2008 - Complaint Case Note 23

	Federal Privacy Law
		Privacy Act
		Privacy Act Regulations
		Public Interest Determinations
		Guidelines
		Complaint Case Notes & Determinations
		Audits
		Information Privacy Principles
		National Privacy Principles
		Private Sector Codes and Opt-in Registers
		Credit Reporting
		Health
		Telecommunications
		Tax File Numbers
		Spent Convictions
		Data-matching
		Privacy Advisory Committee
		Private Sector Review 2005
		ALRC Privacy Inquiry 2006 - 08
		Privacy Law History
	SPECIFIC PRIVACY INFORMATION FOR:
		Individuals
		Business
		Health
		Government

		Federal Privacy Law
		About the Office
		Frequently Asked Questions
		IT and Internet Issues
		Media and Speeches
		Publications
		Privacy Links
		International
		Contact us

2008 - Complaint Case Note 23

View printable version of this page

PDF, Word

Case Citation:

Own Motion Investigation v Direct Marketer [2008] PrivCmrA 23

Subject Heading:

Improper disclosure of personal information and failure to keep personal information secure

Law:

National Privacy Principles 2.1 and 4.1 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

An individual notified the Privacy Commissioner that the direct marketer sent out a promotional email which displayed the email addresses of all recipients. The Commissioner considered that where an email address amounted to 'personal information' in that the identity of the individual is apparent or can reasonably be ascertained, the privacy of a number of individuals may have been interfered with. While this Office did not receive any individual complaints, the Commissioner decided to conduct an investigation into the incident under section 40(2) of the Privacy Act.

Issues:

NPP 2.1 provides that personal information collected for a primary purpose must not be used or disclosed for a secondary purpose unless one of a number of exceptions in NPP 2.1(a)-(h) applies.

NPP 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Outcome:

The direct marketer responded promptly to the Commissioner's investigation and the incident. The direct marketer explained that individuals provide it with their email address specifically to receive information about upcoming promotions. The direct marketer provided its promotional email list to a third party organisation to issue the promotional email. As a result of human error, the third party organisation distributed to everyone who was on the email list an email showing those individuals' email addresses, rather than using the blind carbon copy or 'BCC' email function. The third party organisation did not follow its usual data quality control procedures in this circumstance.

The third party organisation counselled the individual responsible for the error and staff undertook refresher training in its quality control procedures. These procedures were also updated to prevent a similar incident in the future.

The direct marketer acted quickly to contact all individuals who were on the promotional email list to apologise and explain what happened. The direct marketer also committed to report to appropriate authorities any misuse of the email addresses including issuing spam emails.

Based on the information gathered during the investigation the Commissioner decided to cease her investigation into the incident. In relation to NPP 4.1, the Commissioner noted that the parties had steps in place to ensure the security of the personal information and the incident appeared to have occurred as a result of a one-off error. In relation to the disclosure under NPP 2, the Commissioner also considered that the steps the parties were taking to remedy the situation were adequate in the circumstances.

The Commissioner noted that while her investigation had been closed, any complaints from individuals that she may receive about the incident will be dealt with on their merits.

OFFICE OF THE PRIVACY COMMISSIONER

November 2008