E v Insurance Company  PrivCmrA 5
Disclosure of personal information.
National Privacy Principle 2.1 in Schedule 3 of the Privacy Act 1988 (Cth) and section 6 in Part II of the Privacy Act.
The following case was decided by the Privacy Commissioner (the Commissioner) prior to 1 November 2010. On 1 November 2010 all the powers of the Commissioner under the Privacy Act were conferred on the Australian Information Commissioner.
The complainant's car was insured by an insurance company. A relative of the complainant was driving the car and was involved in an accident. The driver of the other vehicle in the accident was also insured by the insurance company and lodged a claim. That claim identified the car and provided some details for the driver of the complainant's car.
The insurance company attempted to identify the driver of the complainant's vehicle and contacted a member of the complainant's family, with similar initials, to ask whether they were the driver. In a conversation with that person, the insurance company revealed details about the complainant's insurance policy including the policy number.
The complainant alleged the insurance company had inappropriately disclosed this information to the family member.
NPP 2.1 says an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection, unless an exception in NPP 2.1(a)-(h) applies.
The Commissioner investigated the matter under section 40(1) of the Privacy Act.
The insurance company provided evidence about the conversation between it and the third party. That evidence supported the view that the insurance company disclosed the complainant's name, policy details and policy number as alleged.
The Commissioner formed the view that the disclosure of the complainant's personal information to the family member, who was uninvolved in either the accident or the insurance claim, was not permitted under NPP 2.1.
The insurance company acknowledged its error, and apologised to the complainant for the way it had handled their personal information.
As there was no evidence that supported a compensation claim by the complainant, the Commissioner was satisfied that the insurance company's response adequately dealt with the complaint and closed the matter on that basis under section 41(2)(a) of the Privacy Act.
Office of the Australian Information Commissioner
3 May 2011