Complainant AY v Public Sector Employer [2013] VPrivCmr 02

April 12, 2013 |

In Complainant AY v Public Sector Employer [2013] VPrivCmr 02 the Victorian Privacy Commissioner considered a serious complaint about a breach of privacy by a public sector employer.


In approximately 2006, the Complainant forwarded an unsolicited email application to an employee of the Respondent for a job. This application contained a covering letter and details about the Complainant’s qualifications.

Subsequently, this application was uploaded to a personal blog website by an employee of the Respondent. The uploaded information contained extracts of the Complainant’s application together with  unfavourable remarks about the Complainant’s qualifications and the application.

The website was available online and without any restrictions as to who could view it. Additionally, other unidentified individuals had made further negative statements in the ‘comments’ section of the website about the Complainant’s application and qualifications.  In June 2012, the Complainant became aware of the website when he was directed to it by a friend.

The Respondent conceded that a breach of the Complainant’s privacy had occurred. It  provided a written apology to the Complainant, instructed the employee to remove the material from the website and that employee was directed to attend privacy training. The Respondent argued that the organisation was unaware of the employee’s actions until the complaint was raised and was therefore unable to take reasonable steps to protect or secure the Complainant’s personal information. The Respondent argued that it had adequately dealt with the complaint under section 29(1)(h)(i) of the Act and requested the Acting Commissioner exercise his discretion to decline the complaint.


The Acting Commissioner found the Respondent had not taken reasonable steps to protect the personal information it held from misuse and disclosure (IPP 4.1) or inaccuracy (IPP 3.1). There also appeared no grounds under IPP 2 that supported the disclosure.

The Commissioner also found that actions of an employee are generally attributable to an organisation (here, the Respondent) and that the Respondent had not provided evidence to support what steps the Respondent had taken to educate the employee on their responsibilities under the Information Privacy Act.

The Commissioner considered that there was merit in referring the complaint to conciliation to resolve the matter.


The Privacy Commissioner was correct to reject the Respondent’s claim that it could not be responsible for the breach as it was not aware of the posting.  Once the application came into the possession of the employee of the Respondent it was the Respondent’s responsibility to maintain proper record of the document and ensure it was secured adequately.  That an employee could take it and upload it onto a web site and have other members of the public comment on it is a very serious breach of privacy.

It is an indictment on the structure of reportage that the department or agency is not named.  That is the best way of rectifying poor management and poor insight.  That the respondent agency/department could somewhat argue that it was not ultimately responsible for the breach is indicative of arrogance, a lack of understanding of the Information Privacy Act or breathtakingly incompetent legal representation.  Or a combination of all three factors.



Leave a Reply