Your responsibilities

Organisations such as banks and GPs have access to a lot of personal information about their clients and patients. Unfortunately, sometimes employees with access to this information overstep the line. In recent years, we have received many complaints about situations where that line has been crossed.

One recent complaint came from a customer who had given her contact details to a department store in expectation of a delivery. Shortly afterwards, the delivery person contacted her asking if she was single. In another case, our Office received a complaint about a health professional sending inappropriate messages to a young, female patient. This left her feeling scared and uncomfortable. We investigated and found the health professional used his patient’s contact information, which had been collected in his professional capacity, to contact the patient in his personal capacity – asking her about the clothes she had been wearing during her appointment.

Principle 10

As well as being unprofessional and creepy, this sort of contact can raise issues under the Privacy Act. Our Office considered the health agency’s use of the patient’s contact information breached principle 10 of the Privacy Act. Principle 10 says agencies must not use personal information for purposes other than those for which it was collected. The health agency had an obligation to use the information it obtained to provide its patients’ health services and for nothing more. There are certain situations when an exception to principle 10 applies – but asking a patient inappropriate questions would not be one of them!

Principle 5

Inappropriate access to this type of personal information is often closely linked with employee browsing cases (in which employees search for people’s information they have no legitimate right to), where the agency might also be investigated under principle 5 of the Privacy Act. Principle 5 says an agency that holds personal information should ensure the information is protected by reasonable security safeguards from loss, access, use or misuse, modification or disclosure.

This topic has attracted significant media attention, such as when a Police Officer “brought shame and embarrassment to the police” with his unsanctioned and unlawful use of the police National Intelligence Application (NIA) database to stalk women he found attractive, or in the case where a customer received unsolicited text messages about her looks from a mechanic.

Recommendations

Firstly, we recommend agencies ensure their employees undertake privacy training and regular refresher courses. Secondly, we recommend that on a regular basis they review their policies on using personal or health information in a legal and professional way. Thirdly, we recommend agencies audit employee access from time to time and, if staff members are accessing client records two or more times without obvious cause, ask why. Finally, we recommend agencies consider whether they have reasonable safeguards in place to protect their customers’ health and personal information. As a customer, you have a right to have your personal information used only for the purpose you supplied it for, and for it to be protected from misuse.

What to do if your data has been misused

If you feel your personal information has been misused, causing you to fear for your safety, in the first instance you should contact Police. If you wish to make a further complaint and think the conduct has breached your privacy, you can find our complaint form here.