Finding:

Breach

Privacy — Privacy Act 1988 (Cth)

Finding:

1. I find that from 15 June 2020 to 24 August 2021, 7-Eleven Stores Pty Ltd (the�respondent) interfered with the privacy of individuals whose facial images and faceprints it collected through its customer feedback mechanism, within the meaning of the�Privacy Act 1988�(Cth) (Privacy Act), by:

collecting those individuals� sensitive information without consent, and where that information was not reasonably necessary for the respondent�s functions and activities, in breach of Australian Privacy Principle (APP) 3.3 failing to take reasonable steps to notify individuals about the fact and circumstances of collection and the purposes of collection of that information, in breach of APP 5.

Privacy —�Privacy Act 1988�(Cth) — Australian Privacy Principles — APP 3.3 — APP 5 — whether facial images are personal information — whether consent obtained for collection of sensitive information — whether collection of sensitive information was reasonably necessary for entity�s functions and activities — whether reasonable steps were taken to notify of APP 5 matters — breaches substantiated — requirement to destroy faceprints collected through the customer feedback mechanism

Privacy — Privacy Act 1988 (Cth) — Information Privacy Principles — IPP 4 — Data security failure — IPP 11 — Unauthorised disclosure of personal information — Breaches substantiated — s 52(1)(b)(iii) — Compensation awarded — s 52(4)(a) — Manner in which the amount of compensation payable to class members is to be calculated — s 52(5)(b) — Process for determining any dispute regarding the entitlement of a class member to the payment

Update: Notice to class members about an AAT review and stay of a determination in a representative complaint made by the Commissioner on 11 January 2021

Further information here

b. failing to take reasonable steps to notify individuals about the fact and circumstances of collection and the purposes of collection of that information, in breach of APP 5.

Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 10 — Part IIIA — Credit Reporting Code — Postpaid mobile telephone account — Account opened in complainant's name by unknown third party — Stolen identity documents used to open a postpaid account — Whether respondent took reasonable steps to ensure the accuracy of the personal information in the circumstances — Whether the respondent complied with the credit reporting provisions — No breach — Complaint dismissed.

b. interfered with the privacy of Australian individuals, by failing to:

Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 6 — APP 10 — APP 11 — Referral of file to mercantile agent for debt collection activities — Consideration of level of access to case management system — Application of 'need to know' principle — Purpose of collection and use — Reasonable expectation and directly related secondary purpose — Complaints information directly related to debt collection activities — Consideration of circumstances relevant to APP 11 — Contractual and legal non-disclosure obligations considered — Volume of cases and extent of activities considered — Reasonable steps taken — No breach.

i. collect sensitive information about an individual only where the individual consented to the collection (and the information was reasonably necessary for one or more of the entity�s functions or activities) (APP 3.3) in circumstances where no other exceptions applied to permit the collection (APP 3.4)

Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 6 — APP 11 — Alleged disclosure of health information — Whether reasonable steps taken to protect from unauthorised disclosure — No breach

Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 6 — APP 10 — APP 11 — Residential address disclosed to the complainant's former partner — Complainant had notified of separation from partner — Respondent considered separation unverified — Complainant's records linked with former partner — Domestic violence history — Whether reasonable steps to ensure accuracy of personal information — Whether reasonable expectation of disclosure — Whether reasonable steps to protect against unauthorised disclosure — Breach of APPs — Economic and non-economic loss — Compensation awarded —Apology required — Audit required.

ii. collect personal information only by lawful and fair means (APP 3.5)

Privacy — Privacy Act 1988 (Cth) — Australian Privacy Principles — APP 6 — APP 10 — APP 13 — Disclosure to an external debt collection agency — Breach of APP 6 — Debts overturned — Failure to take reasonable steps to notify another APP entity of debts overturned — Breach of APP 13.2 — Whether failure to accurately record preference for online communication — No breach of APP 10 — Compensation for non-economic loss awarded.