Privacy Case Note 07-2011 (Information Privacy Principle 4)
Case note number: 07/2011
Privacy principles: Information Privacy Principle 4 – an agency must protect personal information against unauthorised access, use and any other misuse, and must include appropriate security protections.
Other sections: Schedule 1 – documents to which the privacy principles do not apply.
The Complainant is employed by the Respondent Agency and, in the course of that employment, was involved in a complaint and investigation. The Complainant developed the belief that reports related to the investigation were being stored on a generally accessible network drive.
In order to prove this the Complainant accessed the drive, identified two reports—Report A and report B—containing personal information arising out of the investigation, and printed them. As those actions were a breach of the Respondent Agency’s policies, it conducted a second investigation. As part of the second investigation, the Complainant was interviewed; during the interview, the Complainant presented the two reports and made a privacy complaint, stating that Respondent Agency had breached Information Privacy Principle 4 (IPP 4).
The Complainant received no response to the privacy complaint from the Respondent Agency and brought their complaint to the OIC.
The OIC conducted preliminary inquiries under section 167 to determine if the privacy complaint could be accepted. The Respondent Agency advised that it believed the documents fell within Schedule 1 of the Information Privacy Act and, as such, were not subject to the privacy principles. The Complainant accepted that Report A was a Schedule 1 document but contested Report 2. There was some difficulty with discussing Report 2 with the Respondent Agency, as it did not respond to the OIC’s enquiries in a timely fashion, but the Respondent Agency eventually provided the OIC with the information necessary to determine that Report B was also a Schedule 1 document.
The Complainants’ complaint was about the inappropriate storage of Report A and Report B, both which were Schedule 1 documents. As the privacy principles do not apply to Schedule 1 documents, the Privacy Commissioner had no jurisdiction to accept the complaint and advised the Complainant and the Respondent Agency.