sunrra

Breach of State & Local Privacy Act by Brimbank Council

Sunshine Residents & Ratepayers Association (SunRRA) has lodged an official complaint with Brimbank City Council on behalf of their members. The official complaint accuses Brimbank Council of breaching the Privacy Act by publishing personal information of SunRRA members and the general public without permission.

SunRRA believes this breach of the Privacy Act has occurred through the medium of Public Question Time held during Ordinary Council meetings. Participants of Public Question Time are required to fill out Brimbank Council's Public Question Form. The Brimbank Public Question Form requires participants' name and address, and it is this information that has been published on the Brimbank website.

SunRRA has contacted Privacy Victoria, Office of the Victorian Privacy Commissioner, and was told to lodge an official complaint with the CEO Marilyn Duncan. Privacy Victoria told SunRRA they would investigate the case further should the Brimbank City Council fail to respond to the complaint.

SunRRA surveyed sixteen other Melbourne metropolitan council meeting minutes and found none disclosed the addresses of the individuals asking questions during Public Question Time.

SunRRA believes that Brimbank City Council has put their members and the general public, who have had their privacy breached, at risk by publishing their residential addresses on a public website without their knowledge or permission.

The official complaint SunRRA has lodged with the CEO of Brimbank City Council recommends that council rectify this breach immediately and notify all persons who have had their privacy breached by their actions. Anyone who thinks they have had their privacy breached should contact Brimbank City Council or Privacy Victoria.

 


Attached Document reads:

To whom this may concern,

I am writing to you on behalf of Sunshine Residents and Ratepayer Association members. We would like to lodge a formal complaint regarding what we believe to be a breach of the Privacy Act 2000 and a breach of our members' privacy.

SunRRA has had numerous complaints from our members regarding the publication of their personal information on the Brimbank City Council website. I understand this has occurred through the process of Public Question Time held during Ordinary Council meetings and the publication of these meeting minutes on the Council website.

I believe that the disclosure on your website is a breach of our members' sensitive personal information, being their residential address, and that this disclosure occurred without prior knowledge of our members and all other individuals who have participated in Public Question Time. It appears the public and our members were not informed this information would be used in this manner.

SunRRA has a copy of Brimbank's official Public Question form for Ordinary Council meetings and we have not been able to find anywhere on this document either a disclaimer regarding the privacy of the individual filling out the form or permission for publication of personal details supplied by the individual.

I would like to remind you of your responsibilities regarding the use of private and sensitive information you hold.

According to The Information Privacy Principles -

Principle 1 Collection, 1.3

At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of-

(c) the purpose for which the information is collected; and
(d) to whom (or types of individuals or organisations to which) the organisation usually discloses information of that kind; and
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for the individual if all or part of the information is not provided.

***Brimbank's Public Question Form does not disclose any of this information to the individual filling out the form and therefore the public was not made aware personal addresses would be published on Brimbank Council's public website nor was permission asked for.

Principle 2 Use and Disclosure 2.1

An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless-


(b) the individual has consented to the use or disclosure.

***We don't believe consent was given to publish personal residential addresses on Brimbank Council's public website.

Principle 4 Data Security 4.1

An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modifications or disclosure.


***We don't believe Brimbank Council have taken reasonable steps to protect our members' personal information from misuse by publishing their residential addresses on a public website. We believe the personal safety and property of members may have been compromised due to the extremely public forum their personal information has been published on.

Principle 8 Anonymity 8.1

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

Principle 10 Sensitive Information 10.1

An organisation must not collect sensitive information about an individual unless -

(a) the individual has consented; or
(b) the collection is required under law;

In closing, we believe the objects of the Information Privacy Act, as stated on the Victorian Privacy Government website (www.privacy.vic.gov.au), are quoted as:


* balance the public interest in the free flow of information with the public interest in respecting privacy and protecting personal information in the public sector; and


* promote the responsible and transparent handling of personal information in the public sector and promote awareness of these practices.


Privacy Victoria must bear in mind these aims at all times.

SunRRA suggests that Brimbank Council is in breach of the Privacy Act and recommends that Council delete the addresses of all individuals who have asked a question, appearing in the section Public Question Time, from all council meeting minutes being displayed on the Brimbank Council website.

We further recommend that Brimbank Council contact and notify in writing each individual whose privacy has been breached of this breach and the number of times and dates their privacy was breached.

SunRRA recommends Brimbank Council supply a new Public Question Form that meets privacy legislation as a matter of urgency and in time for the next Ordinary Council Meeting.

Please note SunRRA has contacted the State & Local Privacy Commission and received instructions to write to the CEO regarding this issue. The Commission representative SunRRA spoke to was concerned and was prepared to investigate this further should a mutual resolution not occur.

We look forward to your response and your urgent attention to this matter.

Darlene Reilly
Treasurer (SunRRA)


