Privacy Case Note 04-2011 (Information Privacy Principle 4, 10 & 11)
Case note number: 04/2011
Privacy principles: Information Privacy Principle 4 – an agency must protect personal information against unauthorised access, use and any other misuse, and must include appropriate security protections; Information Privacy Principle 10 – use of personal information for a purpose other than that for which it was collected; Information Privacy Principle 11 – disclosure of personal information to a person other than the individual it is about.
The Complainant wrote to the Respondent Agency on 27 April 2010 after receiving a number of harassing and intimidating telephone calls from ‘anonymous’ persons. The Complainant believed they had been made by a person associated with the Complainant’s estranged spouse who was employed by the Respondent Agency. The complaint alleged that the Complainant’s estranged spouse had accessed the Respondent Agency’s databases to obtain the Complainant’s telephone numbers and home address which the Complainant suspected had been disseminated to other persons.
The Respondent Agency conducted an audit of its database on 28 April 2010 and confirmed that the Complainant’s personal information had been accessed without authorisation on several occasions. The Respondent Agency replied to the complaint on 25 June advising the Complainant of its findings and requesting further time to conduct the investigation. At no time did the Respondent Agency offer an apology for what had occurred or acknowledge that the Complainant had been negatively impacted by the privacy breach.
On 14 July the Respondent Agency advised that, due to the complex nature of the investigation, the Departmental investigator had not finalised his investigations and advised that the Complainant had a right to bring the complaint to the OIC.
The complaint satisfied all the criteria in section 166 and was about an action that took place after the right to complain had commenced. The Privacy Commissioner accepted the complaint and advised the Complainant and the Respondent Agency on 4 August 2010 that the complaint would be mediated.
The alleged breach of the privacy principles
Based on the Respondent Agency’s correspondence with the Complainant it appeared to have breached Information Privacy Principles 4 and 10 when the Complainant’s personal details were accessed without authorisation and used for a purpose that was not permitted. Whether those details were disclosed to a third party in breach of Information Privacy Principle 11 was not clear.
The complaint process
The Complainant advised the OIC that he was suffering from stress and depression as a result of the harassment which necessitated medication; this had been exacerbated by the Respondent Agency’s handling of the complaint, lack of communication and overall laggardness.
At all times the Complaint emphasised to the OIC that the desired outcome was:
- an apology made on the Respondent Agency’s behalf
- an acknowledgement of the effect the matter had had on the Complainant
- an expression of the seriousness with which the Respondent Agency was taking the matter
- indication or comment on steps the Respondent Agency would take to ensure this did not happen to anyone else
- an undertaking that the Respondent Agency would inform the Complainant when the investigation was completed. The Complainant did not wish to know the result, merely that it had been finalised.
The Respondent Agency was not willing to offer these things to the Complainant, despite the efforts of the OIC and privacy officers working in the Respondent Agency. Accordingly, the Privacy Commissioner determined under section 174(b) that the complaint was not able to be mediated and advised the Complainant that, under section 175, the complaint could be referred to the Queensland Civil and Administrative Tribunal for determination.