Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

We respect your Do Not Track preference.

A woman complained that a process server, seeking to recover a debt from her husband, visited her previous address and discussed the debt with a family member. She said this had caused considerable embarrassment.

The process server had asked to speak to the woman's husband. He told the man who answered the door that he was from a debt collection agency and was calling on behalf of a government department about a debt. In response to a question, the process server said a large sum of money was owed to the department.

The debt collection agency claimed the process server was self-employed and was merely contracted to undertake process serving and debt collection. It denied liability for the process server's actions as it had not authorised the disclosure.

Section 4 of the Privacy Act requires actions done by a person 'in the service of' an agency in the performance of that person's duties to be treated as having been done by the agency. While the process server might have been self-employed, he was clearly 'in the service of' the agency for the purposes of s 4, so the agency was liable for his actions.

I formed the opinion that the agency had breached information privacy principles 5 and 11.

Information privacy principle 5

Principle 5(b) requires agencies to ensure that:

'If it is necessary for personal information to be given to a person in connection with the provision of a service to an agency, everything reasonably within the powers of that agency is done to prevent unauthorised use or disclosure of the information.'



I considered that the agency had not taken reasonable steps to prevent the process server's unauthorised disclosure. It had not taken any formal steps to ensure its agents were aware of the requirements of the Privacy Act, although it had recently advised them to obtain a copy of the Act and to familiarise themselves with it. I considered that the obligations imposed by principle 5 went well beyond a simple instruction for the agent to be familiar with the Act's requirements. In my opinion, the agency had not done everything reasonably within its power to prevent an unauthorised disclosure.

The agency acknowledged its training of process servers in relation to the Privacy Act was deficient.

Information privacy principle 11

Principle 11 provides that personal information may not be disclosed unless the agency believes on reasonable grounds that an exception applies.

The agency submitted that the process server's actions were directly related to a purpose in connection with which the information was obtained (principle 11(a)). I accepted that the process server had information about the debt to aid in its recovery, but considered that disclosure about the debt and debtor to a third party was not directly related to the task of recovering the debt, and formed the opinion that principle 11(a) did not allow the disclosure.

The agency also submitted that the disclosure was necessary for the protection of public revenue (principle 11(e)(iii)). As the debt was an overpayment by a government department, it believed the process server was recovering public revenue.

The Oxford English Dictionary defines revenue as 'annual income, especially that of the state or government institution'. 'Income' is in turn defined as 'periodical, especially annual, receipts from one's work, lands and investments', so an essential characteristic of 'revenue' is regular payments to a person or agency. In view of this, I did not consider that the occasional recovery of an overpayment could be viewed as revenue. I formed the opinion that the recovery of overpaid expenditure was not the revenue Parliament intended to protect by this exception.

In any case, the exception would only apply if the disclosure was necessary for the protection of public revenue. I did not consider that the process server needed to disclose more than his identity and the name of the person he was looking for in order to achieve this purpose.

The agency also claimed that the disclosure of information by the process server was necessary for the conduct of proceedings (principle 11(e)(iv)). I accepted that the conduct of proceedings over the debt required the debtor to be located. However, I did not consider it was necessary to disclose the existence of the debt or the reasons for seeking the woman's husband.

Settlement

Following discussions with my investigating staff, the agency apologised to the complainant for its actions and gave an undertaking to ensure that its process servers would comply with the Privacy Act in the future. A new procedure manual was to be prepared with guidelines on the Privacy Act. All of the agency's sub-contractors would have to comply with it and failure to do so could result in termination of their contracts.

The woman was satisfied with the actions taken by the agency and considered they resolved her complaint.

April 1998

_Indexing terms: Storage and security - Debt collection agency - Reasonable steps to prevent process server's unauthorised disclosure - Privacy Act 1993, s 4 - Information privacy principle 5
Disclosure of personal information - Debt collection agency - Disclosure by process server - Whether debt collection agency liable for actions of process server - Whether disclosure 'directly related' to purpose information obtained, necessary for the 'protection of public revenue' or necessary for the 'conduct of proceedings' - Privacy Act 1993, s 4 - Information privacy principle 11(a), (e)(iii) and (iv)_