Facts
The complainant
applied for and was issued a credit card by the bank under a scheme
in which his employer participated. Under the terms of the arrangement,
the employer was required to notify the bank should an employee who
held the credit card cease to be employed. One day, the bank informed
the complainant that his credit card would be cancelled, as he was
no longer employed by his employer. The complainant then lodged
a data access request with the bank requesting access to a copy
of the employer's notice to the bank on the cessation
of his employment. The bank refused to comply with the request claiming
that it was unable to do so as the employer possessed and controlled
the use of the document. In the course of handling the request,
the bank disclosed to the employer that the complainant had made
such a request.
Complaint and findings by Privacy Commissioner
The complainant
alleged that the bank had wrongfully refused to comply with his
data access request. He further alleged that the bank had disclosed
his personal data (that he had made a data access request) to the
employer without his consent.
The Privacy Commissioner
carried out an investigation and found that the notice requested
consisted of a covering letter and a list with the names of several
ex-employees, including the complainant. The bank claimed that at the
time when the request was received, it was in possession of the list
but not the covering letter. The bank further claimed that consent
from the employer was required before it could release the list and
that, for the purpose of seeking consent, it disclosed the
complainant's data access request to the employer.
The investigation
and the evidence gathered showed that the employer did not prohibit
the disclosure of the list requested and that no consent was needed
before the bank could release the list to the complainant. The Privacy
Commissioner found that the bank had contravened section 19(1) of the
PD(P)O. As to the allegation of unauthorized disclosure of the
complainant's request to the employer, the Privacy Commissioner found
that the purpose of disclosure by the bank was directly related to
its original purpose of collecting the complainant's personal data,
namely, to handle his request. He opined that such disclosure had not
contravened DPP3.
Pursuant to the
undertakings imposed by the Privacy Commissioner, the bank provided
to the complainant a copy of the list with names of third parties
deleted and confirmed to the complainant that at the time of the
request, it did not hold any other requested document. In view of
the compliance with the undertakings by the bank, the Privacy Commissioner
opined that the contravention by the bank was not likely to be repeated
and therefore exercised his discretion not to issue an enforcement
notice to the bank.
The appeal
The complainant
appealed to the AAB against the Privacy Commissioner's
decision not to issue an enforcement notice to the bank. The AAB
agreed that the Privacy Commissioner had a wide discretion in deciding
whether to issue an enforcement notice. The AAB found that the Privacy
Commissioner had reasonably concluded that a repeated contravention
by the bank was not likely having regard to the fact that this was
the first contravention by the bank and to the cooperation of the
bank in giving and performing the required undertakings. As to the
alleged unauthorized disclosure of personal data to the employer,
the AAB took the view that the disclosure of the request by the
bank was to enable the complainant to gain access to the data which
the bank thought, though erroneously, was in the employer's
possession and control and which could not be released to the
complainant without the employer's permission. The AAB decided that
the disclosure in the circumstances was for a purpose for which the
request had been received by the bank, or at least for a purpose
directly related thereto, and thus had not contravened DPP3.
AAB's decision
The AAB upheld
the Privacy Commissioner's decision and
dismissed the appeal.