Privacy case note #4, 2021: Employee of agency accesses personal information of multiple family members without authority to do so
Multiple members of the same family complained that an employee of the agency had accessed their personal information without reason to do so. The agency reviewed audit logs of their records, which confirmed the complainants’ allegations. Immediately after the agency interviewed the employee about the alleged breach of privacy, the employee left the agency.
This matter raised issues under Information Privacy Principle (IPP) 4 – an agency must protect personal information against unauthorised access, use and any other misuse, and must include appropriate security protections.
One of the complainants’ requested outcomes included the agency pursuing the employee for the privacy breach. OIC reiterated to the family that the privacy jurisdiction did not have the capacity for either them or the agency to pursue a privacy complaint against the now ex-employee, nor did the jurisdiction’s remedial nature allow punitive measures to be taken against the employee.
OIC advised the family that while it is invariably individuals who breach the privacy of other individuals, the IP Act states that the employing agency is liable for the actions of its employees.
The agency offered letters of apology to all complainants and advised it would introduce a mandatory training module for staff regarding their privacy obligations. The agency further advised that steps would be taken to restrict access to only those staff who have a professional reason to access personal information.
While the complainants continued to pursue financial compensation for ‘emotional distress and impact on family relationships’, the agency considered that it had responded appropriately and within its remit. The complaint was not resolved.