Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Complaint Determination No 4 of 2004

Federal Privacy Commissioner April 2004 Complaint Determination No. 4 OF 2004Parties to the complaint Complainants Respondent HistoryBackground, allegations and remedies soughtThe LawInvestigation processGeneral considerationsFindings Small business provisions Collection necessary for functions and act...

pdfComplaint Determination No 4 of 2004

Federal Privacy Commissioner April 2004

    Complaint Determination No. 4 OF 2004Parties to the complaint

    HistoryBackground, allegations and remedies soughtThe LawInvestigation processGeneral considerationsFindings

    Small business provisions

    Collection necessary for functions and activities

    Collection issues

    Use and disclosure of personal information

    Determination

    Complaint Determination No. 4 of 2004

    1. Made under the Privacy Act 1988 (Cth) (the Privacy Act) section 52.

    Parties to the Complaint

    Complainants

    2. The Tenants' Union of Queensland Inc, Tenants' Union of NSW Co-op Ltd; and

    Respondent

    3. TICA Default Tenancy Control Pty Ltd.

    History

    4. This determination relates to a complaint lodged by the Tenants' Union of Queensland Inc (TU QLD) in February 2003 under section 36 of the Privacy Act.

    5. The respondent to the complaint is TICA Default Tenancy Control Pty Ltd (TICA). As set out below (see [10]) TICA's business activities involve the collection, use and disclosure of personal information. It is complained that certain acts and/or practices of TICA may be an interference with the privacy of individuals.

    6. The complaint is a representative complaint, lodged pursuant to section 38 of the Privacy Act. TU QLD has identified the class of members to the representative complaint as those people:

    • applying to rent a house through a real estate agency that is a member of TICA and if successful, will be listed on the tenancy agreement; or

    • who will be or are living in a house rented through a real estate agency that is a member of TICA, but their names appear on the tenancy agreement as 'occupants' rather than 'tenants'.

    7. I also received a complaint made by the Tenants' Union of NSW Co-op Ltd (TU NSW). The individual who is the subject of that complaint fell within the class of members identified by TU QLD and, accordingly, that complaint was dealt with as a part of the representative complaint brought by TU QLD1.

    8. I decided to investigate the relevant acts and practices of TICA pursuant to section 40 of the Privacy Act, being satisfied that there was an act or practice which may have been an interference with the privacy of an individual and that the complaints received were validly made under section 36 of the Privacy Act.

    9. I am also satisfied that the requirements for the making of a representative complaint, set out in section 38 of the Privacy Act, have been met.

    1. I note that section 38C of the Privacy Act gives me the power to amend a complaint so that it can be dealt with as a representative complaint. In the event that it is necessary to amend the complaint received from TU NSW so as to make it a part of the wider representative complaint, I would do so pursuant to s 38C of the Privacy Act.

    Background, allegations and remedies sought

    10. TICA is one of a number of organisations that operates what is known as a tenancy database. Its Tenancy History Database holds personal information about many thousands of Australians relating to alleged defaults on tenancy agreements, including failures to pay rent or damaging property. It also holds personal information about applicants for tenancies in what is known as the Enquiries Database. TICA collects personal information about tenants and applicants from property managers that are 'members' of TICA and makes the personal information it holds on its database available to its members for a fee.

    11. The complainants allege that the collection of personal information from prospective occupants is unnecessary for the functions and activities of TICA and consequently a breach of National Privacy Principle (NPP) 1.1 (set out below at 18). They argue that the collection of information concerning the 'enquiries' made by real estate agents, as a result of an individual's tenancy application, is unnecessary for any of TICA's functions and that this allows TICA to become a 'history database' rather than a record of defaults.

    12. Further, the complainants question TICA's collection process, including the forms of notice and consent used, and they argue that if these are inconsistent with the Privacy Act then TICA is also using and disclosing personal information in ways that are inconsistent with the Privacy Act.

    13. As required by section 38(2) of the Privacy Act, TU QLD set out in its complaint the remedies it is seeking. These are a declaration by the Privacy Commissioner that:

    • TICA will cease to use its current forms, known as Privacy Act Acknowledgment for Tenants and Privacy Act Acknowledgment for Occupants Only and will develop new forms to meet its obligations under NPP 1.5;

    • will prevent TICA from collecting personal information about tenancy applications in its Enquiries Database; and

    • will prevent TICA from collecting personal information about people who are listed as occupants on a tenancy agreement.

    The law

    14. The NPPs in Schedule 3 of the Privacy Act outline standards for handling personal information that legally bind organisations, as defined by section 6C(1) of the Privacy Act.

    15. Section 13A of the Privacy Act specifies that an act or practice of an organisation is an interference with the privacy of an individual if the act or practice breaches an NPP in relation to personal information that relates to that individual.2

    16. The issues in this complaint are whether TICA is: collecting personal information that is not necessary for one or more of its functions or activities; relying on an invalid form of consent when collecting personal information from tenants and occupants; failing to fully comply with the notice requirements in NPP 1.5; and using and disclosing personal information for secondary purposes that are not related to the purpose of collection and would not be 'reasonably expected' by the individual concerned and is therefore breaching NPP 2.1(a).

    17. NPP 1 deals with the collection of personal information. It limits collection of personal information to that which is necessary, specifies how personal information may be collected and requires organisations to provide information that will assist individuals to make informed choices about whether to provide personal information or at least to be aware, to the extent that is reasonable, that information about them has been collected.

    18. NPP 1.1 states that:

    An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.

    2. TICA is not bound by an approved privacy code in terms of section 13A(b)(ii) of the Privacy Act.

    19. NPP 1.2 states that:

    An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

    20. NPP 1.3 states that:

    At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:

    1. the identity of the organisation and how to contact it; and
    2. the fact that he or she is able to gain access to the information; and
    3. the purposes for which the information is collected; and
    4. the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and
    5. any law that requires the particular information to be collected; and
    6. the main consequences (if any) for the individual if all or part of the information is not provided.

    21. NPP 1.4 states that:

    If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

    22. NPP 1.5 states that:

    If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.

    23. NPP 2 allows organisations to use or disclose personal information freely for the purpose for which it was collected but limits secondary uses and disclosures to specified circumstances including those the individual would expect. This is set out in NPP 2.1(a).

    24. NPP 2.1(a) states that:

    An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection: unless

    1. both of the following apply:
    1. the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary;
    2. the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose.

    25. Section 6D(1) of the Privacy Act defines a small business as one with an annual turnover of '$3,000,000 or less'. Sections 6D(3) to 6D(9) of the Privacy Act provides for a small business to be classed as 'a small business operator' and therefore not subject to the Privacy Act except in specified circumstances, including where an organisation trades in personal information.

    26. The Privacy Act also provides that small businesses which are subject to the Privacy Act would not be subject to the provisions of the NPPs until 21 December 2002. Consequently, when investigating this complaint I have been restricted to examining evidence relating to the acts and practices of TICA which occurred after 21 December 2002 except where the Privacy Act provides otherwise.

    27. In this regard with respect to small businesses:

    • section 16D(2) of the Privacy Act provides that NPP 1 only applies to personal information collected after 21 December 2002; and

    • section 16D(4) of the Privacy Act provides that NPP 2 applies to personal information collected after 21 December 2002.

    28. Section 52 of the Privacy Act provides that after I have investigated a complaint I may make a determination:

    • dismissing the complaint; or

    • finding the complaint substantiated and making a declaration that:

    the conduct should not continue or not be repeated; and/or

      the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant; and/or

      the complainant is entitled to compensation for any loss or damage - including injury to the complainant's feelings or humiliation suffered by the complainant.

      29. It is also within my powers under section 27 of the Privacy Act to make recommendations which will promote compliance with the NPPs.

      Investigation process

      30. Section 40(1A) of the Privacy Act provides that I must not investigate a complaint where the complainant has not first complained to the respondent, unless I consider that it was not appropriate for the complainant to have done so. In the present case, I am aware that TU QLD has had ongoing contact with TICA in relation to a number of privacy issues arising out of its activities and that this contact may be considered to be by way of 'complaint'. To the extent that the present complaint falls beyond those 'complaints' made to the respondent, which I note have not resulted in the resolution of these matters, I am satisfied that the complex nature of the issues raised and their significance for the rights of the people concerned makes it inappropriate for them to be the subject of direct complaint to the respondent.

      31. My Office's investigation of this complaint involved the following:

      • formally advising the parties that I was opening an investigation into the complaint under section 40(1) of the Privacy Act and inviting the parties to respond;

      • gathering evidence and considering information provided by TU QLD, TU NSW, the individual complainants and TICA in submissions or in response to matters raised by my staff or the complainants;

      • providing the respondent and complainants with opportunities to comment on an initial preliminary view on the complaint in September 2003;

      • visiting TICA's premises to discuss the issues raised in the complaint, to observe its database in practice and gather additional information about the operation of the database;

      • providing the parties with the current Office position on the complaint in February 2004 following changes in some aspects of the draft decision since the preliminary view of September 2003 and extending an invitation to make oral and/or written submissions before a determination was made;

      • holding a hearing on 3 March 2004 affording the parties the opportunity to appear before me - TU QLD and TU NSW accepted the invitation to appear at the hearing;

      • considering written and oral submissions and gathering information to clarify claims made by the parties;

      • providing the primary representative complainant (TU QLD) and TICA with the opportunity to see information and submissions provided by the other party;

      • pursuant to section 43(5) of the Privacy Act and the principles of procedural fairness, providing the parties with a revised preliminary view in relation to the complaint in March 2004 and a final opportunity to comment before I finalised the determination;

      • holding a further hearing on 8 April 2004 affording the parties the opportunity to appear before me - TICA accepted the invitation to appear at the hearing; and

      • providing TICA and TU QLD with copies of the submissions, excluding some material that involved personal information of third parties, made by the other party in response to the March preliminary view.

      General considerations

      32. Before setting out my findings and reasons in relation to this complaint I will make some general comments about the context in which this complaint is made.

      33. Housing is essential for all people and is one of the basic human rights set out in the Universal Declaration of Human Rights.3 The operation of tenancy databases is controversial because of their perceived impact on the ability of individuals listed on the databases to obtain housing. On the other hand tenancy databases, such as TICA, can be seen as a legitimate risk minimisation tool for property managers.

      34. A number of the NPPs relevant to this complaint require an assessment of 'reasonableness' (for example, the 'reasonable steps' required of an organisation under NPP 1.3). I take the view that in making an assessment of 'reasonableness', it is appropriate to take into account the purposes for which personal information is collected and the consequences for the individuals concerned. In this case my conclusion is that tenancy databases, such as the one operated by TICA, do have an impact on an individual's ability to obtain housing; my understanding is that this is part of the intention when establishing such databases.

      35. However, this is only one factor I will take into account. I will consider the overall intention of the Privacy Act including that business needs to be able to operate efficiently and effectively and that the NPPs are high level principles and are not prescriptive in how they apply.

      36. In this complaint I need to consider TICA's functions, activities and purposes of collecting, using and disclosing tenancy application and tenancy history information and decide if it can lawfully collect information about tenants and approved occupants and for what purposes that information may be used or disclosed. I also need to assess its collection processes with respect to NPP 1.

      37. It is relevant to note that this complaint is against TICA, not its members. Accordingly, I will not consider how the NPPs apply to the acts and practices of its members. That would be the subject of separate investigation should such a complaint be made against a member. I acknowledge TICA's request in its submission in response to the March preliminary view that it be advised about practices of its members that may be breaches of the Privacy Act so that it can assist to address these practices.

      38. I have set out below issues that this complaint raises together with information, evidence and discussion about the application of the law that I consider relevant to the question of whether TICA complies with its obligations under NPPs 1 and 2.

      3. Article 25 Universal Declaration of Human Rights available at http://www.un.org/Overview/rights.html.

      Findings

      Small business provisions

      39. I find that TICA is an 'organisation' as defined by section 6C(1) of the Privacy Act, and is accordingly bound by the NPPs.

      40. TICA does not fall within the exemption to the Privacy Act which applies to 'small business operators'.4 TICA is a 'small business' in terms of the Privacy Act, in that it's annual turnover is '$3,000,000 or less'. However, as TICA trades in personal information, it does not fall within the definition of 'small business operator' by virtue of section 6D(4)(c) of the Privacy Act. 5

      41. Because of the delayed application of the NPPs to small business, it is open to TICA to decide that it will use and disclose personal information collected before 21 December 2002 without taking account of NPP 2. However, if it adopted that approach it would need to have in place practices to distinguish between listings that are not subject to the Privacy Act and those that are. I understand that in practice TICA does not make a distinction between personal information collected pre and post 21 December 2002.

      4. I note that TICA was asked to make any submissions or provide any material to me in relation to this exemption. I did not receive any submissions or material in relation to this issue. 5. I note that section 6D(4)(c) of the Privacy Act does not prevent a body corporate from being a 'small business operator' only because it discloses personal information with the consent of the individual, or as required or authorised under legislation. I am not satisfied that TICA has the consent of all of the individuals whose personal information appears on their database (in particular, those individuals whose personal information was collected before 21 December 2002) and is disclosed to TICA's members. I note that TICA has not claimed that it does have such consent, although it was given the opportunity to do so.

      Collection necessary for functions and activities

      42. As noted above (see [10]) TICA holds two separate databases of personal information (to be referred to as 'the database'). The Enquiries Database lists tenancy applications made by prospective tenants and prospective approved occupants. The Tenancy History Database is a record of the tenant's behaviour during the tenancy. The Enquiries Database contains identifying information about the individual and the name of the member with which the prospective tenant lodged the application. Once the TICA member has searched the Tenancy History Database the prospective tenant's details are automatically updated to the Enquiries Database.

      43. TICA states its functions and activities include the facilitation of 'proper assessment of risk by landlords and agents and the determination of the suitability of an individual for tenancy of a premises'.

      44. TICA has advised that it is 'a tenancy history database that allows its members to store and recall information about tenants and their tenancy history. Members are able to list tenants on the TICA database for various categories both good and bad'.

      Collection of personal information - risk management

      45. The complainants allege that the collection of information about prospective tenants and prospective occupants is not necessary to TICA's functions or activities, as required by NPP 1.1. Further, the complainants deny that the Enquiries Database is a legitimate risk assessment tool and argue that the Enquiries Database has limited utility in assessing the risk of prospective tenant and that the main method of assessing risk is via the Tenancy History Database. The complainants also state that 'the only possible reason we can see for TICA arguing that the Enquiries Database is consistent with the primary purpose of assessing the risk of a prospective tenant, is if the database is used as a positive reporting mechanism'.

      46. TICA states that the Enquiries Database also enables its members to assess the validity of tenancy applications. It advises that members' searches of the Enquiries Database are used as a risk management tool to confirm the accuracy of information provided on the tenancy application form. TICA states that the Enquiries Database was established in 1998 and contains more than 13 times the number of records contained in the Tenancy History Database. TICA states that the collection of information about tenancy applications is vital to TICA's operation because it forms part of the risk management service TICA provides to its members. TICA claims that the Enquiries Database helps in the following risk situations:

      • where individuals who have made a large number of tenancy applications may have done so because they have an adverse tenancy history and this is an indication that robust reference checking and rental history validation may be required;

      • where a person has a default and the next tenancy is taken out in their partner's name - this may come to light when members search for listings in relation to the prospective tenant's partner or other family members; and

      • where applicants attempt to falsify information, for example about where they have been living.

      47. I acknowledge the complainants' argument that a history of numerous applications does not automatically mean an individual is a bad tenancy risk. The listing of numerous applications may be as a result of other factors or considerations such as a tight rental market. It may also indicate that an individual wanted to 'shop around' for a property and make applications at a number of locations. However, these limitations to the utility of the database do not mean that it cannot be considered to be a legitimate 'risk management' tool.

      48. The meaning of the word 'necessary' in the context of NPP 1.1 has not been judicially considered. I note, however, the comments of Gummow J in General Newspapers Pty Limited and Others v Telstra Corporation (1993) 117 ALR 629 (considering the meaning of 'necessary' within section 236(1) of the Telecommunications Act 1991):

        The term 'necessary' will take its colour from its context; in ordinary usage it may mean, at one end of the scale, 'indispensable' and at the other end 'useful' or 'expedient': Re an Inquiry under the Company Securities (Insider Dealing) Act 1985 [1988] AC 660 at 704.

        49. I find that the use of the word 'necessary' in the present context falls between the two ends of the scale identified by Gummow J. In my view it does not require that the information be indispensable to an organisation, in that, without such information, it would be impossible to carry on its business. It will not, however, be sufficient to show that the information is merely 'useful' or 'expedient'. Rather, determining whether or not the collection of personal information is 'necessary' requires consideration of whether or not it is clearly appropriate and relevant to the functions or activities of the organisation.6 In my view, information that is only of marginal relevance to the functions or activities of an organisation is more likely to be considered unnecessary for the purposes of NPP 1.1. It will also be relevant to consider whether or not the functions or activities of the organisation can be reasonably performed in a manner which does not require the collection of personal information. It may also be relevant to consider whether the information is of a sensitive nature such that it may be considered to be more invasive of a person's privacy.

        50. In the present case, I find that, on balance, the collection of personal information for the purposes of the Enquiries Database is clearly appropriate and relevant to the functions and activities of TICA. I do not believe that the information could be said to be of only marginal relevance, nor do I find that the functions or activities of the organisation could be performed in a manner which does not require the collection of this personal information, as it would diminish the utility of the service provided by TICA. I therefore find that the collection of the information is 'necessary' for the purposes of NPP 1.1.

        51. I note that concern has been raised by TU QLD in its submissions in response to my March 2004 preliminary view as to a statement made by TICA in relation to the use to which it puts the information contained in its Enquiries Database. The statement made by TICA is that the information is also used for purposes including to pursue tenants who have absconded owing money, or to argue against a tenant's claim in a tribunal that they cannot obtain accommodation elsewhere. TU QLD states its concern that the database is being used for a completely different purpose to that of prospective risk assessment.

        52. This concern appears to me to be well founded. TICA agrees its primary purpose in collecting information is for the purpose of risk assessment and it would appear that the use of the information in the manner described by TICA may be a breach of NPP 2 which limits the ability to use information for a secondary purpose. I would strongly recommend that TICA gives very careful consideration to this aspect of its operations. However, I do not proceed to make any finding on this issue at present as it was not a matter which was fully canvassed in the course of my investigation, which concerned itself primarily with the question of whether or not the Enquiries Database was 'necessary' for TICA's functions under NPP 1.1.

        6. I note, for example, that in the context of the Income Tax Assessment Act 1936 (Cth), under which it is necessary for a loss or outgoing to be 'necessarily incurred in carrying on a business' for it to be an allowable deduction, it has been held that 'necessarily' means 'no more than "clearly appropriate or adapted for"': Ronpibon Tin NL v Federal Commissioner of Taxation (1949) 78 CLR 47, 56.

        Collection of non-negative personal information and including information about occupants in the Tenancy History Database

        53. The complainants argue that risk assessment only needs an examination of defaults. They claim that in their experience any listing with TICA will have an adverse affect on an individual and as such, any argument that it is a 'history database' is misplaced; the public perception is that it is a 'default database' and contains the details of 'bad' tenants. The complainants allege that the 'default database' perception is reinforced by its name, TICA Tenancy Default [their emphasis] Control Pty Ltd.

        54. On this basis the complainants argue that as TICA is a default database it should be precluded from collecting personal information about individuals that is not negative in nature as this is not necessary to the default function. In particular they argue against any collection of personal information about tenancy applications. They also argue that information about occupants should not be included on the Tenancy History Database.

        55. In this regard, TICA has advised that it currently does not allow any listings about occupants in its Tenancy History Database. It offered the clarification that in States other than Queensland, an approved occupant who by their actions, for example continuing to pay rent after the actual tenant left or attending periodical inspection, had in effect become the tenant could be listed on the Tenancy History Database. TU QLD claims that it has knowledge of an occupant being listed on the Tenancy History Database however it has not provided evidence of this and at this stage I have no other evidence to suggest that occupants are listed on the Tenancy History Database. I am satisfied that TICA does not now accept listings about approved occupants except in the circumstances noted above and I have therefore not considered the question as to whether NPP 1.1 would allow information about occupants to be included in the Tenancy History Database. Nonetheless, I believe it would be reasonable for TICA to conduct an examination of the Tenancy History Database to ensure that all individuals listed on the database were tenants, not occupants and to remind members that occupants cannot be listed on the Tenancy History Database.

        56. I also note in respect of this issue that the Privacy Act Acknowledgment for Occupants Only that TICA's members use to meet their own obligations under NPP 1.3 and TICA's obligation under NPP 1.5 does state that the details of an approved occupant may be included in TICA's database where there has been a breach of a tenancy agreement. I consider that the current wording is a misstatement of TICA's purpose in collecting information about occupants. I consider that, amongst other things, it is poor privacy practice to allow a document that may be misleading to be in circulation. In its April 2004, submission in response to the March preliminary view, TICA acknowledged that the form was incorrect and advised that it would rectify this matter.

        57. In this complaint, about NPP 1.1, I need to consider the nature of an organisation's functions and activities, not how they are represented to the public; although this is an issue in terms of NPPs 1.3 and 1.5 which require organisations to advise the 'purposes for which the information is collected'.7 NPP 1.1 allows an organisation to collect personal information where it is necessary for 'one or more of its functions or activities'. I have considered above what is, in my view, the proper meaning of the word 'necessary' in this context (see 48-49).

        58. I do not consider that a business name limits what can be considered as an organisation's functions and activities for the Privacy Act. While an organisation's name is one factor I can take into account in forming a view about the nature of an organisation's functions or activities, it is not the only factor. I must also consider what the organisation says it does and what it actually does. TICA advises that it allows its members to 'list various categories both good and bad'. It also advises that the Enquiries Database is used as a risk management tool.

        59. As noted above, my conclusion is that TICA can include personal information about applicants in its Enquiries Database as this can be considered necessary to its risk management function. The NPPs require the collection of personal information to be necessary for 'one or more of its functions or activities', not for each of its functions. However for completeness I make the following comments about the question of whether TICA operates a default database or a tenancy history database or both.

        60. With the exception of Part IIIA, the Privacy Act does not prevent an organisation to which the Privacy Act applies from establishing a database of positive information about individuals although such a database would need to be operated in accordance with the NPPs. TICA asserts that its functions or activities include collecting 'good' listings - that is that it operates a history database as well as a default database. I am satisfied that TICA's processes are meant to allow positive listings and that this is relevant to a proper assessment of risk - they may, of course, balance negative comments. I am also satisfied that the database does contain some positive listings. While TICA advises that its members do not often use the facility, this is not determinative.

        61. On balance, I find the collection of non-negative personal information is relevant to the functions and activities of TICA. I do not believe that positive information about individuals could be said to be of only marginal relevance. I therefore find that the collection of the information is 'necessary' for the purposes of NPP 1.1.

        7. TICA's use of the listing 'Tenancy History only' is considered in Determination No.3 of 2004

        Findings in relation to NPP 1.1

        62. For the reasons set out above I find that the compilation of both the Enquiries Database and the inclusion of non-negative comments on the Tenancy History Database are 'necessary' to one or more of TICA's function and activities and consequently that TICA has not breached NPP 1.1. I find that with respect to this part of the complaint that the complaint is not substantiated.

        Collection Issues

        63. The complainants allege that TICA is relying on consent that is given in unfair and possibly coercive circumstances and is therefore not valid consent for the purposes of the Privacy Act. They also allege that TICA's NPP 1.5 notice is inaccurate and possibly misleading.

        64. The allegations are based on the information set out in the Privacy Act Acknowledgment for Occupants Only and Privacy Act Acknowledgement for Tenants that prospective tenants and prospective occupants are required to sign when applying for a tenancy through a TICA member organisation. I find that these forms were developed by TICA and that TICA asks its members to use the forms to assist TICA to meet its NPP 1.5 obligations. I also note that the complainants' advice that these forms are also used by other participants in the accommodation sector.

        Consent and Method of Collection

        65. The complainants have observed that potential tenants and approved occupants are required to sign the Privacy Act Acknowledgement for Tenants or the Privacy Act Acknowledgment for Occupants Only as appropriate. The complainants claim that a tenancy application will often not proceed unless the forms are signed. Consequently, individuals cannot make an application without agreeing to have their details included on the Enquires Database or agreeing to have reports of their behaviour as tenants listed on the Tenancy History Database.

        66. The complainants have therefore queried the nature of the consent that might be gained by tenants' or occupants' signatures on these forms and in particular if it is an acceptable form of consent for TICA to rely on when collecting personal information or when using or disclosing personal information for particular purposes.

        67. I note the point made by the complainants that 'consent' is given in circumstances where a failure to 'consent' is likely to result in a person's application for tenancy being, in effect, refused. TICA in its April 2004 submission argues that a failure to give consent results in applications simply not proceeding, rather than being refused (which would only happen after an application is assessed). Either way, I note that NPP 1 does not explicitly require organisations to seek consent to the collection of personal information. The requirement imposed by NPP 1.2 is that organisations must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

        68. In the present case, the collection of personal information is being conducted by TICA's members, not TICA. That information is then provided by the members to TICA for inclusion in the relevant database. While the 'Privacy Act acknowledgement forms' were developed by TICA, and it is TICA that requires its members to use the form, this does not alter the fact that the collection of information is carried out by TICA's members rather than by TICA. Any complaint in relation to the manner of collection of personal information from tenants by TICA's members should therefore be made against those members and would be the subject of a separate investigation should such a complaint be made to me. I therefore find that TICA is not in breach of NPP 1.2 in relation to this complaint.

        69. In the event that I am wrong on this point, and TICA can be said to be responsible for collecting personal information from tenants for the purposes of NPP 1.2, my view is that there has been no breach of that principle. I acknowledge there may be negative consequences for not completing the 'Privacy Act acknowledgement form' (namely that a tenant's application will not be processed). I do not, however, consider that this renders the collection process 'unfair' or 'unreasonably intrusive' in terms of NPP 1.2. While, for the reasons below, I believe that the 'Privacy Act acknowledgement forms' used by TICA's members are deficient, my conclusion is that they are not so inadequate as to make the collection of personal information unfair.

        Notice when collecting from third parties

        70. NPP 1.5 is applicable when organisations are collecting personal information from third parties; that is when they are asking someone other than the individual concerned to provide information about that individual. NPP 1.5 requires organisations to take reasonable steps to ensure that an individual has been made aware of the matters set out in NPP 1.3.

        71. The complainants have taken the Privacy Act Acknowledgement for Tenants or the Privacy Act Acknowledgment for Occupants Only to be a notice provided by TICA to meet its obligations under NPP 1.5 and allege that the notices breach NPP 1.5 in the following respects:

        • the notices address more than one purpose;

        • they mention disclosures to debt collectors and other unspecified databases which appears to be contrary to TICA's privacy policy which states that it provides information to individuals or companies only for the purpose of assessing a tenancy application;

        • they imply that removal of information from TICA's database is entirely at TICA's discretion and does not acknowledge the requirements of the Privacy Act in this regard;

        • they imply that listings will only occur if there is a breach of a tenancy agreement, whereas listings may occur for other reasons, for example when the individual enters into a payment arrangement or becomes bankrupt;

        • they require individuals to 'agree, acknowledge and understand' that there is a specific cost in making phone calls to TICA; and

        • the forms cover matters that are not required by NPP 1.3, for example in relation to cost of calls and the removal of information from the database, and these matters should be excluded from the forms.

        72. Neither NPP 1.3 nor NPP 1.5 specifies how notice of the matters set out in NPP 1.3 is to be given. In particular, there is no limitation in the Privacy Act as to what information may be given to an individual (either generally or particularly in relation to the collection of their personal information). It is, in my view, permissible to set out more than one 'purpose' on a form - in this case collecting personal information for inclusion in an Enquiries Database and a Tenancy History Database - provided that the NPP 1.3 matters are properly addressed for each of the purposes. This is clear from the wording of NPP1.3(c) which refers to 'the purposes for which the information is collected' (emphasis added).

        73. However, the difficulty with seeking to rely on a form to satisfy a number of purposes is that its terms may become prone to misinterpretation. In the present case, it would appear that the 'Privacy Act acknowledgement forms' aim to advise individuals both about the collection and use of their information by TICA's members, and subsequently by TICA itself. My understanding is that disclosures made to debt collectors or other tenancy databases are generally made by property managers, rather than TICA. TICA in its April 2004 submission confirms this view and also argues that this is clear from the form, which says

          '...the database member discloses that in addition to any information being supplied to a database company other organisations may receive information from time to time. Other organisations may include debt collection agencies, insurances companies, government departments and other landlords or agents.'

          74. I am not satisfied that the form makes the distinction between disclosures by members and disclosures by TICA clear and consequently I consider that those individuals who are reading the forms may find this information ambiguous or may be misled into thinking that TICA will disclose their personal information to other database operators or to debt collectors.

          75. Ultimately, the question I need to consider here is whether TICA has taken reasonable steps to ensure that individuals are aware of the matters set out in NPP 1.3. I find that the use of forms which are ambiguous and appear to be inconsistent with other published information about TICA's usual disclosures, constitutes a failure to take reasonable steps to inform individuals about the matters listed in NPP 1.3(d). I therefore find that TICA has breached NPP 1.5. 8

          76. The complainants also argue that the forms do not properly describe the nature of the personal information that TICA will collect; for example the acknowledgement does not mention payment arrangements or bankruptcies. Under NPP 1.5, TICA must take reasonable steps to ensure individuals are made aware of the matters listed in NPP 1.3.9 In my view, to be found to have taken 'reasonable steps' to ensure the necessary level of 'awareness' required by NPP 1.3, it is necessary that the relevant personal information be properly identified (or identifiable).

          77. The information about the nature of the personal information that TICA collects from its members (over and above the information contained in the tenancy application forms themselves) is found on the acknowledgement forms which state:

            I/we understand that TICA... is a database company that allows its members access to information accumulated from members about tenants who have breached their tenancy agreements.

            8. As I have previously noted, the issue of whether or not TICA's members are breaching NPP 1.3 by using the Privacy Act Acknowledgment forms is beyond the scope of this determination. 9. There is an exception to NPP 1.5, namely that there is a threat to life or health, which is not relevant here.

            78. In my March preliminary view I noted that TICA currently provides over 20 possible categories to report on tenants' behaviour only one of which is specifically mentioned, namely a breach of a tenancy agreement. I accept TICA's clarification in its April 2004 submission that the 'breach of tenancy agreement' is in fact a summary of a number of listing categories that describe particular breaches of a tenancy agreement rather than a reference to the particular category 'broke tenancy agreement'. However, I am also satisfied that the term 'breaking tenancy agreement' is not an accurate summary of all the circumstances in which TICA's members may list individuals. In particular, in my view it does not encompass the listings for:

            • bankruptcy;
            • entered into a payment arrangement;
            • satisfactory payment history;
            • current tenant;
            • recommended tenant; or
            • rental bond claim.

            79. I also note TICA's assertion in its April 2004 submission that information about listing categories, other than the reference in the 'Privacy Act acknowledgement form', is available to Tenants. TICA was concerned that the discussion in the preliminary view did not refer to these other sources of information which are:

            • TICA Privacy Statement for Tenants;
            • Courtesy letter to a Tenant;
            • What is a default with TICA; and
            • Checklist Before you Consider Approving a Tenant or Occupant.

            80. My Office was aware of the forms listed above. As I noted at paragraph [72] above, neither NPP 1.3 nor NPP 1.5 specify how the obligations are to be met and it is open for information to be provided in different forms or in different locations. However, in my view, if an organisation provides the information required to meet its obligations on different forms or in different locations it would generally need to alert individuals to the fact the other information was available. I note here that there is no reference in the 'Privacy Act acknowledgement form' to the availability of the other documents mentioned. I understand that the 'TICA Privacy Statement for Tenants' is generally made available to tenants and occupants when they complete a tenancy application. However, TICA advised in its submission to me of 6 May 2003 that the document 'What is a default with TICA' is available on its web site and that 'a number of its members actually provide these statements to tenants on upon tenancy application being made'. The document 'What a tenant needs to know about TICA' is also available on TICA's web site. I have not been given evidence about the extent to which the 'courtesy letter to tenants' is made available to tenants or prospective tenants.

            81. Taking into account all of the circumstances, I find that TICA has not taken reasonable steps to properly identify for individuals the personal information which it collects, so as to enable an individual to be adequately made aware of the matters listed in NPP 1.3. Consequently, I find that TICA has breached NPP 1.5.

            82. In making this finding, I encourage TICA to continue to develop and provide detailed information, about the Privacy Act and TICA's obligations, for its members and for individuals who are or may become tenants or approved applicants. If, as is currently the case, some of the information is critical to whether TICA is meeting its obligation under NPP 1.5, it should seek to ensure that there are appropriate references to that information in the primary form.

            83. I have also considered the question of whether TICA has taken reasonable steps under NPP 1.5 to ensure that individuals are made aware of the particular matters set out in NPP 1.3(a) and NPP 1.3(b), which require organisations to advise individuals how to contact them and that they are able to seek access to personal information that organisations hold about them. In considering whether the steps are reasonable I have considered:

            • the steps TICA has taken;
            • the potentially serious consequences for individuals who are listed with TICA ;
            • the role that access plays in ensuring listings are accurate;
            • the requirements in NPP 6 to provide access and for charges not to be excessive; and
            • the advice from the complainants that many of those listed with TICA are in poor financial circumstances.

            84. The current acknowledgement form does advise individuals that TICA can be contacted via its 190 number and that there will be charges involved. However the forms do not advise individuals that they may access personal information about them that TICA holds, nor do they advise that the 190 number is a channel for access. TICA also provides access by responding, for a charge, to written requests. The forms do not currently advise that this channel is available or that this is generally the less expensive channel.

            85. TICA argues in its April 2004 submission that it does meet NPP 1.3(a) by providing its 190 contact number. I accept that TICA does provide individuals with one means to contact it. However, the requirement in the principle is for organisations to take 'reasonable steps'. In view of the nature of TICA's business and the impact that it may have on individuals' ability to gain housing, I consider it would be reasonable for TICA to also provide a mailing address. Consequently, I find that TICA has breached NPP 1.3(a).

            86. TICA's April 2004 submission did not dispute my preliminary view that it does not advise individuals, as required by NPP 1.3(b) that he or she can gain access to the personal information held by TICA in relation to them. I find that TICA has breached NPP 1.3(b). I also noted in my preliminary view that TICA had not provided information about how to gain access to the information. TICA does put the view in its April 2004 submission that there is no requirement in NPP 1.3 to provide individuals with information about how to gain access. In my view, the effect of NPPs 1.3(a) and 1.3(b) is to require that individuals are advised about how to gain access.

            87. Depending on the circumstances of collection, the information about how to contact organisations will usually be sufficient to satisfy the obligations. However, in my view there are a range of factors that indicate that more steps are needed in this case. These are: the fact that TICA does have two access channels with varying costs; the important role that access provides in allowing individuals to exercise their privacy rights; the impact that a listing with TICA may have on ability to gain housing; and the poor economic circumstances of many of the individuals about whom TICA holds personal information.

            88. I therefore find, on balance, that TICA has not taken reasonable steps to ensure individuals are aware of the matters set out in NPP 1.3(a) and 1.3(b). Consequently, I find that TICA has breached NPP 1.5 in this regard.

            89. The complainants also argue that the 'Privacy Act acknowledgement form' should not include the reference to TICA's telephone contact charges as this requirement is not included in NPP 1.3. As noted above (see [72[), I do not consider that the inclusion of this information is a breach of NPP 1.3 or NPP 1.5, neither of which prevent such references.

            90. The complainants also consider that the current statement in the 'Privacy Act acknowledgement form' to the effect that removal of the personal information from TICA's database is at TICA's discretion should not be included as it is not one of the matters included in NPP 1.3 and it appears to be inconsistent with TICA's obligations to handle personal information in accordance with the NPPs. I do not consider that this statement is a breach of NPP 1.3 or other NPPs. I also note the advice TICA provided about this issue in its April 2004 submission to the effect that it does take account of the NPPs in deciding on its approach to removing personal information from its database. However, I do consider the statement on the form to be potentially misleading and I encourage TICA to remove this statement from the acknowledgement.

            Findings in relation to NPPs 1.2 and 1.5

            91. In summary my findings in respect to the complaint about TICA's collection practices are as follows:

            • the complaint that TICA is breaching the NPPs by relying on improper consent to collect personal information is not substantiated;
            • the complaint that TICA is collecting personal information by unfair or unreasonably intrusive methods in breach of NPP 1.2 is not substantiated;
            • the complaint that TICA is breaching NPP 1.5 by including unrelated information in a form that addresses the requirements of NPP 1.3 is not substantiated;
            • the complaint that TICA has breached NPP 1.5 by not taking reasonable steps to ensure individuals are aware of the matters set out in NPP 1.3, in particular in relation to the identification of the personal information it will collect, the organisations to which it will usually disclose and that individuals may gain access to personal information, is substantiated.

            Use and disclosure of personal information

            92. The complainants allege that TICA is failing to meet to the requirements of NPP 2.1(a) when it uses and discloses personal information from the Enquires Database in that the individuals concerned would not 'reasonably expect' that information about their unsuccessful tenancy application would be disclosed to TICA and stored on its database.

            93. However, the provision in the principles that limits uses or disclosures to those which individuals would reasonably expect only comes into play in relation to secondary purposes. NPP 2 does not limit the use and disclose of personal information for the primary purpose for which it was collected.

            94. As indicated above (see [50]), I am satisfied that the collection of personal information about tenancy applications, whether successful or not, is necessary for TICA's activity of providing a risk management service. It is also my view that the primary purpose of the collection of personal information about tenancy applications by TICA is to provide this risk management facility to TICA's members.

            95. TICA's members will need to consider if their disclosures to TICA are for a secondary purpose and if so if those disclosures meet the requirements of NPP 2.

            96. In the course of this investigation TICA also advised that it discloses personal information for a number of secondary purposes. As I discussed above (see [51-52] above) it would appear that the use of the information in the manner described by TICA may be a breach of NPP 2. However, as I noted above, I do not proceed to make any finding on this issue at present as it was not a matter which was fully canvassed in the course of my investigation.

            Findings in relation to NPP 2

            97. I find that disclosing the personal information of tenants and occupants for the purpose of permitting members to use the database to check an individual's application and tenancy history as part of a risk management activity is consistent with the primary purpose of collection by TICA. As such, I find that is there is no breach of NPP 2 which relates to 'secondary purposes' of collection in relation to this complaint.

            Determination

            98. In accordance with section 52(1)(a) of the Privacy Act, I determine that the complaint that TICA has breached NPP 1.1 by collecting personal information about tenancy applications that is unnecessary for any of TICA's functions is unsubstantiated and is therefore dismissed.

            99. In accordance with section 52(1)(a) of the Privacy Act, I determine that the complaint that TICA has breached NPP 1.1 by operating or claiming to operate a 'history database' rather than a database of defaults is unsubstantiated and is therefore dismissed.

            100. In accordance with section 52(1)(a) of the Privacy Act, I determine that the complaint that TICA has breached NPP 1 by collecting personal information without proper consent is unsubstantiated and is therefore dismissed.

            101. In accordance with section 52(1)(a) of the Privacy Act, I determine that the complaint against TICA which alleges that TICA has breached NPP 2.(1)(a) by using or disclosing personal information in ways that individuals would not reasonably expect is unsubstantiated and is therefore dismissed.

            102. I find that TICA has breached NPP 1.5 by failing to take reasonable steps to ensure that individuals are made aware the matters listed in NPP 1.3. I therefore find this element of the complaint substantiated and declare in accordance with section 52(1)(b)(i)(B) of the Privacy Act that TICA has engaged in conduct constituting an interference with the privacy of individuals who are members of the class identified in the complaint, I declare that TICA should not repeat or continue such conduct.

            103. The complainants have asked me to make a declaration requiring TICA to develop new forms to meet its obligations under NPP 1.5. I am not satisfied that I should do so. While I have declared that TICA should not repeat or continue conduct which constitutes an interference with the privacy of an individual, I do not, in my view, have the power under section 52(1)(b)(i)(B) to otherwise generally prescribe how TICA should act.

            104. I am also of the opinion that section 52(1)(b)(ii) does not provide the basis for making a declaration of the type sought by the complainants as to the future conduct of TICA. I am not, on the information presently before me, satisfied that there has been any identifiable loss or damage suffered by the complainants that would be redressed by a course of conduct required by such a declaration.

            105. However, I do consider the suggestion made by TU QLD to be helpful in assisting TICA to meet its NPP 1.5 obligations, promoting 'best practice' under the Privacy Act and allowing the members of the class upon whose behalf this complaint has been brought to be better informed about matters which are of potentially great significance to their rights.

            106. I would therefore encourage TICA to develop a revised acknowledgement form that more clearly sets out the matters specified in NPP 1.3 with particular reference to the nature of the personal information collected, how individuals may gain access to personal information about them and to whom TICA usually discloses personal information. If TICA wishes to use other documents or locations to provide some of the information, or more detailed information, it may be able to do this if there is appropriate cross-referencing between documents and sources of information.

            107. I also note that if TICA wishes to prepare the acknowledgement form in such a way that it may also be used as a collection notice by property managers, the form needs to be clear about whether the information relates to an obligation of TICA or an obligation or the property manager. I recommend that the acknowledgement form should also include:

            • information to clearly identify the personal information that is to be collected and used;
            • information about how individuals may resolve disputes about the accuracy, completeness or currency of TICA listings; and
            • information about individuals' right to complain to my Office if they are not satisfied with the outcome of the dispute resolution process.

            Malcolm Crompton Federal Privacy Commissioner

            Dated 16 April 2004