A man asked for access to personal information held by a credit reporting agency. The agency had previously experienced some difficulties with him, so it took the added precaution of despatching the documents by courier. However, the man did not receive the documents. He alleged that the agency had failed to take reasonable safeguards to protect his personal information and suggested it should have required the courier to obtain a signature on delivery. However, I did not agree.

Principle 5 requires agencies to take reasonable security safeguards to ensure that personal information is protected against loss, so I had to consider whether the agency had done so when it sent the information by courier. A check with the courier company confirmed that it had the right address and verified that it had delivered the file to the correct address.

The security safeguards have to be reasonable, not fail-safe. I know that many organisations regard the use of a courier as a more certain means of delivery than the general mail. The loss of the file was unfortunate, but I considered it would be wrong to consider courier services an unsafe option because of that.

Requiring a signature on delivery would have provided some extra proof of delivery, but I was not convinced it was an essential safeguard in this case. The agency regularly sends credit reports through the mail, so it had already taken extraordinary precautions by using a courier. In the circumstances, I was satisfied that reasonable steps had been taken to protect the information against loss.

For these reasons, I formed the opinion that the complaint did not have substance.

April 1998

Indexing terms: Storage and security - Credit reporting agency - Requester did not receive a credit report sent by courier - Whether using a courier was a reasonable security safeguard - Information privacy principle 5