Travellers’ driver licence, credit card details left exposed

Holidaymakers from across Australia and overseas have had their credit card and driver licence details exposed in what one legal professional called an “extraordinarily inappropriate” breach of privacy.

But the angry travellers, from as far away as New South Wales, Victoria, South Australia and even Germany, may not have any legal protection outside of a costly civil suit thanks to a limitation of the Commonwealth Privacy Act.

Booking details of more than 100 travellers who booked with were found unredacted in the bin room of a 514-room Brisbane apartment complex earlier this month, prompting outrage from some visitors.

The bin room is in a car park not technically accessible to the public, but hundreds of residents of and visitors to the apartment complex have access.

“They’ve got to be exposed for it. They really do,” Melbourne chef Maria Rivera said when warned her details had been left lying around.

“People who haven’t stayed there need to know there’s a risk.”

Ms Rivera stayed at Cathedral Place, in inner-city Brisbane’s Fortitude Valley, in August 2015 for the nationally recognised BigSound Live Music festival.

The 35-year-old remembered a great few days, other than some trouble getting her deposit back, until now.

“This is ridiculous,” she said.

More than a hundred documents were found with personal details in a Cathedral Place bin room.

Hers was one of more than 100 booking forms sighted by Fairfax Media, which included mobile numbers, addresses, credit card details and, in many cases, scans of driver licences.

Unredacted tenancy agreements were also disposed of in the bin.

Cathedral Place Management manager Kathleen Chan blamed the failure to properly shred and dispose of the documents on a “communication issue” with tradesmen, who were renovating the admin office.

“We have three group of tradesmen doing the renovating for us,” Ms Chan said.

“Because they’re helping us to dump the things and they, maybe they’re just thinking those boxes are the one they should be (getting rid of) and to dump it.”

Cathedral Place Management runs holiday rentals out of the address. Ms Chan said she had reported the removal of the documents from the bin room to police.

A police spokeswoman could not find any record of the complaint on Tuesday.

Her colleague, relationship manager Farheen Zehra, later called Fairfax Media to claim contacting the holidaymakers whose details had been exposed could be a “criminal offence on your part”.

The Privacy Act requires organisations to “take reasonable steps to destroy or de-identify” personal information when they no longer need it.

The Office of the Australian Information Commissioner can force companies to pay compensation, apologise or change their practices, with civil penalties up to $2.1 million available for serious or repeated breaches.

But with the exception of some business categories, including health care providers and commonwealth contractors, businesses with annual turnovers less than $3 million are exempt.

Ms Chan said the company did not make anywhere near that figure and she would try to contact affected guests.

Queensland Law Society president Christine Smyth said a law change could be appropriate “if there’s evidence this is occurring at a significant rate”.

Port Macquarie man David Campbell, who also stayed at the apartment complex in late 2015, said the disposal showed a lack of care and responsibility.

“I’ve run a business for the last seven years,” he said.

“I know how we keep all of our records and when they’re disposed of they are shredded.”

The documents were removed from the bin room by a concerned resident, who told Fairfax Media they found them in the bin, a nearby filing cabinet and scattered on the floor.

They planned to hand them in to police.

Ms Smyth said the disposal of the documents was “extraordinarily inappropriate”.

“That information has been released and released in an unauthorised manner,” she said.

“It’s just not good enough to be tossing it in the rubbish bin.”

A spokesman said the company made protection of customer data a “top priority” and would co-operate with any authorities and potentially remove the property from the site.

“If a property holds data outside of’s secure, password-protected system, it is the property’s responsibility to comply with applicable legislation relating to that data,” he said in a statement.
