The Federal Privacy Commissioner has released several further case notes dealing with complaints received by the Commissioner and other investigations concerning private organisations and government agencies.

Case 1: Access to medical records

Case 2: Use of employee records

Case 3: Release of information by government agency

Case 4: Credit default – car loan

Case 5: Credit default – advertising fee

Case 6: Breach of security of medical information

Case 1: Access to medical records

A person requested that their medical practitioner provide them with a copy of their medical records. After receiving no response, the person made a second request and also asked for the original of a specialist medical report (which they had given to the practitioner) to be returned on the basis that it had been unnecessarily retained by the practitioner.

The practitioner responded by offering the person the opportunity to view but not copy their medical record, including the specialist report, and also offered to explain the content of the person's medical record. However, the practitioner refused to provide a copy of the person's medical record or to return the original specialist report.

The Commissioner found that allowing the person an opportunity to view their records was sufficient to satisfy the practitioner's privacy obligations. The Commissioner also had no objection to the practitioner retaining the original report, on the basis that the report was relevant to the person's treatment and the person had consented to its collection.

This case indicates that where an individual has requested a certain type of access to their personal information (in this case, taking a copy), providing a different form of access may be acceptable. It also suggests that organisations may be allowed to refuse to return original documents, although the reasoning behind the Commissioner's approach is not entirely clear in this case given that presumably a copy of the report could have been retained by the practitioner.

Case 2: Use of employee records

An organisation was owed money by an individual. The organisation subsequently contacted the individual's former employer to obtain their address and other information as to their whereabouts. In response, the former employer disclosed the individual's address, financial details and other personal information.

The Commissioner investigated and the former employer claimed in its defence that the employment records exemption under section 7(B) of the Privacy Act applied. This section exempts an organisation's actions relating to employee records provided that they directly relate to (1) a current or former employment relationship; and (2) an employee record held by the organisation relating to the individual.

The Commissioner concluded that while the information was held in an employment record, its disclosure to the organisation did not directly relate to a current or former employment relationship. As such, the former employer had breached its privacy obligations. The former employer apologised and implemented privacy training for its employees.

This case is a warning to all employers who might seek to rely on the employee records exemption when disclosing personal information of their employees or former employees. The Privacy Act does not exempt all actions relating to employee records and organisations should seek advice if they are unsure of whether the exemption will apply.

Case 3: Release of information by government agency

A person applied to a Commonwealth government agency for a change to the benefit which they were receiving from the agency. The application was refused and the person lodged a complaint with an appropriate tribunal to appeal the agency's decision.

The agency provided certain documents, including personal information, to the tribunal prior to the hearing. The person claimed that the disclosure of the information was unnecessary and asked the Commissioner to investigate.

The investigation found that the tribunal had issued a legally valid notice instructing the agency to produce documents which the agency considered to be relevant. The Commissioner concluded that the agency had satisfactorily met its privacy obligations as it was required by law to respond to the notice, and it had provided the tribunal with relevant information only. This case reinforces the view that disclosing information as and when required by law will generally be permissible.

Case 4: Credit default – car loan

A person had entered into a loan agreement for the purchase of a vehicle. The repayments were made by direct debit. Before the loan was repaid, the direct debit ceased and the account was in arrears. The finance company subsequently listed the default on the person's consumer credit file. The person alleged that they had received no prior notice from the finance company and that they were unaware that their account was in arrears until they viewed their credit file.

The Commissioner investigated and found that while the finance company had written to the individual, the address which it had used was incomplete and it was unlikely that the person had actually received the letters.

The matter was resolved after the finance company and the credit reference agency acted to remove the default listing from the person's consumer credit file.

Case 5: Credit default – advertising fee

A person advertised goods for sale which were related to the person's former business. The advertiser subsequently contacted the person to enquire whether they were interested in re-advertising the goods for sale. The person alleged that they declined to re-advertise the goods.

However, the goods were re-advertised and the person received an invoice from the advertiser. The person refused to pay the invoice and the advertiser then listed the default on the person's consumer credit file.

The Commissioner held that the consumer credit provisions in the Privacy Act applied as the goods for sale were personal belongings and there was deferred payment of the advertising fees. The Commissioner concluded that notwithstanding the person's claim, the person had in fact agreed over the phone to pay for the re-advertisement of the goods and that the advertiser was entitled to list the person's payment default on their consumer credit file.

While there was no breach of privacy in this case, it is a reminder for organisations which give credit to individuals in their personal capacity that they need to be aware of their consumer credit obligations under the Privacy Act.

Case 6: Breach of security of medical information

Various medical documents – including prescriptions, pathology results and documents containing patients' names, addresses and phone numbers – were found in a park which was adjacent to a medical centre.

The Commissioner commenced her own investigation into the matter. The investigation revealed that the documents had originally been placed in a locked medical waste bin outside the centre. The lock on the bin had been broken, which led to the documents being found in the park.

The medical centre had earlier commenced its own investigation and co-operated with the Commissioner. The centre agreed to make a number of changes to its security procedure, including moving the waste bin inside the centre, fitting a new lock on the bin, instituting new policies and training for the handling and destruction of personal information and obtaining a shredder. Significantly, the centre also undertook to inform all of its patients of the breach of security and the proposed security changes. The Commissioner was satisfied with these actions and concluded her investigation.

An obligation to notify individuals where there has been a breach of data security is one of the key recommendations of the Australian Law Reform Commission's final report on privacy (refer to our e-alert in August 2008). While those recommendations have not yet become law, this case illustrates how some of those recommendations are already being incorporated into the Commissioner's approach and gives an indication of what can be expected in the future.
