Q and Financial Institution  AICmrCN 11 (22 December 2011)
The definition of personal information and disclosure of personal information
Section 6 and National Privacy Principle 2.1 in Schedule 3 of the Privacy Act 1988 (Cth)
The complainant contracted with a buyer to sell his car, which was under finance to a financial institution. The financial institution had taken an interest in the car as security for the complainant's loan.
The financial institution advised a prospective buyer of his car that it had been under finance but the account had recently been paid in full. The prospective buyer later obtained a letter from the financial institution confirming that it had received funds to finalise the account and, subject to the clearance of these funds, it would release its security interest in the vehicle in ten working days.
In providing this information to the prospective buyer, the financial institution denied disclosing the complainant's personal information because the letter it sent to the prospective buyer only contained details about the complainant's vehicle and did not mention the complainant's name or account number.
'Personal information' is defined in section 6(1) of the Privacy Act as information or an opinion whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
NPP 2.1 provides that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection, unless an exception in NPP 2.1(a)-(h) applies.
The Commissioner investigated the matter under section 40(1) of the Privacy Act.
To determine if the financial institution had disclosed personal information about the complainant, the Commissioner considered the particular circumstances in which the financial institution sent the letter to the prospective buyer.
The letter did not contain details such as the complainant's name, address or date of birth. However, it did contain information about the status of the complainant's account with the financial institution, and specifically, that funds had been received to finalise the account and the financial institution's security interest in the car.
At the time the letter was sent, the prospective buyer was aware that the complainant owned the car in question and the car had been under finance. The prospective buyer also had information confirming that the financial institution had a security interest in the complainant's car. However, the fact that the prospective buyer had previous knowledge of these details did not lessen the financial institution's obligation under NPP 2.1 to only disclose an individual's personal information for the primary purpose of its collection, or for a secondary purpose where it can rely on one of the exceptions at NPP 2.1(a) to (h).
The Commissioner formed the view that, in the circumstances, the prospective buyer could have reasonably ascertained that the details in the letter related to the complainant's account with the financial institution. On that basis, the information contained in the letter was personal information about the complainant.
Therefore, the Commissioner found that the financial institution had not complied with NPP 2 as it disclosed personal information about the complainant to the prospective buyer.
While the financial institution did not agree with the Commissioner's findings, it immediately ceased its practice of sending such letters to third parties without the written consent of the account holder.
The financial institution agreed to conciliate the matter under section 27(1)(ab) of the Privacy Act. In addition to its change in practice, it apologised and offered a goodwill payment.
Consequently the Commissioner closed the complaint under section 41(2)(a) of the Privacy Act on the ground that the financial institution had adequately dealt with the matter.
Office of the Australian Information Commissioner