H and Registered Club [2011] AICmrCN 2 (22 December 2011)


Subject heading

Collection of information and security of personal information

Law

National Privacy Principles 1.1, 1.3 and 4.2 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts

The complainant alleged that a registered club interfered with their privacy by scanning their driver licence and, in doing so, recording unnecessary information. The complainant conceded that the club was required to collect their name, address and signature. However, the complainant considered the collection of the other information on the licence, including their date of birth, driver's licence number, driver's licence type and photograph, to be unnecessary.

The complainant also raised concerns that the registered club's notice and security procedures were insufficient.

Issues

NPP 1.1 states that an organisation must not collect an individual's personal information, unless that information is necessary for one or more of its functions or activities.

NPP 1.3 provides that at or before the time (or if that is not practicable, as soon as practicable after) an organisation collects an individual's personal information, it must take reasonable steps to ensure an individual is aware of a number of factors, including the purposes for which the information is collected.

NPP 4.1 states that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Outcome

The Commissioner investigated the matter under section 40(1) of the Privacy Act and attempted to conciliate this matter under section 27(1)(ab) of the Privacy Act.

As part of the conciliation process, the complainant accepted the registered club's offer to delete their personal information from its database, on the condition that the complainant would provide it with a statutory declaration setting out their name, address, and the date they entered the registered club as a visitor.

The registered club explained it had obligations under section 31 of the Registered Clubs Act 1976 to retain certain personal information for five years and it had a procedure in place to delete the information after that time. It would not agree to cease or alter its identity scanning practices. Instead, it explained it would continue to offer its patrons the alternate option of manually completing and signing the register. The registered club also offered that, if a patron changed their mind after having their identification scanned, it would endeavour to delete this information in a similar way to the complainant.

In terms of notice, the registered club advised that a privacy statement is displayed at the entrance to the club informing patrons about the collection and handling of their personal information and is also displayed to patrons on the terminal when their identification is scanned. This statement refers patrons to the registered club's privacy policy.

The club also agreed to destroy any personal information it had collected from patrons for five years, rather than retaining it for seven years as it had done previously.

The Commissioner considered the registered club's proposal to deal with the complaint, including the offer by the club to delete the complainant's personal information from its identity card scanning machine. In particular, he took into account the registered club's legal obligations to collect certain identifying information, and the fact that the registered club would continue to offer patrons the option of manually signing in as an alternative to having their identity cards scanned.

Where it is considered that a respondent has taken adequate steps to deal with a complaint, it is open to the Commissioner to decide to close a complaint under section 41(2)(a) of the Privacy Act on the basis that the respondent has adequately dealt with the complaint.

The Commissioner decided that the offer of deletion coupled with the alternative option of manual sign-in adequately dealt with the collection issues in the complaint. The Commissioner also considered the security procedures and notice at the entrance of the club adequately dealt with that aspect of the complainant's complaint.

For these reasons the Commissioner closed the complaint under section 41(2)(a) of the Privacy Act on the grounds that the registered club had adequately dealt with the matter.

Office of the Australian Information Commissioner
December 2011