Australian Government - Office of the Australian Information Commissioner - Home

Privacy Commissioner responds to media claims about Medvet investigation – Letter to the editor of The Australian newspaper from Australian Privacy Commissioner, Timothy Pilgrim

26 July 2012

A recent article in The Australian by Hedley Thomas infers that my own motion investigation into Medvet Science Pty Ltd was not rigorous or independent (‘“Rigorous” probe rubber-stamps audit praising lab that broke rules’, The Australian 26 July 2012). I strongly reject this inference, and stand by my finding that Medvet was in breach of the Privacy Act.

Mr Thomas brought the Medvet matter to my attention in July 2011. These allegations were serious and that is why I opened an investigation. I gathered and considered information from a number of sources, including the independent forensic report completed by Deloitte’s on behalf of SA Health and information from the ‘industry figure’ referred to in Mr Thomas’ article. After considering all the information, I found that the company had breached the Privacy Act. I concluded that the accessibility of address information on the internet constituted unlawful disclosure of personal information. I also found that Medvet did not have reasonable steps in place to protect personal information.

The Deloitte report includes detailed information highlighting the three separate failings of the Medvet system and how these occurred and were addressed. The report substantiated the information provided to me by the ‘industry figure’. However, I did not agree with Deloitte’s findings that customers could not be identified because no names were released. Contrary to this, I formed the view that in this case, the exposed address information could be enough to identify an individual. This is a significant difference between the Deloitte report and my investigation. It was also the basis of my finding that Medvet had breached the Privacy Act.

This case sends a warning to all businesses that they need to seriously consider the privacy impact of new systems as customer trust can be seriously eroded if a privacy breach like this occurs.