The complainant was followed into a retail store by the local manager of an insurance company after a near accident between their cars. The manager was seen and overheard by customers in the store threatening to endorse the complainant's file and referring to the complainant's past accident record.

The complainant contacted the insurance company about the actions of its manager. Because the complainant was not satisfied with the settlement terms offered by the company, he referred the matter to me. I considered principles 5 and 11 of the Privacy Act 1993 were relevant.

Principle 5

Principle 5 requires agencies to take reasonable security safeguards against unauthorised access, use and disclosure of personal information.

The key to principle 5 is whether the agency has security safeguards, such as rules and procedures, to guard against unauthorised access or disclosure of personal information and whether these safeguards are reasonable in the circumstances. My investigation under this principle focused on the company's actions rather than those of the manager.

My investigations revealed that the company provided intensive training and resources on the Privacy Act to its employees, including an instruction manual. In fact, the manager had not only taken part in Privacy Act training but had led discussions in some sessions. I considered the company had taken reasonable steps to ensure that personal information it held was not disclosed unnecessarily or without the authority of the company. I formed the opinion that the company did not breach information privacy principle 5.

Principle 11

Principle 11 provides that an agency must not disclose personal information to a third party unless certain specified exceptions apply. It was not necessary for me to apply this principle or determine whether one of the exceptions applied in this instance, because I considered that section 126 of the Privacy Act applied. Section 126(1) places the responsibility on the employer for any act or omission by an employee. However, section 126(4) recognises there are limits on employers' liability for employee actions:

In proceedings under this Act against any person in respect of an act alleged to have been done by an employee of that person, it shall be a defence for that person to prove that he or she took such steps as were reasonably practicable to prevent the employee from doing that act, or from doing as an employee of that person acts of that description.


As discussed above, I formed the provisional opinion that the agency took such steps as were reasonably practicable in the circumstances to prevent the manager disclosing the complainant's personal information to third parties. I considered that the defence provided by section 126(4) was available to the agency.

After being informed of my provisional opinion, the parties agreed to settle. The company apologised and gave confirmation of the action taken against the manager and assured the complainant that no notation had been placed on his file. No further action was necessary.

Indexing terms: Storage and security - Insurance company - disclosure of personal information - agency provided extensive training and instruction manuals - reasonable security safeguards in place - Information privacy principle 5

July 2001