Outcomes - Selected Case Summaries



Health Clinic Gathers Credit Card Data in Contravention of Data Security Standards

Informal Resolution | 02 November 2020

A complainant expressed concerns about the personal data handling practices of a health clinic. The registration form required patients to provide their personal data, including full cardholder details and signature, which was then sent as a PDF over unsecured email.

The clinic explained that their registration form was implemented temporarily during the COVID-19 lockdown to provide emergency care to patients following advice from the Health Practice Commission that a contactless method of collecting information and payment should be used.

The data handling practices of the clinic contravened the Payment Card Industry Data Security Standard (PCI DSS), which requires that card numbers are masked anywhere they are stored and sensitive cardholder data, such as CVVs, PINs and magnetic stripe data, is not retained after payment authorization. Processing such data in this manner would place individuals at risk of financial fraud or identity theft in the event of a personal data breach or some other misuse of the data, and contravenes the seventh data protection principle. In addition, the clinic’s privacy notice (included in the registration form) did not meet the requirements of the first data protection principle.

We provided the clinic with guidance on choosing an appropriate legal basis for processing personal data and ensuring that its privacy notice complies with the DPL. We also advised it to securely destroy the cardholder data already collected. The clinic stopped using the registration form. The complainant was satisfied and the case was closed.