Key Takeaways From 4 Recent OAIC Determinations

Earlier in 2025, the Office of the Australian Information Commissioner (OAIC) released four determinations covering issues relating to access, use, accuracy and disclosure.

This post covers those determinations and key takeaways for Australian organisations.

Key Takeaways

  • Organisations should have a records management strategy that covers both the deletion of records and the retention of information where a dispute or litigation is on foot.
  • For successful complaints, damages awards are likely to be small. Compensation will not be awarded for time spent dealing with the matter, and claimed costs (such as those of a name change) must be evidenced.
  • Organisations should take care to manage responsibility for employee actions and be able to provide evidence of relevant policies, training and general practices.
  • It takes a long time from the action giving rise to a complaint to a determination. Some of the complaints considered in the determinations issued in January 2025 arose from actions in 2020, some five years earlier.

Recent Decisions

‘ATU’ and ‘ATX’ (Privacy) [2025] AICmr 23 (30 January 2025)

Relevant APP: 12 – Right to Access.

Finding: No breach, complaint dismissed

The issue related to a request for access under APP 12. Interestingly, the OAIC makes the point that this is a common source of complaints submitted to the OAIC, and that the decision to publish this determination is based on a belief that ‘there is important educative value in setting out the requirements of the Act with respect to requests for personal information, and the obligations of respondents thereto.’:

 Although the right to access one’s personal information is a critical pillar of the right to privacy, it should not place an unreasonable burden on the respondent to act outside of reasonable administrative and logistical practices.

The case related to a dispute over a building contract which ended with the arrangements being terminated and, according to the respondent, its files being deleted. The complainant disputed that assertion and brought a complaint based on the respondent’s refusal to give her access to the contract, which contained her personal information.

The OAIC found that the respondent probably had destroyed the relevant files and so found no breach of APP 12. However, while acknowledging that the respondent had an obligation under APP 11.2 to take reasonable steps to destroy or de-identify personal information it no longer needs, the OAIC questioned whether the respondent could reasonably have believed that it no longer needed records containing the complainant’s personal information, particularly records as significant as the building contract, given the ongoing dispute with the complainant.

The destruction of the draft building agreement has limited the options available to the complainant to pursue her dispute against the respondent. While I am unable to conclude whether such action was intentional or inadvertent on the evidence available to me, I would expect an entity such as the respondent to have a clearly documented record management policy which outlines retention and destruction requirements. I implore the respondent to review its information retention and destruction practices, procedures and systems in light of this complaint and ensure it is well-equipped to identify and respond to access requests in accordance with its obligations under APP 12.

‘ATQ’ and CEO of Services Australia (Privacy) [2025] AICmr 19 (23 January 2025)

Relevant APP: 6.1 – Use and Disclosure, APP 10.2 – Accuracy, APP 11 – Security

Finding: Breach, Written Apology, Specified Steps

The case related to the ‘intertwining’ of the complainant’s Medicare record with those of other customers, triggered by an incorrect update of the complainant’s Medicare record with the address of another customer. In one instance the other customer had the same first name, last name and date of birth as the complainant. The complainant’s file came to include details of other customers, and the complainant’s information was then assigned to another customer’s record.

The complainant alleged that there had been an unauthorised disclosure of his information, that Services Australia had failed to ensure the accuracy of his information, and that it had failed to protect his information from unauthorised access and disclosure.

The OAIC found:

  • Security breach: The respondent argued that it had put mitigations in place to address the security issues, including flagging a file once it had been intertwined. The OAIC determined that other measures could have been taken, including additional identification checks (for example, a unique password or phrase) for customers at higher risk of having their records incorrectly intertwined, such as those who share common personal identifiers.
  • Quality: Again, the respondent argued that it had mitigations in place, including guidelines, policies and procedures. The OAIC did not consider these sufficient.
  • Use and disclosure: There were several instances of disclosure, for example where a third party was sent the complainant’s new Medicare card in the mail, disclosing the complainant’s name, Medicare number, position number and new Medicare card expiry date, and where the complainant’s information had been assigned to another customer’s record.

The complainant sought the following remedies:

  • $50,629 for non-economic loss, associated with his time dealing with this matter (based on over 300 hours of time spent dealing with the matter);
  • $200,000 for non-economic loss, associated with the ‘grief and distress’ caused; and
  • $16,879 for economic loss, for the administration associated with changing his name.

The complainant was awarded $10,000 in non-economic loss for distress arising from the privacy breaches. The OAIC also found:

  • There was no evidence that the change of name cost $16,879 (the filing fee with Births, Deaths and Marriages is $136.80);
  • Compensation could not be awarded for time spent.

‘ATP’ and ‘ATR’ (Privacy) [2025] AICmr 18 (23 January 2025)

Relevant APP: 6.1 – Use and Disclosure, APP 10.2 – Accuracy

Finding: No breach, complaint dismissed

This decision related to a complaint about the publication of an individual’s personal information in documents relating to the respondent’s 2020 Annual General Meeting (AGM), which the respondent published on its website. The respondent is a membership body representing over 136,000 members globally and is a higher education provider accredited by the Tertiary Education Quality and Standards Agency in Australia. The complainant was a member of the respondent. The complainant and 9 other members sought to requisition 38 special motions (proposed motions) for consideration at the respondent’s 2020 AGM. The proposed motions concerned various issues including the respondent’s accounts and budget, governance structure, overseas offices, overseas travel costs and remuneration of senior executives.

The respondent’s Board considered that the complainant’s proposed motions were not appropriate to be put to members at the AGM. Instead, the respondent decided to address the general themes of those proposed motions at the AGM and published information about the proposed motions, including the complainant’s details. The complainant complained that this was an unauthorised disclosure of their personal information.

The OAIC determined that publication of the complainant’s details as part of informing members of the proposed motions was a reasonably expected secondary use of the information and so was not an unauthorised use or disclosure.

‘ATE’ and ‘ATF’ (Privacy) [2025] AICmr 10 (13 January 2025)

Relevant APP: 6.1 – Use and Disclosure, APP 11 – Security

Finding: Breach and No breach, complaint dismissed

The chief issue was the extent to which the respondent was responsible for the disclosures by a senior employee of details about the complainant (including his criminal history) to a journalist.

There was no dispute about the disclosure. What was in question was whether the acts of the senior employee could be considered part of the performance of his employment duties, for which the respondent could be held vicariously liable. The respondent provided evidence of policies, including a Code of Conduct and an Employment Guide, which set out employee confidentiality and privacy obligations. The OAIC noted that there was evidence that on induction the senior employee was provided with a copy of the respondent’s Employment Guide, which relevantly stated that the Managing Director was the only person authorised to communicate with the media on behalf of the respondent. The respondent’s CEO also declared that he could not recall any media communication, whether verbal or written, by the senior employee or anyone else, being issued by the respondent without his authorisation as CEO. Therefore, not only was the senior employee’s conduct contrary to the respondent’s internal policy, but it also did not accord with the respondent’s general practice.

On the evidence, the OAIC decided that the respondent was not vicariously liable for the senior employee’s disclosure to the journalist, because that act was not in the performance of his employment duties with the respondent under s 8(1)(a) of the Privacy Act.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.