Traps for the unwary
The Federal Privacy Commissioner has released several case notes dealing with complaints received by the Commissioner and other investigations concerning private organisations and government agencies.
These case notes follow on from the publication last August of the Australian Law Reform Commission's final report on privacy, which recommended sweeping changes to Australia's privacy regime (refer to our previous e-alert).
The lesson from some of these cases is that merely having a procedure for dealing with privacy issues and handling personal information will often not be sufficient to meet an organisation's privacy obligations. A failure to regularly review those policies and procedures, and even apparent one-off breaches of privacy, may result in the unnecessary cost and inconvenience of the matter being referred to the Commissioner.
Case 1: Mistaken address
A person provided a government agency with an application form which included the address of the person's former spouse. The agency then mistakenly sent mail intended to be sent to the person to the former spouse's address. As a result of this mistake, legal action followed between the person and their former spouse in relation to the information which was revealed.
The person complained directly to the agency and in response, the agency offered to reimburse part of the person's legal fees. The person then complained to the Commissioner. The matter was subsequently resolved by conciliation and a confidential settlement. The settlement moneys included the amount of the reimbursement offer and also a further amount on account of emotional distress. The agency also issued an apology.
This case illustrates that even an inadvertent breach of privacy such as mistakenly addressing mail may have serious consequences for an organisation and is a reminder of the importance of maintaining appropriate procedures for handling personal information.
Case 2: Community centre surveillance
The separated parents of two children used private rooms at a community centre for the purpose of transferring custody of their children from one parent to another. The rooms were subject to video surveillance.
One of the parents claimed that they were not aware that video surveillance was conducted at the centre. The Commissioner investigated and found that there was no breach of privacy as the parent had signed a document which stated that video surveillance was used in the centre, large signs were displayed in the centre which also referred to the surveillance, and that upon request the parent was given a CD with surveillance footage in which the parent appeared.
Case 3: Sending documents by normal post
A person requested that a medical service provider arrange for the person's medical records and x-rays to be forwarded to another provider. Copies of the medical records and the original x-rays were sent in an envelope by normal post. The provider sending the documents also contacted the other provider to confirm that it had received the documents. The person claimed that the provider had not taken reasonable steps to protect their information by sending the documents using normal post.
The Commissioner agreed with the person's claim. In doing so, particular emphasis was placed on the fact that the information was "sensitive information", the potential loss that the person would suffer if the original x-rays were lost and the relatively insignificant cost of using an alternative method to send the documents.
In this case, there was no suggestion that the documents were actually lost in the mail and presumably the complainant had simply expressed their concern that the documents were transmitted by post. The case suggests that in the Commissioner's view, procedures which would appear to be satisfactory for most documents may still not qualify as "reasonable steps" where sensitive information is involved.
Case 4: Health records
A person made an appointment at a clinic and completed the usual form with details as to the person's contact information, Medicare number and medical history. Prior to receiving any treatment at the clinic, the person decided not to proceed and requested that their personal information be destroyed. The clinic refused on the basis that it had obligations under law to retain the person's information.
It was found by the Commissioner that although no actual services had been provided, the person was a patient of the clinic. As a result, the personal information was a medical record and the Commissioner agreed that the clinic was obliged to retain the information under law for at least 7 years.
Case 5: Disclosure of health information to newspaper
During a newspaper interview, a health service provider disclosed information about a particular patient's medical history. The name of the patient was not mentioned by the provider.
The patient resided in a remote location and complained to the Commissioner that in light of the small community in which they resided, they could be easily identified by the information which appeared in the newspaper. The provider agreed that this may have been the case and agreed to pay financial compensation without any formal investigation by the Commissioner.
This case demonstrates the importance of considering a person's individual circumstances prior to revealing any information about them (even if it is not strictly personal information) to avoid unwittingly breaching privacy obligations as occurred in this case.
Case 6: TV purchase
A person purchased various gifts as a surprise for their partner from a "home shopping" retailer which advertised the products on television. Subsequently, the partner called the retailer to purchase items and was told that the person had already purchased some gifts. The retailer also mentioned which gifts were purchased.
The person complained to the retailer and then to the Commissioner. In response, the retailer undertook to monitor calls received, reminded its staff as to the retailer's privacy obligations, apologised to the person and gave a substantial discount on the gifts.
Case 7: Failure to give notice of purpose
An organisation managed certain premises on behalf of a government agency. The organisation required all persons to provide personal information prior to allowing entry to the premises.
A person who entered the premises claimed that they were not informed of the purpose for which the information was being collected. The Commissioner investigated and found that it was necessary for the organisation to collect personal information as part of their role in maintaining the security of the premises.
However, the Commissioner also found that the organisation had breached its privacy obligations by failing to take reasonable steps to provide adequate notice as to the purpose for which the personal information was being collected.
In response, the organisation agreed to include a notice on the standard visitor application form explaining the purpose of collecting the information (being to improve the care of clients and to investigate any incidents involving visitors) and advising that personal information would be treated confidentially. They also agreed to display the notice in several languages.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.