Privacy Case Note 01-2016 (Information Privacy Principle 11 – Disclosure of personal information)

Case note number: 01-2016

Privacy principles: Information Privacy Principle 11 – Disclosure of personal information

The complaint

The Complainant was a current customer of an agency.  Personal information which included their address, date of birth and driver licence number, was held by the agency in its customer database, together with details of the customer’s account history with the agency.

The Complainant became aware that their personal information had been disclosed to a third party after the third party contacted them advising of their receipt of the Complainant’s information in correspondence sent to them by the Respondent Agency.  The Complainant first complained to the Respondent Agency and brought their complaint to the Office of the Information Commissioner (OIC) after 45 business days had passed and they had not received a response from the Respondent Agency.

The alleged breach of the privacy principles

OIC contacted the Respondent Agency to advise that the Complainant had brought their complaint to us.  The Respondent Agency investigated the complaint and found that the Complainant’s user account had been administratively merged with the third party on the basis that they had the same first name, surname and date of birth.  This had resulted in the third party receiving the Complainant’s personal information.

The Respondent Agency promptly acknowledged that human error had led to the merging of similar but separate accounts, and the subsequent disclosure of the Complainant’s personal information to the third party. The Respondent Agency also acknowledged that none of the permitted exemptions in Information Privacy Principle 11 could be applied to this action.

The mediation process

The Respondent Agency immediately took steps to both separate the accounts and to remedy the damage that the Complainant had suffered as a result of their actions.  Among a range of remedial actions taken by the Respondent Agency in response to the complaint was an apology.

The following is an excerpt from the written apology that was provided to the Complainant:

I confirm that due to an error by [agency], your personal information was inadvertently disclosed to a third party.  This caused you some embarrassment and created genuine concern for you about future risks regarding the misuse of your identity.  As a result you took positive steps to resolve the matter, and suffered some inconvenience as a result.

On behalf of [agency] I sincerely apologise for the error and the inconvenience it has caused you.  Although the error was inadvertent, [agency] takes its privacy obligations very seriously and any release of personal information is not acceptable.  Accordingly [agency] has taken active steps to address this issue and reduce the risk of this type of error recurring, by reviewing procedures and providing feedback and training to staff.

In OIC’s experience, an apology can be a significant step to resolving a privacy complaint if the apology is unqualified.  An appropriate apology is often the main outcome sought by a complainant and may greatly assist to maintain or restore a relationship, which is particularly important where there will be ongoing interactions between a complainant and an agency.

The key points in this apology include:

  • The agency takes responsibility for its actions and does not try to shift any measure of blame onto the complainant.  In particular, it avoids using qualifiers such as ‘if’ and ‘but’.1
  • It explains what led to the action but it does not offer this as an excuse for it.
  • It shows that the agency understands what injury, loss or damages were suffered by the Complainant as a result of its actions.
  • It tells the complainant what steps it has taken to prevent any repeat of their actions.

In this complaint, the apology was one of a number of remedial actions which resolved the matter for the Complainant.

1 For example, a phrase such as ‘I am sorry if you felt that your privacy was breached’ can prompt a complainant to question the sincerity of the apology and often make the situation worse.