The OAIC can make determinations on privacy complaints where conciliation has not resolved the matter. These are the summary details of privacy determinations made under s 52 of the Privacy Act 1988 since 1 November 2010. The AustLII website provides a comprehensive database of privacy decisions as part of the Australian Information Commissioner (AICmr) series.
Total results: 56.
Remedies: Class members who made submissions and/or provided evidence of their loss or damage (Participating Class Members) and who have demonstrated that they suffered loss or damage as a result of the data breach, are to be paid compensation for non-economic loss under five categories of loss or damage, depending on the severity of the impact. Compensation for economic loss is to be paid on a case-by-case basis. The determination sets out the process to be followed by the Department when assessing and finalising claims from Participating Class Members to be paid compensation for loss or damage arising from the data breach.
Privacy — Privacy Act 1988 (Cth) — Information Privacy Principles — IPP 4 — Data security failure — IPP 11 — Unauthorised disclosure of personal information — Breaches substantiated — s 52(1)(b)(iii) — Compensation awarded — s 52(4)(a) — Manner in which the amount of compensation payable to class members is to be calculated — s 52(5)(b) — Process for determining any dispute regarding the entitlement of a class member to the payment
Update: Notice to class members about an AAT review and stay of a determination in a representative complaint made by the Commissioner on 11 January 2021
Finding: No breach
Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 10 — Part IIIA — Credit Reporting Code — Postpaid mobile telephone account — Account opened in complainant’s name by unknown third party — Stolen identity documents used to open a postpaid account — Whether respondent took reasonable steps to ensure the accuracy of the personal information in the circumstances — Whether the respondent complied with the credit reporting provisions — No breach — Complaint dismissed.
Finding: No breach
Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 6 — APP 10 — APP 11 — Referral of file to mercantile agent for debt collection activities — Consideration of level of access to case management system — Application of ‘need to know’ principle — Purpose of collection and use — Reasonable expectation and directly related secondary purpose — Complaints information directly related to debt collection activities — Consideration of circumstances relevant to APP 11 — Contractual and legal non-disclosure obligations considered — Volume of cases and extent of activities considered — Reasonable steps taken — No breach.
Finding: No breach
Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 6 — APP 11 — Alleged disclosure of health information — Whether reasonable steps taken to protect from unauthorised disclosure — No breach
Must not repeat or continue the conduct.
Issue a written apology to the complainant.
Engage an independent auditor to assess its policies, procedures and systems against the requirements of APP 11.
Pay the complainant $19,980 for loss caused.
Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 6 — APP 10 — APP 11 — Residential address disclosed to the complainant’s former partner — Complainant had notified of separation from partner — Respondent considered separation unverified — Complainant’s records linked with former partner — Domestic violence history — Whether reasonable steps to ensure accuracy of personal information — Whether reasonable expectation of disclosure — Whether reasonable steps to protect against unauthorised disclosure — Breach of APPs — Economic and non-economic loss — Compensation awarded — Apology required — Audit required.
Must not repeat that conduct.
Must pay the complainant $1,000 for loss caused.
Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 6 — APP 10 — APP 13 — Disclosure to an external debt collection agency — Breach of APP 6 — Debts overturned — Failure to take reasonable steps to notify another APP entity of debts overturned — Breach of APP 13.2 — Whether failure to accurately record preference for online communication — No breach of APP 10 — Compensation for non-economic loss awarded.
Remedies: Respondent should not repeat or continue that conduct.
Respondent must pay the complainant $2,500 for loss or damage suffered.
Privacy — Crimes Act 1914 (Cth) — Quashed convictions scheme — Disclosure by an individual to a court — Cease and desist letter sent to respondent before disclosure — Respondent reasonably expected to know about application of quashed conviction scheme to the complainant — Section 85ZU breached — Compensation awarded for non-economic loss — Aggravated damages not awarded.
Remedies: Prepare, implement and maintain a data retention and destruction policy, information security program, and incident response plan that will ensure the companies comply with the Australian Privacy Principles. Appoint an independent expert to review and report on these policies and programs and their implementation, submit the reports to the OAIC, and make any necessary changes recommended in the reports.
Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 11.1 — APP 11.2 — APP 1.2 — Extraterritorial jurisdiction — Unauthorised access to personal information by third party — Whether reasonable steps taken to protect personal information from unauthorised access — Whether reasonable steps taken to delete or de-identify personal information — Whether reasonable steps taken to implement practices, procedures and systems to ensure compliance with the APPs — Breaches substantiated — Requirement to prepare compliant Policies and Programs — Independent review of Policies and Programs