02/04/2025

‘ATQ’ and CEO of Services Australia (Privacy) [2025] AICmr 19
The CEO of Services Australia (Agency) has recently been found by the Australian Privacy Commissioner (Commissioner) to have interfered with a customer’s privacy after a series of issues involving the Agency intertwining customer records.
The privacy complaint arose in circumstances where, due to processing errors by Agency staff, the records of two customers were intertwined. The Agency explained that intertwining of records occurs where two customers share the same or similar personal details, such as name and date of birth (DOB), and the records are incorrectly updated with one of those persons’ details. The intertwining of the complainant’s records with those of another customer occurred on four separate occasions.
The Commissioner found these incidents of intertwining amounted to breaches of Australian Privacy Principles (APPs) 11.1, 10.2 and 6.1. In making her findings, the Commissioner considered what constituted the ‘reasonable steps’ the Agency was required to take to protect the complainant’s personal information from misuse, interference, loss and unauthorised access, modification or disclosure.
In respect of APP 11, the Commissioner observed:
- large Commonwealth agencies holding millions of customer records should expect some of their customers to share common names
- it is not impractical or unreasonably burdensome for large agencies to take reasonable steps to protect information from security risks given the size of and resources available to these agencies
- where instances of similar mishandling, including unauthorised disclosures, are repeated despite measures being taken to protect personal information, this indicates that those measures are inadequate and ineffective at protecting personal information
- examples of reasonable steps the Agency could have taken in the circumstances to proactively protect personal information from security risks arising from the intertwining of records include:
  - implementing system alerts and/or escalation processes before customer records can be amended
  - requiring additional ID checks for customers at a higher risk of record intertwining, for example, requiring them to have a unique password or phrase
  - requiring manual review and approval before certain customer records can be amended
  - routinely auditing customer intertwinement processes or decisions
  - providing additional, regular training and guidance to staff
In making a compensation award for non-economic loss, the Commissioner emphasised:
- the multiple interferences with privacy committed by the Agency compounded the distress suffered by the complainant; and
- the complainant was in a vulnerable position because he was required to continue providing the Agency with his sensitive information in order to access essential government services.
Although the Agency operates in a unique environment, this decision provides some useful guidance to all Commonwealth agencies on what constitutes “reasonable steps” to protect personal information held in customer records and how they can meet their obligations under APP 11.
If you’re concerned or have questions about your agency’s compliance with the APPs or the Australian Government Agencies Privacy Code, please contact our experienced privacy team.