Disclosure of sensitive information by a law firm

A law firm needed to serve legal documents relating to a divorce suit on a party to the proceedings. It made arrangements with the intended recipient for the documents to be delivered to her at her office by a messenger. The documents were placed inside a sealed envelope, but there was a duplicate for the recipient to sign to acknowledge receipt, which was not covered in any way. When the messenger arrived at the office he placed both sets of documents on the reception desk and took a seat to wait for the recipient. The contents of the duplicate documents were read by the receptionist and could be read by any person passing by. The recipient was upset that her involvement in divorce proceedings had been disclosed to others in the office. She complained to the PCPD.

In reply to the PCPD's inquiry, the law firm argued that the personal data on the front page of the duplicate documents were merely the suit number of the divorce proceedings and the names of the parties. It pointed out that such data were accessible to the public at the court registry.

The Commissioner's views on the matter

DPP4 provides that a data user must take all practicable steps to safeguard the security of personal data, having regard to the harm that could result from any unauthorized or accidental access or other use of the data. Although the information in question was accessible in public records and hence not confidential in the strict sense, it was still of a sensitive nature to the data subject, particularly in her workplace. In this case such information was unnecessarily brought to the notice of persons who in all likelihood would not otherwise have had knowledge of it and this had caused distress to the complainant. Accordingly, in the opinion of the Privacy Commissioner, DPP4 had been breached. This opinion was accepted by the law firm and the case was settled by mediation.