
Topic(s): Direct marketing | Disclosure
 

O v Large Retail Organisation [2004] PrivCmrA 2



Case Citation: O v Large Retail Organisation [2004] PrivCmrA 2

Subject Heading: Disclosure of customer email addresses

Law: National Privacy Principle 2 and section 40(2) of the Privacy Act 1988 (Cth)

Facts: The Office became aware that a large retail organisation had sent a marketing offer to some of its customers by email with the email addresses of hundreds of the organisation's customers contained in the 'copy to' field. The Commissioner decided to conduct an investigation into the potential interference with privacy under section 40(2) of the Privacy Act.

The investigation revealed that the organisation had experienced technical difficulties while sending the email and that an inexperienced IT support technician had suggested the solution was to split the addresses between the 'copy to' and the 'blind copy' fields. On becoming aware of the error, the organisation identified all customers affected and issued individual emails apologising for the error, and in some instances it personally telephoned customers to discuss their concerns.

Issues: National Privacy Principle 2 sets the standards for organisations using or disclosing personal information for secondary purposes. Organisations may use or disclose personal information for the primary purpose for which the information was collected. They may also use or disclose it for secondary purposes in specified circumstances including where:

  • the personal information is not sensitive and the use or disclosure is for a related purpose that the person would reasonably expect;
  • the person has consented to the use or disclosure;
  • the information is not sensitive and it is impracticable to gain the consent of the person, the use or disclosure is for the purpose of direct marketing and the person is provided with specified information and is given the opportunity to 'opt-out' of further offers.

In this case, the organisation agreed that none of the exceptions applied. This meant that the disclosure of customer details to other customers was a breach of National Privacy Principle 2.

Outcome:

In response to the Commissioner's investigation the organisation advised that it was taking a range of steps to resolve the issue and to prevent a reoccurrence of the problem. These included:

  • reminding staff of the procedures when communicating with multiple customers, including seeking approval from a designated senior person and always using the 'blind copy' field for customer addresses;
  • ensuring that suitably qualified technical support is always available to assist with queries; and
  • developing a series of templates for emails to multiple recipients that make use of the automated recipient list process, removing the need to include multiple customers' email addresses within a single email.

The Commissioner was satisfied that the organisation had taken appropriate steps in the circumstances to rectify this situation and decided to close the investigation under section 41(2)(a) of the Privacy Act. The Commissioner commended the organisation on its prompt response to the problem.

OFFICE OF THE PRIVACY COMMISSIONER January 2004