Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not-for-profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site; consequently, some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Own Motion Investigation v Direct Marketer [2008] PrivCmrA 23
Case Citation:
Own Motion Investigation v Direct Marketer [2008] PrivCmrA 23
Subject Heading:
Improper disclosure of personal information and failure to keep personal information secure
Law:
National Privacy Principles 2.1 and 4.1 in Schedule 3 of the Privacy Act 1988 (Cth)
Facts:
An individual notified the Privacy Commissioner that the direct marketer sent out a promotional email which displayed the email addresses of all recipients. The Commissioner considered that where an email address amounted to 'personal information' in that the identity of the individual is apparent or can reasonably be ascertained, the privacy of a number of individuals may have been interfered with. While this Office did not receive any individual complaints, the Commissioner decided to conduct an investigation into the incident under section 40(2) of the Privacy Act.
Issues:
NPP 2.1 provides that personal information collected for a primary purpose must not be used or disclosed for a secondary purpose unless one of a number of exceptions in NPP 2.1(a)-(h) applies.
NPP 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
Outcome:
The direct marketer responded promptly to the Commissioner's investigation and the incident. The direct marketer explained that individuals provide it with their email address specifically to receive information about upcoming promotions. The direct marketer provided its promotional email list to a third party organisation to issue the promotional email. As a result of human error, the third party organisation distributed to everyone who was on the email list an email showing those individuals' email addresses, rather than using the blind carbon copy or 'BCC' email function. The third party organisation did not follow its usual data quality control procedures in this circumstance.
The third party organisation counselled the individual responsible for the error and staff undertook refresher training in its quality control procedures. These procedures were also updated to prevent a similar incident in the future.
The direct marketer acted quickly to contact all individuals who were on the promotional email list to apologise and explain what happened. The direct marketer also committed to report to appropriate authorities any misuse of the email addresses including issuing spam emails.
Based on the information gathered during the investigation the Commissioner decided to cease her investigation into the incident. In relation to NPP 4.1, the Commissioner noted that the parties had steps in place to ensure the security of the personal information and the incident appeared to have occurred as a result of a one-off error. In relation to the disclosure under NPP 2, the Commissioner also considered that the steps the parties were taking to remedy the situation were adequate in the circumstances.
The Commissioner noted that while her investigation had been closed, any complaints from individuals that she may receive about the incident will be dealt with on their merits.
OFFICE OF THE PRIVACY COMMISSIONER
November 2008


