Privacy Law and Policy Reporter
The department conducted a data- matching exercise with the office of the Commissioner of Taxation, matching DSS files of those registered for unemployment benefits against those held by the Commissioner concerning payments made to contractors under the Prescribed Payments Scheme (PPS). Following an apparent match, DSS contacted six clients of the complainant by letter, the contents of which implied that he was collecting unemployment benefits while working. DSS had not contacted the complainant. The apparent match was in fact erroneous, and the unemployed person of the same name lived in Adelaide whereas the complainant lived in NSW. Two other complaints at the same time revealed similar errors as a result of the data- matching exercise. The incidents received wide media publicity.
The matching was not done under DSS's main program which is regulated under the Data-matching Program (Assistance and Tax) Act 1990. It involved one of the many other programs conducted by DSS. The incident occurred after DSS had agreed in principle to observe the Commissioner's draft Data-matching in Commonwealth Administration Guidelines (draft 1990, issued 1992), which are guidelines to compliance with the IPPs made under s 27(1)(e) Privacy Act 1988.
DSS responded by (a) issuing an instruction to staff handling PPS cases to contact the subjects of apparent data matches before making any approaches to third parties for information; (b) revising its data-matching algorithm to reduce the risk of such mismatches (including addition of postcodes); and (c) apologising to the complainant.
The Secretary of DSS also requested the Privacy Commissioner to investigate the matter formally to determine whether there was need for further action by the Department. The Commissioner considered the matter was a potential breach of IPP 8 (failure to take reasonable steps before using information to ensure that the information is accurate, up-to-date and complete) and did not comply with draft data-matching Guideline 16.1, which states that:
16.1 Unless to do so would frustrate the objectives of the program the agency should only take further action as a result of a match, including conducting checking with third parties, after giving the individual an opportunity to consider the information and comment on its contents. If there is a dispute as to the accuracy of the data or as to the proposed administrative action but the agency considers that further action is justified, it should give the individual full opportunity to exercise rights conferred by the Privacy Act to lodge a complaint.
DSS acknowledged that, had it observed the draft guideline, the problem which arose might have been avoided. After negotiations, the department and the complainant settled the matter for payment of compensation, and the Commissioner discontinued formal investigation (s 41(2)(a)).