Case Notes

This case relates to DPP6 - Access to personal data

Case No.: 2003A08

Non-compliance with data access request

The AAB upheld the Privacy Commissioner's decision not to issue an enforcement notice against the bank for failing to comply with a data access request under section 19(1), and the Privacy Commissioner's finding that the bank did not contravene DPP3 by disclosing the requestor's data access request to his ex-employer in the course of processing that request.

Cancellation of credit card by bank upon notification of cessation of employment by card holder's employer - data access request by card holder to bank - non compliance with the request - unauthorized disclosure of the request to card holder's ex-employer - section 19(1) and DPP3

The Complaint

The complainant applied for and was issued a credit card by the bank pursuant to a scheme in which his employer participated. Under the terms of the arrangement, the employer was required to notify the bank should an employee who held the credit card cease to be employed. One day, the bank informed the complainant that his credit card would be cancelled, as he was no longer employed by his employer. The complainant then lodged a data access request with the bank requesting a copy of the employer's notice to the bank on the cessation of his employment. The bank refused to comply with the request, claiming that it was unable to do so as the employer possessed and controlled the use of the document. In the course of handling the request, the bank disclosed to the employer that the complainant had made such a request.

The complainant alleged that the bank had wrongfully refused to comply with his data access request. He further alleged that the bank had disclosed his personal data (that he had made a data access request) to the employer without his consent.

Findings of the Privacy Commissioner

The Privacy Commissioner carried out an investigation and found that the notice requested consisted of a covering letter and a list with the names of several ex-employees including the complainant. The bank claimed that at the time when the request was received, they were in possession of the list but not the covering letter. The bank further claimed that consent from the employer was required before it could release the list and for the purpose of seeking consent, it disclosed the complainant's data access request to the employer.

As the investigation and the evidence gathered showed that the employer did not prohibit the disclosure of the list requested and that no consent was needed before the bank could release the list to the complainant, the Privacy Commissioner found that the bank had contravened section 19(1) of the PD(P)O. As to the allegation of unauthorized disclosure of the complainant's request to the employer, the Privacy Commissioner found that the purpose of the disclosure by the bank was directly related to its original purpose of collecting the complainant's personal data, namely, to handle his request. He opined that such disclosure had not contravened DPP3.

Pursuant to the undertakings imposed by the Privacy Commissioner, the bank provided to the complainant a copy of the list with names of third parties deleted and confirmed to the complainant that at the time of the request, it did not hold any other requested document. In view of the compliance with the undertakings by the bank, the Privacy Commissioner opined that the contravention by the bank was not likely to be repeated and therefore exercised his discretion not to issue an enforcement notice to the bank.

The Appeal

The complainant appealed to the AAB against the decision, including the decision not to issue an enforcement notice to the bank. The AAB agreed that the Privacy Commissioner had a wide discretion in deciding whether to issue an enforcement notice. The AAB found that the Privacy Commissioner had reasonably concluded that a repeated contravention by the bank was not likely, having regard to the fact that this was the first contravention by the bank and to the cooperation of the bank in giving and performing the required undertakings. As to the alleged unauthorized disclosure of personal data to the employer, the AAB took the view that the bank disclosed the request to enable the complainant to gain access to the data, which the bank thought, though erroneously, was in the employer's possession and control and could not be released to the complainant without the employer's permission. The AAB decided that the disclosure in the circumstances was for a purpose for which the request had been received by the bank, or at least for a purpose directly related thereto, and thus had not contravened DPP3.

AAB's decision

The AAB upheld the Privacy Commissioner's decision and dismissed the appeal.

