The OAIC can make determinations on privacy complaints where conciliation has not resolved the matter. These are the summary details of privacy determinations made under s 52 of the Privacy Act 1988 since 1 November 2010. The AustLII website provides a comprehensive database of privacy decisions as part of the Australian Information Commissioner (AICmr) series.
Total results: 56.
1. I find that from 15 June 2020 to 24 August 2021, 7-Eleven Stores Pty Ltd (the respondent) interfered with the privacy of individuals whose facial images and faceprints it collected through its customer feedback mechanism, within the meaning of the Privacy Act 1988 (Cth) (Privacy Act), by:
   a. collecting those individuals’ sensitive information without consent, and where that information was not reasonably necessary for the respondent’s functions and activities, in breach of Australian Privacy Principle (APP) 3.3
   b. failing to take reasonable steps to notify individuals about the fact and circumstances of collection and the purposes of collection of that information, in breach of APP 5.
Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 3.3 — APP 5 — whether facial images are personal information — whether consent obtained for collection of sensitive information — whether collection of sensitive information was reasonably necessary for entity’s functions and activities — whether reasonable steps were taken to notify of APP 5 matters — breaches substantiated — requirement to destroy faceprints collected through the customer feedback mechanism
Respondent must not repeat or continue that act. Respondent must, within 60 days of the complainant notifying it of their banking details, pay the complainant $3,000 for non-economic loss.
Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 6 — Disclosure to third party without consent — Whether for related secondary purpose — Whether reasonable expectation of disclosure — Whether reasonable grounds to suspect unlawful activity or serious misconduct — Whether disclosure was reasonably necessary — Breach of APP 6 — Compensation for non-economic loss awarded.
Finding: No breach.
Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 6 — APP 11 — CCTV footage of retail pharmacy — Disclosure to complainant’s employer for identification — Purposes of detecting crime — Whether reasonable steps to prevent authorised disclosure — Size and type of entity considered — No breach — Complaint dismissed.
Remedies: Prepare, implement and maintain a data retention and destruction policy, information security program, and incident response plan that will ensure the companies comply with the Australian Privacy Principles. Appoint an independent expert to review and report on these policies and programs and their implementation, submit the reports to the OAIC, and make any necessary changes recommended in the reports.
Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 11.1 — APP 11.2 — APP 1.2 — Extraterritorial jurisdiction — Unauthorised access to personal information by third party — Whether reasonable steps taken to protect personal information from unauthorised access — Whether reasonable steps taken to delete or de-identify personal information — Whether reasonable steps taken to implement practices, procedures and systems to ensure compliance with the APPs — Breaches substantiated — Requirement to prepare compliant Policies and Programs — Independent review of Policies and Programs
Remedies: Respondent must not repeat or continue that conduct.
Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 10 — APP 13 — Inaccuracies in an Independent Medical Expert report for tribunal proceedings — Whether reasonable steps taken to ensure accuracy — Whether failure to respond to correction request within statutory timeframe — Breach of APP 13.5 — Complaint otherwise dismissed — Acknowledgement of interference with privacy — Inappropriate for any further action to be taken.
Remedies: Respondent should not repeat or continue that conduct.
Respondent must pay the complainant $2,500 for loss or damage suffered.
Privacy — Crimes Act 1914 (Cth) — Quashed convictions scheme — Disclosure by an individual to a court — Cease and desist letter sent to respondent before disclosure — Respondent reasonably expected to know about application of quashed conviction scheme to the complainant — Section 85ZU breached — Compensation awarded for non-economic loss — Aggravated damages not awarded.
Must not repeat or continue the conduct.
Issue a written apology to the complainant.
Engage an independent auditor to assess its policies, procedures and systems against the requirements of APP 11.
Pay the complainant $19,980 for loss caused.
Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 6 — APP 10 — APP 11 — Residential address disclosed to the complainant’s former partner — Complainant had notified of separation from partner — Respondent considered separation unverified — Complainant’s records linked with former partner — Domestic violence history — Whether reasonable steps to ensure accuracy of personal information — Whether reasonable expectation of disclosure — Whether reasonable steps to protect against unauthorised disclosure — Breach of APPs — Economic and non-economic loss — Compensation awarded — Apology required — Audit required.
Must not repeat that conduct.
Must pay the complainant $1,000 for loss caused.
Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 6 — APP 10 — APP 13 — Disclosure to an external debt collection agency — Breach of APP 6 — Debts overturned — Failure to take reasonable steps to notify another APP entity of debts overturned — Breach of APP 13.2 — Whether failure to accurately record preference for online communication — No breach of APP 10 — Compensation for non-economic loss awarded.
Finding: No breach
Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 6 — APP 11 — Alleged disclosure of health information — Whether reasonable steps taken to protect from unauthorised disclosure — No breach
Finding: No breach
Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 10 — Part IIIA — Credit Reporting Code — Postpaid mobile telephone account — Account opened in complainant’s name by unknown third party — Stolen identity documents used to open a postpaid account — Whether respondent took reasonable steps to ensure the accuracy of the personal information in the circumstances — Whether the respondent complied with the credit reporting provisions — No breach — Complaint dismissed.