Focus: Consumer Compliance and eCommerce May 2003
Privacy and financial information
In brief: As consumers become more aware of their rights under the Privacy Act, it is imperative that financial institutions ensure they comply with publicised privacy policies. In April 2003, the Privacy Commission investigated two incidents involving the mishandling of financial information of customers. Senior Associate Lorien Beazley reports.
Case 1
In E v Financial Institution [1], the financial institution was found to have taken inadequate steps to protect the personal information held by it from:
- misuse; and
- unauthorised access, modification or disclosure.
'E' claimed that an employee of E's financial institution accessed and disclosed personal information about E's investment account to the employee's family. These circumstances would infringe:
- NPP 2.1, which only allows the financial institution to disclose E's personal information for a secondary purpose in limited circumstances. (However, since the alleged unauthorised access occurred before the introduction of the National Privacy Principles, there was no infringement); and
- NPP 4.1, which requires the financial institution to take reasonable steps to protect the personal information it holds from misuse and unauthorised access, modification or disclosure.
The financial institution could not determine whether the information had in fact been accessed because its computer system only recorded transactions that modified (rather than simply accessed) accounts. Even so, the Commissioner suggested that, in light of modern technology, compliance with NPP 4.1 may require a financial institution to monitor access to personal information held in computer systems accessible by employees. The financial institution agreed to put such a monitoring system in place.
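The gap described above (a system that records modifications but not reads) is the one a defender needs to close. The following is an added illustration, not code from the article or from the Privacy Commissioner's determination: a small account store that writes an audit event for every read as well as every modification, so that "who accessed this account?" can be answered. The staff identifiers, account numbers and field names are constructed sample values.

```python
"""Access-audit layer that records reads as well as modifications.

Added illustration for the Case 1 discussion; not part of the original
article. All staff ids, account ids and values below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class AuditEvent:
    timestamp: datetime
    staff_id: str
    account_id: str
    action: str       # "read" or "modify"
    field_name: str   # which personal-information field was touched


class AuditedAccountStore:
    """Wraps account records so that every read and modify is logged.

    A system that only logs transactions which change an account (the
    situation in Case 1) cannot distinguish an employee who merely looked
    at a record from one who never touched it. Logging reads closes that gap.
    """

    def __init__(self, accounts: Dict[str, Dict[str, str]]):
        self._accounts = accounts
        self.audit_log: List[AuditEvent] = []

    def _record(self, staff_id: str, account_id: str, action: str, field_name: str) -> None:
        self.audit_log.append(
            AuditEvent(datetime.now(timezone.utc), staff_id, account_id, action, field_name)
        )

    def read(self, staff_id: str, account_id: str, field_name: str) -> str:
        # Read access is logged before the value is returned.
        self._record(staff_id, account_id, "read", field_name)
        return self._accounts[account_id][field_name]

    def modify(self, staff_id: str, account_id: str, field_name: str, value: str) -> None:
        self._record(staff_id, account_id, "modify", field_name)
        self._accounts[account_id][field_name] = value


def who_accessed(store: AuditedAccountStore, account_id: str) -> List[str]:
    """Every staff member who read or modified the account (full audit log)."""
    return sorted({e.staff_id for e in store.audit_log if e.account_id == account_id})


def modify_only_view(store: AuditedAccountStore, account_id: str) -> List[str]:
    """What a modification-only transaction log (as in Case 1) would show."""
    return sorted({e.staff_id for e in store.audit_log
                   if e.account_id == account_id and e.action == "modify"})


def reads_without_modification(store: AuditedAccountStore, account_id: str) -> List[str]:
    """Staff who only viewed the account; invisible to a modify-only log."""
    readers = {e.staff_id for e in store.audit_log
               if e.account_id == account_id and e.action == "read"}
    modifiers = set(modify_only_view(store, account_id))
    return sorted(readers - modifiers)


def build_sample_store() -> AuditedAccountStore:
    """Constructed scenario: one legitimate update, one read-only lookup."""
    store = AuditedAccountStore({
        "ACC-1001": {"holder": "E", "balance": "12500.00"},
        "ACC-2002": {"holder": "Someone else", "balance": "300.00"},
    })
    # Staff S-017 processes a genuine transaction on E's account.
    store.modify("S-017", "ACC-1001", "balance", "12750.00")
    # Staff S-042 only looks at E's balance; a modify-only log never sees this.
    store.read("S-042", "ACC-1001", "balance")
    # Unrelated activity on another account.
    store.read("S-017", "ACC-2002", "holder")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("modify-only log shows:", modify_only_view(s, "ACC-1001"))
    print("full audit log shows:", who_accessed(s, "ACC-1001"))
    print("read-only accesses:", reads_without_modification(s, "ACC-1001"))
```

In practice the audit log would be written to append-only storage that the staff being monitored cannot alter, and the read events would be reviewed against each employee's assigned customers so that unexplained lookups are surfaced rather than discovered only after a complaint.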
Case 2
Credit providers must not disclose credit information except in specified circumstances (Part IIIA of the Act). This was at issue in the case F v Credit Provider [2], in which 'F' complained that an employee of a retail store at which she held a credit account improperly disclosed to her former partner:
- the amount owing in relation to the purchase of an appliance by F for which credit had been provided; and
- the balance of F's general credit account.
F suffered anger and embarrassment and sought an apology and compensation. The credit provider agreed to apologise and pay compensation of $750, after which the investigation was discontinued.
In this case, disclosure of a report that had a bearing on credit worthiness, credit standing, credit history or credit capacity occurred when:
- the balance of a credit account was disclosed; and
- factual information, such as the account being in arrears, was disclosed.
As a result, credit providers must consider carefully the wide interpretation of 'report' and ensure only essential and authorised disclosures are made, even after an account is closed.
Consumers are becoming more aware of their rights under the Privacy Act. A failure to comply with publicised privacy policies can amount to a breach of both the Privacy Act and Trade Practices Act. The Banking Ombudsman is likely to pursue privacy breaches. What may appear to be small or insignificant disclosures or security breaches may be sufficient to amount to significant and embarrassing breaches under the law, attracting not only financial penalties but also adverse publicity.
References
- [1] E v Financial Institution [2003] PrivCmrA 3 (the parties' names are kept confidential by the Privacy Commissioner)
- [2] F v Credit Provider [2003] PrivCmrA 4