Federal Privacy Commissioner case notes of general interest

The Federal Privacy Commissioner has released case notes on 9 completed matters, 5 on
26 June and 4 on 30 June.

Two case notes are of particular interest. In L v Health Service Provider (2006) PrivCmrA11 the health service provider refused access to a medical report about the complainant on the grounds that it had been prepared for an insurance company for a fee. The Privacy Commissioner found that National Privacy Principle 6 – an individual’s right to access personal information - applied regardless of whether the documents had been prepared in response to a request from an insurer. The insurance company suggested it may have had grounds for claiming legal privilege – documents prepared for the dominant purpose of use in legal proceedings – but agreed not to test the claim in this instance.

In N v Utility Provider (2006) PrivCmrA13 the complainant alleged that their ex-partner, an employee of the utility provider, improperly accessed the complainant’s records to ascertain information about the complainant’s assets.

The Privacy Commissioner found that the utility provider held personal information about a large number of individuals, and given its nature should be given a high level of protection, as unauthorised access could lead to serious consequences for customers. The automated billing system however, had no capacity to identify instances where staff browsed records. The Commissioner said that the absence of an audit trail was a breach of the requirement to take reasonable steps to safeguard information from unauthorised access and misuse.

In the light of this finding public and private sector organisations might want to have a look at whether their IT systems have such a trail – my guess is this could be a common failing.