You’re offline. This is a read only version of the page.
Determination
Case number | 12-00-1030920 |
Financial firm | Resolute Property Protect Pty Ltd |
Case number: 12-00-1030920 15 July 2024
The complainant is a beneficiary under a strata insurance policy arranged by the financial firm (broker). The complainant lodged a claim with the insurer. The broker subsequently assisted the complainant with managing the claim. The complainant says the broker breached her privacy when it collected, used and disclosed her personal information to the owners’ corporation and the insurer.
While the broker’s conduct was not entirely inappropriate, it is not in dispute the broker inappropriately disclosed the complainant’s bank account details to the owners’ corporation. The exchanged information also shows the broker did not appropriately respond to the complainant’s request for her personal information.
Given this, it is fair that the broker pays $500 in non-financial loss compensation to the complainant.
I acknowledge the complainant’s concerns about the collection, use and disclosure of her personal information. The broker’s conduct in relation to the complainant’s personal information was not entirely appropriate. On balance, the insurer’s conduct caused injury to the complainant’s feelings. It is therefore fair for the broker to compensate the complainant for the non-financial loss its conduct caused her.
This determination is partially in favour of the complainant. If the complainant accepts this determination, within 14 days of receiving her acceptance, the broker must pay the complainant $500 in non-financial loss compensation.
While the broker’s conduct was not entirely inappropriate, it is not in dispute the broker inappropriately disclosed the complainant’s bank account details to the owners’ corporation. The exchanged information also shows the broker did not appropriately respond to the complainant’s request for her personal information.
Given this, it is fair that the broker pays $500 in non-financial loss compensation to the complainant.
AFCA’s rules set out the relationship a complaint must arise from (AFCA rule B.2).
Typically, a complaint relating to a general insurance broker arises from the provision of a financial service by the broker, to the complainant. In this case the broker has not provided a financial service to the complainant. The complaint arises solely from the alleged breach of the complainant’s privacy. AFCA has a limited jurisdiction in this case and can review only if the broker has breached the complainant’s privacy.
The Privacy Act 1988 (Act) regulates how Australian government agencies and some other organisations handle personal information. The Act includes 13 ‘Australian Privacy Principles’, which are generally referred to as the APPs. The Office of the Australian Information Commissioner (OAIC) has published guidelines which outline how the OAIC interprets the APPs (APP guidelines). It is not in dispute the broker is an APP entity, and the APPs apply to the broker.
AFCA can decide a financial firm is to compensate a complainant for non-financial loss for a complaint relating to an individual’s privacy rights if, on balance:
The complainant has expressed concern about the way the broker collected, used and disclosed her personal information to the owners’ corporation (including the chair and manager). The complainant says the broker breached the following sections of the APPs:
Apart from the disclosure of the complainant’s bank account details (discussed below), the broker says it did not breach its privacy obligations because:
The privacy policy available on the broker’s public website sets out its practices in relation to the collection, use and disclosure of personal information.
The complainant’s concerns are generally about the broker’s disclosure of information she gave it. Therefore, on balance, it is likely the broker appropriately collected the complainant’s personal information, because the collection was from her.
If it is the case the broker collected personal information from the owners’ corporation or the insurer in the ordinary course of its claims handling, I am not satisfied this fact alone means the broker breached its privacy obligations. This is because the APPs require an APP entity to collect personal information from the individual, unless it is unreasonable or impracticable to so.
The OAIC published APP guidelines which provide guidance on how the APPs are interpreted. The APP guidelines say whether it is ‘unreasonable or impracticable’ to collect personal information only from the individual concerned will depend on the circumstances of the particular case. One relevant consideration is whether the individual would reasonably expect personal information about them to be collected directly from them or from another source.
In these circumstances, I consider the complainant would reasonably expect some personal information may be collected from other sources, such as the owners’ corporation or the insurer. This is particularly the case as the owners’ corporation holds the policy with the insurer.
I do not consider the broker’s collection of personal information from the owners’ corporation or the insurer (if any) to be unreasonable.
The complainant says the broker disclosed her personal information without her knowledge or consent. The APP guidelines say:
APP 6 outlines when an APP entity may use or disclose personal information. The intent is that an entity will generally use and disclose an individual’s personal information only in ways the individual would expect or where one of the exceptions applies.
An APP entity that holds personal information about an individual can only use or disclose the information for a particular purpose for which it was collected (known as the ‘primary purpose’ of collection), unless an exception applies…
I acknowledge the broker’s position that it is necessary for the owners’ corporation to receive information about lot owners’ insurance claims. This is:
In this case, the broker collected the complainant’s personal information for the primary purpose of assisting with her insurance claim. Use and disclosure of this information to the policy holder and/or the insurer is in line with this purpose.
The complainant says the broker breached APP 5 because it did not notify her it intended to collect or disclose her personal information. Subclause 5.1 of the APPs says:
At or before the time or, if that is not practicable, as soon as practicable after, an APP entity collects personal information about an individual, the entity must take such steps (if any) as are reasonable in the circumstances:
The broker has a privacy policy which is available on its website. It would therefore have been reasonable for the broker to direct the complainant to its privacy policy to notify her of the matters referred to in subclause 5.2 of the APPs around the time it collected her personal information.
It is not in dispute on 16 June 2023 the broker sent the complainant’s bank account details to the owners’ corporation:
While it may be that the owners’ corporation had the complainant’s bank account details, I accept the broker breached its privacy obligations in these circumstances. The exchanged information shows on 16 August 2023 the broker undertook steps to:
The exchanged information also shows on 26 July 2023 the broker apologised to the complainant for its error. However, there is no information to show the broker informed the complainant of the steps it intended to (and eventually did) take to address the error, until the complainant lodged the AFCA complaint. It may have been helpful for the broker to have advised the complainant of these steps at the time, given her concerns.
The complainant has raised issues about the security of her personal information and the broker’s general operations in relation to information security.
I note AFCA is a complaint resolution service offered as a free alternative to the courts. We are not a regulator of the financial services industry. We can consider individual complaints about loss or damage caused by a financial firm’s actions but cannot consider complaints about a financial firm’s general policies, conduct or operations (such as the broker’s general data security practices and procedures). I have therefore not considered the broker’s security practices in this determination.
In these circumstances, I accept the broker did not take reasonable steps to protect the complainant’s personal information from disclosure when it sent her bank account details to the owners’ corporation. I note, however, it may be that the owners’ corporation already had these details.
The complainant asked the broker for details of the information it disclosed to, and collected from, the owners’ corporation. I accept the complainant’s request included personal information.
The broker told the complainant:
Personal information is defined in Chapter B of the APP guidelines as:
Any information or an opinion about an identified individual, or an individual who is reasonably identifiable:
While I do not have a complete copy of the broker’s file, the broker provided a copy of an email it sent the owners’ corporation attaching an email the complainant sent it. I accept this email contained personal information because the complainant was reasonably identifiable from the email. As the broker did not provide a copy of this email to the complainant in response to her request for personal information, I am satisfied it did not comply with APP 12. There does not appear to be an applicable exception to access under APP 12.3.
It is not necessary for me to consider whether the broker held other personal information, which it did not provide the complainant. This is because I am satisfied on the exchanged information the broker did not appropriately respond to the complainant’s request.
I also accept the complainant’s position that the broker’s failure to provide her personal information impeded her ability to exercise her right to have the information corrected. This is because the complainant could not reasonably know whether her personal information needed to be corrected without access to the information.
Where AFCA is satisfied a financial firm has breached the complainant’s privacy, AFCA can require the financial firm to:
Compensation is capped at $5,400 and AFCA cannot award punitive, exemplary or aggravated damages.
AFCA takes a conservative approach to awarding compensation. We do not award compensation because the complainant has suffered some inconvenience and delays. AFCA expects complainants to be moderately robust and to bear the normal degree of inconvenience experienced when a problem occurs and to take reasonable steps to manage the situation.
For the reasons discussed above, I am satisfied the broker’s conduct was not entirely inappropriate. The broker acted generally reasonably when collecting and disclosing information to the owners’ corporation. However, considering the exchanged information, I am satisfied:
This is because the complainant was in a vulnerable position as she was displaced from her home, and it appears the complainant was hurt by the broker’s actions. For this reason, I consider an award of $500 non-financial loss compensation is fair. The broker has already apologised to the complainant for its disclosure of her bank account details, which is appropriate.
I acknowledge the complainant’s concerns about the collection, use and disclosure of her personal information. The broker’s conduct in relation to the complainant’s personal information was not entirely appropriate. On balance, the insurer’s conduct caused injury to the complainant’s feelings. It is therefore fair for the broker to compensate the complainant for the non-financial loss its conduct caused her.
AFCA has determined this complaint based on what is fair in all the circumstances, having regard to:
The respective parties have completed a full exchange of the relevant information, and each party has had the opportunity to address any issues raised. We have reviewed and considered all of the information the parties have provided.
While the parties have raised a number of issues in their submissions, we have restricted this determination to the issues that are relevant to the outcome.
AFCA is not a court of law. We do not have the power to take or test evidence on oath, or to require third parties to give evidence.
When we assess complaints, we consider:
We give more weight to documents created at the time the events occurred. If there are no relevant documents, we will decide what most likely occurred based on the available information.
If there are conflicting recollections and these are evenly weighted, we may find that a claim cannot be established.
