In the 2012-13 financial year, the Compliance Branch of the
Office of the Australian Information Commissioner (OAIC) received
1496 privacy complaints, an increase of 10% over the 1357 received
in 2011-12. In addition, the OAIC dealt with 13 own motion
investigations and 61 voluntary data breach notifications. Here is
one case (misuse of a mobile phone number by a bank to direct
market a bank related insurance product) that may be of
The case was based on an alleged breach by the bank where it
used or disclosed personal information about an individual for a
purpose other than the primary purpose of collection.
The complainant was a customer of a financial institution which
required the complainant to provide a mobile phone number when it
set up internet banking. The financial institution told the
complainant that the mobile phone number would only be used in
providing security identification for internet banking.
Five years later a direct marketing company made several calls
to the complainant to sell insurance products on behalf of the
The bank tried to justify use of the mobile number on the basis
that it had sent the complainant a letter about its insurance
products a week before the complainant received the telephone
calls. A notice in fine print at the back of the letter stated that
the financial institution would send the complainant's mobile
phone number to the financial institution's contract company,
to call the complainant, unless the complainant contacted a
specified number to advise they wanted to be excluded.
The financial institution sought to rely on NPP 2.1(a), claiming
that as the complainant had not responded to the letter by calling
to advise they did not want to participate, the institution was
entitled to assume that its disclosure of the complainant's
personal information, including mobile phone number, was within the
complainant's reasonable expectations.
The Commissioner found that to satisfy NPP 2.1(a):
In accordance with NPP 2.1(a)(i), the disclosure must be
related to the primary purpose for which the personal information
In this case the complainant had provided their mobile phone
number for security identification purposes. The Commissioner took
into account the context in which the mobile phone number was
collected and took the view that the primary purpose of collection
was to provide extra security protection for banking transactions,
and that disclosing the mobile phone number for the secondary
purpose of enabling the direct marketing company to contact the
complainant was not related to the primary purpose of
In accordance with NPP 2.1(a)(ii), the individual must
reasonably expect the organisation to use or disclose their
information for the secondary purpose.
In this case the Commissioner's view was that the complainant
would not have reasonably expected their mobile phone number to be
passed to a third party to conduct direct marketing, and that the
complainant was unlikely to have closely read the correspondence as
the letter sent by the financial institution was about a service
that the complainant was not interested in receiving from that
The Commissioner also found the option to 'opt out' was
not clearly and prominently presented and easy to take up. It was
in fine print on the reverse of a letter. The financial institution
could not establish consent to a use or disclosure where it wished
to rely on a failure to object to such a use or disclosure.
Additionally, NPP 2.1(c), permitting use of personal information
for the purposes of direct marketing, did not apply as the
financial institution did not use the information itself for the
purpose of direct marketing, but rather disclosed it to a third
party for that purpose.
The parties conciliated the matter, and the complainant accepted
a letter of apology and assurances from the financial institution
that the complainant would not be included in any future marketing
campaigns. The financial institution also undertook to conduct a
review of its marketing campaign procedures. The Commissioner was
satisfied that the matter was adequately dealt with and closed the
Some may say that the financial institution got off lightly. But
businesses should be aware that possible outcomes of privacy
A change to the respondent's practices or procedures;
Taking steps to address the matter, for example providing
access to personal information, or amending records;
Non-financial options, for example a complimentary subscription
to a service; and/or
Compensation for financial or non-financial loss – and
from March 2014 these will increase to $350,000 for individuals and
$1.7 million for companies.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.