Intrusive collection of personal information is a no-fly zone

In a recent determination, the Privacy Commissioner confirmed that intrusive gathering of personal information in a public forum may constitute a breach of privacy.

Philippa Hore and Marc Hertz, Maddocks Lawyers

---

Overview

The Office of the Australian Information Commissioner (OAIC) received a complaint by an individual against Aerocare Pty Ltd (AeroCare) about the collection and disclosure of his sensitive personal information.

The Privacy Commissioner held that AeroCare interfered with the privacy of the complainant by publicly asking him questions about his medical condition in the departure lounge.

The facts

The complainant is blind and uses a sighted guide and a seeing eye dog. He had undergone surgery for cancer and had to wear a medical device as part of his recovery. He had chosen not to disclose the details of his medical condition to anyone, as he wanted to keep it private.

AeroCare provides passenger services for Virgin Australia at the Sunshine Coast airport. The complainant booked a flight with Virgin Australia, travelling from the Sunshine Coast to Melbourne. He was carrying a letter from his treating hospital which stated that he had to wear the medical device.

In the departure lounge, an AeroCare staff member asked the complainant a series of questions about his medical condition, including the type of cancer he had and the location of the wound from the surgery. These questions were asked in the presence of the complainant's sighted guide and in close proximity to a number of passengers.

The issues

It was alleged that AeroCare had interfered with the passenger's privacy by:

• collecting his personal medical information in an unreasonable and intrusive manner;
• failing to advise him of the reason for the collection of his personal information; and
• disclosing his personal information to third parties in the departure lounge.

AeroCare responded, claiming that:

• it had not interfered with the complainant's privacy;
• the letter from the hospital did not contain the necessary medical information and so the staff member had to ask questions to determine whether it was safe for him to fly;
• the questions were asked at the departure lounge in order to minimise the complainant's inconvenience in moving to another location; and
• there was no evidence that other passengers had heard the complainant's answers.

The determination

The OAIC determined that AeroCare interfered with the complainant's privacy.

Specifically, the OAIC found that AeroCare had breached:

• NPP 1.2 (the equivalent of APP 3 — collection of solicited information), by collecting the complainant's information in an unreasonably intrusive way.
• NPP 1.3 (the equivalent of APP 5 — notification of the collection of personal information), by failing to take reasonable steps to ensure the complainant was aware of its identity or the reason it was collecting the information. AeroCare could not assume the complainant understood the information was being collected to determine his fitness to fly, and Virgin Australia's Conditions of Carriage and Privacy Policy did not provide the necessary details.
• NPP 4 (the equivalent of APP 11 — data security), by failing to take reasonable steps to protect the complainant's sensitive personal information from unauthorised disclosure.
  
  (Note: The determination was made while the National Privacy Principles (NPP) were still in force. From March 2014, these have been replaced with the Australian Privacy Principles (APP))

The Privacy Commissioner determined that it was not relevant whether other passengers actually heard the information and, in any event, the Complainant's sighted guide certainly heard it. He held that AeroCare should have offered the complainant a more private location in which to question him about his medical condition and, because it did not, AeroCare's actions caused the complainant significant distress and humiliation.

The result

To redress the matter AeroCare was required to:

• apologise in writing to the complainant and pay him $8,500 in compensation for the injured feelings, humiliation and distress he suffered; and
• review its training of staff in the handling of sensitive information and advise the OAIC of the results of that review within six months of the determination.

Key Message

Businesses that collect personal information from individuals in public places need to ensure their staff are aware of the need to be discreet.

In any event, businesses should be constantly mindful of APP 11 and the need to protect sensitive personal information from unauthorised disclosure at all times.

Privacy Commissioner, Tim Pilgrim, said in relation to this case:

• "This determination is particularly relevant to organisations that need to collect or discuss information about people in public places like medical practices, banks and Government service centres. Organisations that operate in this environment need to ensure that they take reasonable steps to protect the privacy of their customers. What is reasonable will depend on the particular circumstances, but it is an issue that needs to be actively considered and managed. As we saw in this case it can cause the individual considerable distress and embarrassment and may be a breach of the Privacy Act." ^[1]

More information from Maddocks

For more information, contact Philippa Hore in the Maddocks Commercial Group on (03) 9258 3555.

More Cleardocs information on related topics

You can read earlier ClearLaw articles concerning the privacy reforms and a wide range of other topics.

Order Cleardocs company packages

• Company Registration
• Registration Documents Only
• Sole Director Package
• Change to Constitution
• Division 7A Loan Agreement
• Company Name Reservation
• Public Company Limited by Guarantee
• Deed of Confidentiality
• Company Minutes & Resolutions Package