Commissioner found CBA improperly used Complainant’s personal financial information to advance a Fair Work Commission case.
Commissioner found CBA data security practices were not sufficient in circumstances.
Commissioner ordered CBA to pay compensation of $10,000 to Complainant for non-economic loss.
On 25 November 2016, Australian Privacy Commissioner Timothy Pilgrim gave his determination regarding the case of a former employee (Complainant) who asserted that a principal of Commonwealth Bank (CBA) (being both her bank and her former employer) accessed her financial information without a legal primary purpose in order to advance their case against her in the Fair Work Commission.
CBA was found to have breached its obligations under two of the National Privacy Principles (NPP), being:
- NPP 2 – Use and Disclosure; and
- NPP 4 – Information Security.
Use and Disclosure
Under the NPP, use and disclosure of personal information about an individual for the primary purpose of managing a customer’s banking business is not a breach.
CBA argued that the numerous accesses by the principal to the Complainant’s financial information were related to assessing the Complainant’s home loan application and the provision of information to CBA’s security department.
The Complainant questioned, and the Commissioner agreed that, given the surrounding circumstances of the Fair Work Commission proceedings between CBA and the Complainant which involved the principal, the principal was not an appropriate person to conduct such investigations, and amounted to improper use.
Under the NPP, a business holding personal information must take reasonable steps to protect the information from misuse, loss, and from unauthorised access, modification, use or disclosure.
Because CBA’s information security practices had allowed the improper use to occur, the Commissioner was satisfied that CBA ought to have had other practices in place to protect the Complainant’s information from such misuse, and the data security practices were not reasonable.
Damages and Determination
The Complainant sought compensation for economic loss, non-economic loss together with aggravated damages.
Though the Commissioner was not satisfied that there was a basis for awarding compensation for economic loss or aggravated damages, the Commissioner considered it appropriate to award the Complainant compensation for non-economic loss on the basis of the type of information breached, and the resulting distress suffered by the Complainant.
The Commissioner made the following orders:
- A written apology to be issued to the Complainant within 6 weeks of the determination;
- CBA to review its information handling policies, particularly in respect of acknowledged or potential conflict of interest; and
- The Complainant is entitled to compensation of $10,000 for the non-economic loss suffered.
Although the facts in this case are a little unusual it is a timely reminder to employers that their obligations to protect the privacy of information they hold about an employee, which does not fall within the employee records exemption, continues after the employment ends, and in circumstances such as this matter extra measures may need to be taken to ensure the security of that information.
Post by Jack Guthrie, Sarah Jones and John Kell