Case Notes

 

Disclaimer

The Privacy and Data Protection Act 2014 (PDPA) replaced the IPA and established the Office of the Commissioner for Privacy and Data Protection (CPDP) in September 2014. The following material was published by the Office of the Victorian Privacy Commissioner and references the Information Privacy Act 2000 (IPA) current at the time of original publication.

The privacy provisions of the PDPA reproduce those in the IPA with some additions. In particular, the IPA’s ten Information Privacy Principles were incorporated into the PDPA without amendment.

 

Complainant AY v Public Sector Employer (2013)

Complainant AY v Public Sector Employer [2013] VPrivCmr 02, Case Note 02.13, issued February 2013. IPP 2 – Use and Disclosure; IPP 3 – Data Quality; and IPP 4 – Data Security.

 

Complainant AX v Public Sector Employer (2013)

Complainant AX v Public Sector Employer [2013] VPrivCmr 01, Case Note 01.13, issued January 2013. IPP 1 – Collection – Comments on the necessity of collection of identity documents. IPP 4 – Data Security – Allegation that a Public Sector Employer failed to take reasonable steps to protect personal information (copies of identity documents and other employment documents) from loss.

 

Complainant AW v Statutory Authority (2012)

Complainant AW v Statutory Authority [2012] VPrivCmr 01, Case Note 01.12, issued May 2012. IPP 8 – Anonymity – Allegation that Statutory Authority (a regulator accepting complaints from individuals) failed to provide option of anonymity where lawful and practical. 

 

Complainant AV v Body Established for a Public Purpose (2011)

Complainant AV v Body Established for a Public Purpose [2011] VPrivCmr 04, Case Note 04.11, issued September 2011. IPP 1 – Collection – whether the organisation collected information that was necessary for its functions or activities - IPP 8 – Anonymity – whether the organisation failed to provide an anonymity option where it was lawful and practicable. 

 

Complainant AU v Public Sector Agency (2011)

Complainant AU v Public Sector Agency [2011] VPrivCmr 03, Case Note 03.11, issued September 2011. IPP 1 – Collection – whether the organisation failed to provide the Complainant with notice under IPP 1.3(d) to whom the organisation usually discloses information of that kind – IPP 2 – Use and Disclosure – whether the organisation used/disclosed personal information in a way not authorised – IPP 4 – Data Security – whether the organisation failed to take reasonable steps to protect personal information held from unauthorised access and disclosure. 

 

Complainant AT v Local Council (2011)

Complainant AT v Local Council [2011] VPrivCmr 2, Case Note 02.11, issued March 2011. IPP 2 – Disclosure of personal information – whether information was disclosed for purpose other than primary purpose of collection – IPP 1 – Collection – whether Local Council gave notice that personal information contained in a submission would be published on its website – IPP 4 – Data Security – whether Local Council failed to take reasonable steps to protect personal information. 

 

Complainants AS v Contracted Service Provider to a Department (2011)

Complainants AS v Contracted Service Provider to a Department [2011] VPrivCmr 1, Case Note 01.11, issued March 2011. IPP 6.1 – Access and Correction – Allegation that the Contracted Service Provider failed to provide access to personal information it held (IPP 6.1). Allegation that the Contracted Service Provider failed to respond to an access request within 45 days of receiving request, and failed to provide adequate reasons for denial of access (IPP 6.8). 

 

Complainant AR v the Department (2010)

Complainant AR v the Department [2010] VPrivCmr 3, Case Note 03.10, issued August 2010. IPP 2 - Use and Disclosure - Allegation that the deletion of emails was an unauthorised use of personal information. IPP 4 - Data Security - Allegation that the Department failed to take reasonable steps to protect the personal information it held from misuse, loss, unauthorised access and modification. 

 

Complainant AQ v Contracted Service Provider to the Department (2010)

Complainant AQ v Contracted Service Provider to the Department [2010] VPrivCmr 2, Case Note 02.10, issued August 2010. IPP 2 - Use and Disclosure - Disclosure of personal information. Whether information was disclosed for purpose other than primary purpose of collection. IPP 5 - Openness - Delay by organisation in providing its privacy policy. 

 

Complainant AP v Organisation B (2010)

Complainant AP v Organisation B [2010] VPrivCmr 1, Case Note 01.10, issued February 2010. IPP 2 – Use and Disclosure – Allegation that the Organisation allowed personal information to be used and disclosed for a purpose unrelated to the primary or permitted secondary purpose of collection. IPP 4 – Data Security – Allegation that the Organisation failed to take reasonable steps to protect personal information from misuse and loss, unauthorised access, modification or disclosure. 

 

Complainants AO v Organisation (2009)

Complainants AO v Organisation [2009] VPrivCmr 4, Case Note 04.09, July 2009. IPP 1 - Collection - Allegation that the organisation collected personal information which was not necessary for one or more of its functions or activities (IPP 1.1). IPP 2 - Use and Disclosure - Allegation that the organisation allowed personal information to be used and disclosed for a purpose unrelated to the primary, or permitted secondary purpose of collection. IPP 4 - Data Security - Allegation that the organisation failed to take reasonable steps to protect personal information from misuse and loss, unauthorised access, modification or disclosure. 

 

Complainants AN v Statutory Authority (2009)

Complainants AN v Statutory Authority [2009] VPrivCmr 3, Case Note 03.09, issued June 2009. IPP 2 - Use and Disclosure – Allegation the Statutory Authority disclosed personal information to a neighbour, for a related secondary purpose, which would not reasonably be expected (IPP 2.1(a)). IPP 4 - Data Security – Allegation that by disclosing personal information to a neighbour, the Statutory Authority failed to take reasonable steps to protect personal information from misuse, loss and unauthorised disclosure (IPP 4.1).

 

Complainant AM v Local Council (2009)

Complainant AM v Local Council [2009] VPrivCmr 2, Case Note 02.09, issued February 2009. IPP 1 - Collection - Allegation that a Local Council failed to give notice of the collection of personal information (IPP 1.3(a)), and the purpose for which the personal information was collected (IPP 1.3(c)).   

 

Complainant AL v Local Council (2009)

Complainant AL v Local Council [2009] VPrivCmr 1, Case Note 01.09, issued February 2009. IPP 1 - Collection – Allegation that the Local Council failed to provide adequate notice about whom it usually discloses personal information to. IPP 2 - Use and Disclosure – Allegation that the Local Council disclosed personal information for a purpose either unrelated to collection or one which was not reasonably expected. Case 

 

Complainant AK v Statutory Authority (2008)

Complainant AK v Statutory Authority [2008] VPrivCmr 3, Case Note 03.08, issued December 2008. IPP 1 - Collection – Allegation that the Statutory Authority (the Authority) failed to notify that the Complainant’s personal information would be available on the world wide web (www) (IPP 1.3). IPP 2 - Use and Disclosure – allegation that the disclosure of the Complainant’s personal information on the Statutory Authority’s website was not in accordance with the primary purpose of collection or a related secondary purpose that would reasonably be expected  (IPP 2.1). 

 

Complainant AJ v The Department (2008)

Complainant AJ v The Department [2008] VPrivCmr 2, Case Note 02.08, issued October 2008. IPP 3 - Data Quality – Allegation that the Department failed to update its records and ensure that the personal information it collected, used and disclosed was accurate, complete and up to date. IPP 4 - Data Security – Allegation that the Department failed to take reasonable steps to protect the personal information it held from unauthorised disclosure. 

 

Complainants AI v Local Council (2008)

Complainants AI v Local Council [2008] VPrivCmr 1, Case Note 01.08, issued June 2008. IPP 2 - Use and Disclosure  – Informal bulk release of personal information in response to an FOI application (IPP 2.1). Interaction between the Freedom of Information Act 1982 and the Information Privacy Act 2000. more » 

 

Complainant AH v The Department (2007)

Complainant AH v The Department [2007] VPrivCmr 3, Case Note 03.07, issued November 2007. IPP 2 - Use and Disclosure – Allegation that the Department disclosed personal information unrelated to an investigation being undertaken. IPP 4 - Data Security – Allegation that the Department failed to take reasonable steps to secure the personal information from unauthorised disclosure. more » 

 

Complainant AG v Local Council (2007)

Complainant AG v Local Council [2007] VPrivCmr 2, Case Note 02.07, issued June 2007. IPP 2 - Use and Disclosure – allegation that a kindergarten operated under licence from the local council disclosed personal information for an unauthorised purpose. IPP 4 - Data Security – Allegation that kindergarten failed to take reasonable steps to secure the personal information from unauthorised disclosure. Whether licence is a State Contract within the definition of section 17 IPA between local council and kindergarten. 

 

Complainant AF v Local Council (2007)

Complainant AF v Local Council [2007] VPrivCmr 1, Case Note 01.07, issued May 2007. IPP 1 - Collection – allegation that a local council failed to give notice of the purpose for which information was collected. IPP 2 - Use and Disclosure – allegation that a local council used and disclosed personal information for a purpose unrelated to the primary purpose of collection. 

 

Complainant AE v Contracted Service Provider to a Statutory Authority (2006)

Complainant AE v Contracted Service Provider to a Statutory Authority [2006] VPrivCmr 6, Case Note 06.06, issued August 2006. IPP 1 - Collection of personal information – Whether collection of personal information by a Contracted Service Provider to a Statutory Authority was necessary for one or more of the Contracted Service Provider’s functions or activities. IPP 3 - Data Quality – whether the Contracted Service Provider failed to take reasonable steps to ensure that the information it collected about the Complainant was accurate. 

 

Complainant AD & Others v The Department (2006)

Complainant AD & Others v The Department [2006] VPrivCmr 5, Case Note 05.06, issued May 2006. IPP 4 - Data Security – Unintended disclosure of personal information on world wide web (www) of entrants to competition run by Department. Efforts made to retrieve information on www, including involvement of major search engine operator. Details of conciliated result of multiple complaints.   

 

Complainant AC v Public Sector Body (2006)

Complainant AC v Public Sector Body [2006] VPrivCmr 4, Case Note 04.06, issued April 2006. IPP 2 - Use and Disclosure – Disclosure in context of informing a member of the public of results of an internal investigation into a member of staff. Disclosure that is sufficient to show investigation and outcome were fair would be reasonably expected. 

 

Complainant AB v Victoria Police (2006)

Complainant AB v Victoria Police [2006] VPrivCmr 3, Case Note 03.06, issued March 2006. IPP 2 - Use and Disclosure - Personal information collected for a particular purpose, used for an unrelated purpose. Allegation that Victoria Police collected personal (fingerprint) information for the purpose of assessing a firearms licence and continued to use the information for a purpose (comparison with fingerprints found at crime scenes) which is unrelated to the primary purpose of collection. 

 

Complainant AA v The Department (2006)

Complainant AA v The Department [2006] VPrivCmr 2, Case Note 02.06, issued January 2006. IPP 2 - Use and Disclosure - Disclosure of personal information. Disclosure to a member of the public by Departmental administrative officer. IPP 2.1 – Section 29(1)(e) – Commissioner may decline privacy complaint where it is misconceived. 

 

Complainant Z v Local Council (2006)

Complainant Z v Local Council [2006] VPrivCmr 1, Case Note 01.06, issued January 2006. IPP 2 - Use and Disclosure - Disclosure of personal information. Disclosure to local residents during local government election period of complainant’s dispute with local council. Allegation that a local councillor disclosed complainant’s personal information obtained whilst acting in capacity as local councillor, for the purpose of seeking re-election. 

 

Complainant Y v The Department (2005)

Complainant Y v The Department [2005] VPrivCmr 7, Case Note 07.05, issued November 2005. IPP 2 - Use and Disclosure - Disclosure of personal information. Disclosure to the media by the Department in response to Complainant’s comments to media following a tribunal hearing. IPP 2.1(a) – Disclosure for a related secondary purpose an individual would reasonably expect after willingly and knowingly speaking to media about complaint. 

 

Complainant X v Contracted Service Provider to a Department (2005)

Complainant X v Contracted Service Provider to a Department [2005] VPrivCmr 6, Case Note 06.05, issued September 2005. IPP 1 – Collection – Collection by contracted service provider in the course of conducting an investigation. Whether collection of personal information was necessary for one or more of its functions. IPP 3 – Data Quality – Whether information collected was accurate. 

 

Complainant W v Public Library (2005)

Complainant W v Public Library [2005] VPrivCmr 5, Case Note 05.05, issued June 2005. IPP 1 – Collection – Collection through public library’s use of virus-scanning computer software. Whether collection necessary for library’s functions and activities. Whether reasonable steps taken to give notice of collection. IPP 4 – Data Security – Reasonable steps to protect personal information from unauthorised access. Whether mere retention by computer system of copies of documents containing personal information posed data security risk. 

 

Complainants R, S, T, U and V v Local Council (2005)

Complainants R, S, T, U and V v Local Council [2005] VPrivCmr 4, Case Note 04.05, issued May 2005. IPP 2 – Use and Disclosure – Whether information was disclosed for purpose other than primary purpose of collection. IPP 10 – Sensitive Information – Whether sensitive information collected. 

 

Complainant Q v Contracted Service Provider to a Department (2005)

Complainant Q v Contracted Service Provider to a Department [2005] VPrivCmr 3, Case Note 03.05, issued April 2005. IPP 2 – Use and Disclosure - disclosure by contracted service provider’s Human Resources Manager of employee’s criminal record check to other staff without employee’s express consent. Whether disclosure authorised under IPP 2. IPP 4 – Data Security – Whether check no longer needed for any purpose. 

 

Complainant P v Local Council (2005)

Complainant P v Local Council [2005] VPrivCmr 2, Case Note 02.05, issued February 2005. IPP 2 – Use and Disclosure - Disclosure of personal information. Small community. Disclosure by council of Complainant’s name and address as a person reporting a lost dog to council. Whether disclosure authorised under IPP 2. IPP 4 – Data Security – Whether council took ‘reasonable steps’ to ensure that Complainant’s name was protected from unauthorised disclosure. 

 

Complainant O v Health Services Commissioner (2005)

Complainant O v Health Services Commissioner [2005] VPrivCmr 1, Case Note 01.05, issued February 2005. Collection of personal information. Collection by Health Services Commissioner of ‘in confidence’ correspondence written by an individual to another government organisation. Disclosure of correspondence to medical practitioner engaged by Health Services Commissioner to assess complaint. Quasi-judicial functions. Operation of section 10 of the Information Privacy Act 2000 by virtue of Health Services Commissioner’s statutory immunities in the Health Services (Conciliation and Review) Act 1987. 

 

Complainant N v Local Council (2004)

Complainant N v Local Council [2004] VPrivCmr 8, Case Note 08.04, issued December 2004. Use of personal information leading to unauthorised disclosure. Small community. Unnecessarily wide circulation by council among employees of Complainant’s name as a person reporting public health and safety issue for action by council. IPP 4 - Data Security - Allegation that one employee, who did not need to know the name, disclosed personal information to employee’s spouse. 

 

Complainant M v Tertiary Institution (2004)

Complainant M v Tertiary Institution [2004] VPrivCmr 7, Case Note 07.04, issued November 2010. IPP 2 - Use and Disclosure - Disclosure of personal information. Disclosure by Tertiary Institution of Complainant’s personal information to debt collection agency in the context of recovering outstanding debt. IPP 2.1(a) – Disclosure for a related secondary purpose reasonably expected

 

Complainant L v Tertiary Institution (2004)

Complainant L v Tertiary Institution [2004] VPrivCmr 6, Case Note 06.04, issued November 2004. IPP 1 - Collection -  Collection of personal information. Collection by means of e-mail monitoring. Whether collection fair and not unreasonably intrusive. Whether Complainant informed of matters listed at IPP 1.3. Disclosure of results of e-mail monitoring to third party. Whether reasonable steps taken to protect against unauthorised disclosure. IPP 4 - Data Security.   

 

Complainant K v Local Council (2004)

Complainant K v Local Council [2004] VPrivCmr 5, Case Note 05.04, issued November 2004. IPP 2 - Use and Disclosure - Disclosure of personal information. Disclosure by Local Council of Complainant’s personal information to contractor of Council in the context of Complainant having made a complaint to Council about works not completed. Section 29(1)(h)(i). Local Council adequately dealt with complaint.

 

Complainant J v Statutory Entity (2004)

Complainant J v Statutory Entity [2004] VPrivCmr 4, Case Note 04.04, issued May 2004. IPP 2 – Use and Disclosure – Disclosure of personal information contained in correspondence to court-appointed liquidator pursuant to statutory notice under the Corporations Act 2001 (Cth). Whether disclosure “required under law”. Interpretation of statutory provisions in other Acts for the purpose of Privacy Commissioner exercising functions under Part 5 of the Information Privacy Act.

 

Complainant I v Department (2004)

Complainant I v Department [2004] VPrivCmr 3, Case Note 03.04, issued April 2004. IPP 2 - Use and Disclosure - Disclosure personal information. Disclosure by Department of its employee’s bank account and leave details. Disclosure to external investigator and review panel in context of a misconduct matter. Disclosure necessary as part of investigation into suspected unlawful activity. 

 

Complainant H v Local Council (2004)

Complainant H v Local Council [2004] VPrivCmr 2, Case Note 02.04, issued February 2004. IPP 2 - Use and Disclosure - Disclosure personal information. Local Council.  Name and address on petition displayed on a website. Primary purpose or secondary purpose individual would reasonably expect. Authorised or required by law. Availability of council minutes. 

 

Complainant G v Department (2004)

Complainant G v Department [2004] VPrivCmr 1, Case Note 01.04, issued January 2004. IPP 1 - Collection - Collection of identifiable image (by media, facilitated by Respondent’s contracted service provider). Whether Respondent or contracted service provider collected personal information. IPP 5 – Openness – Whether Complainant’s request for contracted service provider’s privacy policy met. 

 

Complainant F v Tertiary Institution (2003)

Complainant F v Tertiary Institution [2003] VPrivCmr 6, Case Note 06.03, issued December 2003. IPP 2 - Use and Disclosure – Disclosure by Tertiary Institution of Complainant’s personal information to supervisor of Complainant’s Master’s thesis in the context of review of the Complainant’s candidature for PhD. Disclosure for a related secondary purpose reasonably expected

 

Complainant E v Statutory Entity (2003)

Complainant E v Statutory Entity [2003] VPrivCmr 5, Case Note 05.03, issued October 2003. IPP 1 – Collection – Whether organisation took reasonable steps to let Complainant know register was a public register and would be made available to public online. IPP 3 – Data Quality – Whether organisation took reasonable steps to ensure personal information published online was accurate. IPP 4 – Data Security – Whether organisation took reasonable steps to protect online information from misuse by others in circumstances where personal safety was a concern. 

 

Complainant D v Minister (2003)

Complainant D v Minister [2003] VPrivCmr 4, Case Note 04.03, issued September 2003. IPP 2 – Use and Disclosure - Disclosure of a complainant’s contact details to the organisation complained against. Disclosure, if not for the primary purpose of collection, for a secondary purpose related to the primary purpose and one an individual might reasonably expect. 

 

Complainant C v Department (2003)

Complainant C v Department [2003] VPrivCmr 3, Case Note 03.03, issued August 2003. IPP 1 – Collection – Whether personal information collected by government department was necessary for functions and activities. IPP 10 – Sensitive Information – Whether sensitive information collected. IPP 3 – Data Quality – Whether government department took reasonable steps to ensure information collected was accurate.

 

Complainant B v Statutory Entity (2003)

Complainant B v Statutory Entity [2003] VPrivCmr 2, Case Note 02.03, issued June 2003. IPP 4 – Data Security – Disclosure of B’s current address to former husband at the front counter. Whether reasonable steps taken to protect against unauthorised disclosure. Disclosure of personal information. Disclosure of B’s current address by Statutory Entity to former husband at the front counter. IPP 2 – Use and Disclosure - Disclosure of current address not a permitted disclosure under the Act. 

 

Complainant A v Local Council (2003)

Complainant A v Local Council [2003] VPrivCmr 1, Case Note 01.03, issued March 2003. IPP 1 – Collection – Collection prior to 1 September 2002. IPP 2 – Use and Disclosure - Disclosure of personal information at a pre-hearing conference. Disclosure of details of conversation between A and credit service provider about a disputed debt A had with the Local Council. Disclosure related to the primary purpose of collection and can be reasonably expected. Some instances disclosure also authorised or required under law.