G and Parking Services Organisation [2011] AICmrCN 1 (22 December 2011): Determination regarding NPP 1.1, 1.2 and 4.2 of the Privacy Act
March 21, 2012 |
In G and Parking Services Organisation [2011] AICmrCN 1 the Commissioner considered a complaint in the context of NPP 1.1, requiring organisations to only collect personal information if the information is necessary for one or more of its functions or activities, NPP 1.2, that an organisation must collect personal information only by lawful and fair means an not in an unreasonably intrusive way, and NPP 4.2, that an organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.
FACTS
The complainant alleged that a parking services organisation had no reason to collect personal information and they wanted the organisation to destroy the information. The parking services organisation had a short business relationship with the complainant and believed it was owed money from that relationship. To pursue the debt, the organisation obtained a court subpoena for records held by a state government department. These records contained the complainant’s personal information, relating to the complainant.
The complainant alleged there was a mistake in the organisation’s internal processes, and the complainant was not in debt to the organisation. On that basis, the complainant did not consider it necessary for the organisation to collect their personal information and did not want the organisation to hold information.
DECISION
The organisation argued that at the time it collected the complainant’s personal information it believed the complainant owed it money. The information about the complainant was not obtained by deception but through a court subpoena. The organisation also advised that it later identified that there had been an administrative error and the complaint did not owe a debt. Nonetheless, when the information was collected from the state government department, the organisation believed in good faith that the information was necessary to pursue the non-payment for its services.
The Commissioner found that the organisation did not need the consent of the complainant before it collected the personal information about the complainant and, as such, the collection of the complainant’s information by the parking services organisation was necessary for its activities and was collected by lawful and fair means and not unreasonably intrusively.
While the relationship between the complainant and the organisation had ceased under NPP 4.2, organisations can retain personal information after a business relationship has ended where it has a purpose under NPP 2 for retaining the information. The organisation argued that it was required to keep the complainant’s personal information to meet obligations with other laws, including taxation and corporations law. The organisation wrote to the complainant and outlined why it needed to continue to hold the personal information in its records and the timeframe for destruction. The information provided by the organisation showed that the obligations it had under taxation and corporations law meant it had to keep records for at least five years. On this basis, the Commissioner was satisfied that the organisation had a legitimate reason for retaining the complainant’s personal information.
ISSUE
This is an uncontroversial decision. That said the information kept by an organisation should be the minimum required, not all that obtained.