was incorrect.
It was held that there was no interference with the person's privacy, as both financial institutions were required by law to disclose the information to AUSTRAC. In relation to the incorrect information, the relevant financial institution issued an apology and corrected its records.
This is a case where we fail to understand why the Commissioner allowed the complaint to proceed, given that this type of disclosure was required by law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.