Australia: Privacy alert – Reminders of Our Obligations

Case 1: Damages awarded for breach of privacy rules

The Privacy Commissioner recently imposed the first monetary penalty on an organisation for breaching the requirements of the Federal privacy legislation.

Although the privacy legislation has been in force since 2004, up until now complaints have been conciliated, and either dismissed or settled. The privacy enforcement regime encourages conciliation and most substantiated complaints have been resolved by provision of an apology, improvements to processes to avoid future problems, and by negotiated compensation arrangements in a relatively small number of cases.

The recent case, in which compensation of $7,500 was ordered, involved a couple who were in the process of family law litigation. The complaint arose from the following actions:

• The husband involved had previously had a gambling addiction from 1997-2003, but was over this by 2007 (when the divorce litigation took place).
• During the family law proceedings the ex-wife issued a subpoena to Wentworthville Leagues Club, asking for records of the husband's gambling history.
• The obligation under a subpoena is usually to produce documents to the court, but the club provided the documents to the ex-wife directly (because she asked the Club to), rather than sending them to the court.
• As a result, the documents were not handled in accordance with the rules that would have applied if the court had received them, and the documents had been inspected at court. In fact, the ex-wife showed the documents to friends, family, previous neighbours, parents of children's friends and work colleagues.
• The husband complained to the Privacy Commissioner, claiming substantial compensation for alleged economic loss, and pain and suffering, as a result of the humiliation and stress caused to him.

The Privacy Commissioner found that the Club did breach its obligations, but was not satisfied that the complainant could prove economic loss. Nevertheless, the award of compensation was made because of the humiliation and stress suffered by the complainant. The Club was also ordered to apologise, and to implement privacy and subpoena-handling training

What lessons can we draw from this?

Firstly, if you receive a subpoena you should comply strictly with its terms. This means that you should produce documents to the issuing court, not to one of the parties or the lawyer for one of the parties. Sending the documents to the court meets a legal obligation, which is a defence to any claim of infringement of privacy rights. Giving the documents to somebody else may well be an infringement of privacy rights.

Secondly, this, and other privacy cases, highlight the importance of

• being aware of information collected by and flowing out of your business
• being aware of when it is and isn't OK to use or disclose personal information obtained by your business, and
• devising systems to insure that privacy is protected.

In particular, management and employees need to be aware of areas in which privacy rights might be infringed (such as sending out personal records in answer to a subpoena), and the need to ensure that any risky use or disclosure of personal information is the subject of informed decision making.

Thirdly, it highlights the importance of an early apology and taking steps to rectify the infringement of privacy so far as possible, if a complaint is made. Privacy complaints can usually be nipped in the bud if you respond promptly and, if appropriate, sympathetically.

Case 2: "This call may be monitored for training purposes..."

You may find it tedious to listen to this recorded announcement before being able to get on with the business of your call. However, businesses disclosing that calls are recorded are complying with the requirements of the privacy legislation, because the legislation requires the retention of personal information (in this case the recording of the phone call) to be subject to consent, and the person being recorded needs to know in each instance that their call is potentially being recorded. Businesses cannot rely on a general expectation that this will be the case and dispense with the notification.

A recent case illustrates this. A consumer contacted a retailer, received the notification that the call may be recorded, and proceeded with their enquiry. The enquiry required the business to check and get back to the consumer. The consumer then received outbound calls from the business, discussing the consumer's issue. These calls too were recorded, but the callers from the business did not inform the consumer of this.

The consumer complained about the recording of the outbound calls. The business argued that the follow up calls were covered by the initial notification, but since this did not refer to outbound calls being recorded as well, that argument didn't work. Even if that had been said on the first call, the rules require the person to be told that this call is being recorded, so a warning on some other occasion doesn't work.

The complaint was resolved by the offer of an apology, and the business implementing systems to ensure that calls from the business which would be recorded included reading of a script saying so.

If your business records outgoing calls for training or monitoring purposes, you need to ensure that the recipient is told that fact each and every time, and that they are given the option not to proceed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.