I and Insurance Company [2011] AICmrCN 3 (22 December 2011): Privacy determinatiion about accuracy of personal information, NPP 3

March 16, 2012 |

In I and Insurance Company [2011] AICmrCN 3 the Commissioner considered the operation of NPP 3, which requires an organisation to take reasonable steps to make sure that the personal information it collects, uses or discloses about an individual is accurate, complete and up-to-date.


The complainant was a loss assessor in the insurance industry. In the course of investigating an alleged fraud an insurance company collected the complainant’s personal information from a third party insurance industry database.  The complainant accessed his/her file on the industry database and discovered that the insurance company had made multiple enquiry listings and had inaccurately listed the purpose for the enquiries, stating that the complainant was  a ‘witness’, ‘insured’ and a ‘third party claimant’. The enquiries did not provide any reference number.


The insurance industry database had a field to place a reference number for enquiries but it was not mandatory. The insurance company did not include an enquiry reference number when disclosing the complainant’s personal information to the insurance industry database and did not have a unique enquiry number to search for, and update, the records.

The insurance company submitted that the multiple enquiries about the complainant, recorded on the information service’s system, resulted from inexperienced staff and that  several of the descriptors were inaccurate. The Commissioner found that the insurance company had recorded incorrect descriptors against the complainant’s personal information and was not able to verify why it had made the enquiries, or to find the various entries when it needed to correct the information. As such, the Commissioner formed the view that the insurance company had not taken reasonable steps to ensure the personal information it disclosed was accurate and complete.  In response the insurance company put in place procedures to ensure its staff used a unique reference number for enquiries it makes on the insurance industry database. The insurance company also retrained staff on the appropriate descriptors to be attached to enquiries made with the database and amended the complainant’s personal information held with the insurance industry database so it was accurate. The insurance company also offered the complainant an unconditional apology, which the complainant accepted.

The Commissioner closed the complaint under section 41(2)(a) of the Privacy Act on the ground that the insurance company had adequately dealt with the matter.


As described the breaches were very serious.  Misdescribing a loss assessor who derives his or her income from the insurance industry as a witness or third party claimant is appalling.  The insurance company was either incompetent, their defence, or malicious, an inference that could be drawn. This sort of behaviour warranted sanction and the assessor should have received some form of compensation.  It is quite a disappointing result even with the rectification being made and new processes adopted.




Leave a Reply

Verified by MonsterInsights