The Privacy Commissioner recently issued three new Privacy Guides on:
- interaction between the Privacy Act and the Spam Act
- internal investigations of privacy complaints
- handling personal information security breaches.
Interaction between the Privacy Act and the Spam Act
During Privacy Awareness Week (24 – 30 August 2008), the Privacy Commissioner released Private Sector Information Sheet 26 – Interaction between the Privacy Act and the Spam Act. The Guide is designed to assist organisations that engage in electronic marketing to understand their obligations under the Privacy Act and the Spam Act. Since the penalty for breaching the Spam Act 2003 (Cth) is up to $1.1 million per day and there can be serious consequences for breaching the Privacy Act 1988 (Cth), organisations should ensure that their electronic marketing is compliant with the law.
The Spam Act prohibits sending unsolicited commercial electronic messages via emails, instant messaging, SMS and MMS (text and image-based mobile messaging). It applies to any commercial electronic message with an Australian link, regardless of the size of the business that sent the message, and includes emails sent to anonymous email addresses where the identity of the individual cannot reasonably be ascertained.
Some messages are exempt from the Spam Act including messages that contain purely factual material or messages from government bodies, registered political parties, religious organisations, registered charities or educational institutions.
The Spam Act requires that commercial electronic messages be sent only with the consent of the recipient, that the sender be identified, and that the message include a functional unsubscribe mechanism which allows the recipient to opt out.
The Privacy Act will apply where the recipient of the electronic message has been identified from a list containing that person's personal information, unless the organisation has a turnover of less than $3 million and is not otherwise covered by the Act.
If the Privacy Act applies and the electronic message includes personal information, under the National Privacy Principles the message can only be sent if it is:
- for the primary purpose for which the information was originally collected
- related to that purpose (secondary purpose) and this is within the recipient's reasonable expectations or
- with the individual's express or implied consent.
Consent can often cause uncertainty, especially when an organisation is subject to both Acts since each contains different consent provisions.
If the electronic message is subject to the Spam Act, the organisation must seek consent before sending the message, regardless of any exemptions under the Privacy Act.
If the electronic message is exempt from the Spam Act, the organisation may still need to comply with the Privacy Act if it fits within the definition of 'organisation' and if the electronic message uses personal information. However, under the Privacy Act the message can be sent without consent if it is for the primary purpose for which the information was originally collected or a related secondary purpose within the recipient's reasonable expectations.
The Guide expresses the view that the direct marketing exception (NPP 2.1(c)) will not apply since it requires consent to be 'impracticable' to obtain and, as it is easy and incurs relatively negligible cost to contact individuals electronically, it is unlikely to be 'impracticable' to obtain an individual's consent.
Internal investigations of privacy complaints
The Privacy Commissioner also released detailed step-by-step Guides to assist organisations and agencies to investigate and attempt to resolve internal privacy complaints. The two information sheets, which contain a series of questions and answers, are:
- Private Sector Information Sheet 27 – A step-by-step guide to internal investigations of privacy complaints by organisations, which applies to organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses
- Public Sector Information Sheet 2 – A step-by-step guide to internal investigations of privacy complaints by Australian and ACT government agencies, which applies to Australian and ACT government agencies covered by the Privacy Act 1988 (Cth).
The Privacy Act provides that if an individual believes that his or her privacy has been interfered with by an organisation or agency, they should direct their complaint to the organisation or agency.
If the complainant believes the matter has not been resolved, they can complain to the Privacy Commissioner. The Commissioner may then investigate and attempt to conciliate the matter and, if it is not resolved by the parties, make a determination. The Commissioner can decline to investigate in a number of circumstances including where it is clear privacy has not been interfered with, or where the matter has been 'adequately dealt with' by the organisation or agency.
The Commissioner encourages organisations and agencies to ensure that individuals are able to make complaints. This may involve an enquiries line, complaint forms in printed and electronic formats, internal processes that address the complaint and respond to the individual, and regular review of complaint handling procedures.
Personal Information Security Breaches
In response to public concerns about personal information security breaches, and a global trend towards breach notification, the Privacy Commissioner issued a final version of the Guide to Handling Personal Information Security Breaches. The Guide assists organisations and agencies to prevent and respond effectively to breaches of personal information security.
Under the Guide, a personal information security breach occurs when personal information is released to, used or modified by unauthorised individuals. Currently, there is no obligation under the Privacy Act 1988 (Cth) for organisations and agencies to notify affected individuals in the event of a personal information security breach.
The key points in the Guide remain unchanged from an earlier Draft released in April 2008, which was discussed in Privacy Update June 2008. It does however give examples of personal information security breaches:
- lost or stolen laptops with removable storage devices
- disposal of computer hard drives without erasing contents
- hacking of databases containing personal information by outside individuals
- mistakenly addressed emails containing personal information
- incidents of deception where personal information was improperly released
- illegal access of personal information by employees.
The Privacy Commissioner, Karen Curtis, stated that 'while the guide is voluntary, it represents good practice in handling breaches, and I would urge all organisations and agencies to read it and consider its use'. Since the Australian Law Reform Commission recommended that the Privacy Act be amended to include a data breach notification provision, it is possible that part of this Guide (if not all of it) will become law in the future. However, this is unlikely to occur for some time as this item is not on the government's agenda for the first tranche of privacy reform.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.