Privacy case note #3, 2021: Agency discloses copy of records to a legal firm whose client had the same name as complainant

OIC was contacted by a complainant who stated the agency had provided a copy of her agency records to a legal firm, whose client had the same name as her. All other information was different including the two people’s ages, their places of residence and the currency of the records.

The complainant found out about the breach when the client contacted her to advise her of the agency’s mistake.

The complainant contacted the agency who acknowledged that in this case, the search for the records had used only the name of the individual and that had any other identifier been checked, the mistake would not have occurred.

Privacy principles

The complaint raised issues under the following Information Privacy Principles (IPPs):

• IPP 8 – reasonable steps must be taken to ensure personal information is accurate, complete and up-to-date.
• IPP 10 – use of personal information for a purpose other than that for which it was collected.
• IPP 11 – disclosure of personal information to a person other than the individual it is about.

The agency acknowledged a breach of IPP 11 only.

Mediation

In the consequent mediation, the complainant sought financial compensation for the ‘pain and suffering’ the disclosure had caused. While the agency was willing to agree to a measure of financial compensation, there was an unbridgeable gap between the complainant and the agency on the amount of compensation. The complaint was not resolved.

The client lodged their own complaint of IPP 11 breach in relation to this incident. However, as the client’s personal information was not disclosed to a third party, OIC declined to accept this complaint.