Traps for the unwary
The Federal Privacy Commissioner has released several further case notes this month dealing with complaints received by the Commissioner and other investigations concerning private organisations and government agencies.
Case 1: Consent to disclosure of personal information
A person was asked to complete a standard claim form by an insurance company. The form included a broadly drafted clause stating that the person agreed that the company "may disclose to anybody any information about you".
The person notified the Commissioner that the form may not comply with the Privacy Act and the Commissioner agreed to investigate the matter. The Commissioner's view was that if the insurance company were to rely on the consent given under that clause, this would not comply with the Privacy Act. In response, the insurance company claimed that it would ordinarily rely on other, more specific consents in the form rather than the broadly worded clause. The company, however, agreed to remove the offending clause from its form.
This case indicates that the Commissioner is taking a very active approach in monitoring privacy statements upon receiving complaints, even where companies have not yet sought to rely upon the terms of those statements. It also serves as a useful reminder to companies generally of the requirements for valid consent for use and disclosure of personal information and the need to ensure that their privacy policies are current and properly drafted to reflect their actual practices.
Case 2: Direct marketing
A charitable organisation outsourced its direct marketing activities to a third party contractor. A person who received one of the direct marketing letters complained to the Commissioner that the charity should not have collected and used their information.
The Commissioner investigated and found that: (1) the contractor had used its own database of customers for direct marketing activities; and (2) the charity had not been provided with the database. The Commissioner concluded that in these circumstances, the charity had not breached the Privacy Act as it had not collected or unlawfully used the person's personal information.
The Commissioner did, however, notify the person that they could make a complaint against the contractor, although it is unclear on the facts whether the person took that step.
This case illustrates that an organisation which engages a contractor for direct marketing purposes may not be liable for the contractor's conduct where the contractor uses information which the contractor has collected. This would not prevent a claim being made against the contractor regarding their conduct.
Case 3: Default credit listing
A person failed to pay an outstanding balance on their account with a telecommunications company. The company then listed a payment default on the person's consumer credit file. The person claimed that the debt was not owed and that the listing was incorrect.
The Commissioner's investigation confirmed that the debt was outstanding. However, during the course of the investigation, the company acknowledged that the amount of the outstanding debt had been incorrectly listed on the person's consumer credit information file. The Commissioner held that the company had complied with the Privacy Act regarding the listing of the payment default even though the company had listed the incorrect amount.
The company agreed to remove the default listing and cancel the debt, and in light of those actions, the Commissioner ended her investigation.
Case 4: Security of personal information in presence of journalists
A "person of interest" in a compliance activity conducted by a Commonwealth agency was questioned and asked to complete forms in the presence of agency staff and journalists. The agency sent background information to the journalists after this session. The person complained that the agency had inadequately secured their personal information.
The Commissioner found that there was a genuine risk that the journalists could have overheard personal information and that the agency failed to adequately safeguard the individual's personal information against unauthorised access. The agency acknowledged that it had disclosed the individual's personal information in breach of the Information Privacy Principles.
The matter went to conciliation, which resulted in the agency issuing a formal apology and paying compensation to the person. The agency also changed its privacy regime and conducted additional training for its officers.
Case 5: Legal action against a private school
A private school was involved in a dispute with a person which may have resulted in legal action. Prior to commencing any action, the person sent an unsolicited copy of their intended legal claim to the school. The person was subsequently contacted by a third party, who claimed that the school had advised them that court proceedings were imminent and that the third party may be required to attend court as a witness.
The Commissioner investigated at the request of the person and found that the school had in fact discussed the intended claim with the third party before it was lodged at court.
The school alleged that the National Privacy Principles under the Privacy Act did not apply, because the information was unsolicited and therefore not "collected" by the school. The Commissioner denied this claim, finding that the National Privacy Principles applied to both solicited and unsolicited information and hence applied to the school's collection and disclosure of the document.
However, according to the Commissioner, the school had not breached the Privacy Act by retaining the legal claim and discussing it with the third party. In reaching this decision, the Commissioner found that the "primary purpose" of the school collecting and disclosing the information was to defend or avoid any legal action brought by the person. The retention of the information by the school was consistent with this primary purpose and the third party disclosure was also made for this purpose.
The Commissioner also commented that even if the disclosure was for a secondary purpose, it would still have been consistent with the Privacy Act because it was a "directly related" secondary purpose and it was within the reasonable expectations of the person that the school would test the intended legal claim by contacting potential witnesses.
This case clarifies that organisations may have "collected" information within the meaning of the Privacy Act even where the information is unsolicited. Such organisations will then need to consider the purpose of collection and the operation of the Privacy Act prior to any subsequent use or disclosure of the information.
Case 6: Disclosure to Consumer Trader and Tenancy Tribunal
There was a dispute before the NSW Consumer Trader and Tenancy Tribunal between a person and their health service provider. Upon request by the Tribunal, the health service provider had given details of the person's Medicare benefits and other personal information to the Tribunal prior to the hearing.
An organisation is permitted under the Privacy Act to disclose personal information if required by or authorised under law. The Commissioner conducted a preliminary investigation and found that the Tribunal had given a formal direction to the provider to disclose the person's personal information. In these circumstances, the Commissioner held that the Tribunal's direction meant that the provider was authorised under law to disclose the information in accordance with the Privacy Act.
Case 7: Repeated requests for information
A finance company refused a person access to their personal information on the basis that the request was "frivolous and vexatious", which is a ground for refusing access under the Privacy Act. The person had made several requests over the previous 4 years for access to their account statements held by the company. The company had provided the person with access to that information at least twice during that time.
The Commissioner found that the person's repeated requests for access were "substantially, if not solely" motivated by a desire to revisit earlier court litigation and to pursue an unrelated complaint. As a result, the Commissioner held that the request was vexatious and that the company was entitled to deny the person access to the requested information.