Protecting Information Rights – Advancing Information Policy

Topic(s): Compliance | Internet
 

Media Release: The Source web site privacy investigation concluded


29 November 2002

The Office of the Privacy Commissioner has concluded an investigation into The Source web site finding that the Privacy Act was breached by the Department of Family and Community Services, which manages the site. The breaches have now been adequately addressed by the Department and measures are now in place to prevent similar breaches occurring again.

"Staff who are responsible for The Source web site acted quickly and took appropriate action when it became obvious that they had made unauthorised use of their web site visitors' email addresses," said Deputy Privacy Commissioner, Timothy Pilgrim.

"The Web Site Editor apologised immediately to the people involved and no further marketing emails were sent to them," he said.

During April 2002 the Department ran 34 online "Win Free Stuff" competitions which attracted thousands of entries. In June 2002 the Web Site Editor of The Source was approached and agreed to send marketing emails to the "Win Free Stuff" entrants on behalf of RMIT students who were running a project to send spiders into space with NASA.

"At the time of the breach, the Editor of The Source web site was new to the role. The Editor had not attended a privacy awareness training session and didn't check their actions with staff in the Administrative Law Unit regarding the Commissioner's Guidelines for Federal and ACT Government Websites. However, once the new Editor began receiving complaints from The Source visitors about the marketing emails they acted quickly and appropriately," said Mr Pilgrim.

"In addition to the above actions, the Department has undertaken to implement a number of measures to ensure that this sort of breach doesn't happen again, including:

  • completing a privacy audit of their web sites;
  • changing their web site privacy statements to make them clearer;
  • destroying the database with the web site visitor details;
  • clearing up links so visitors can be sure which site they are supplying information to;
  • conducting privacy awareness training for all staff and ensuring that the training will be repeated regularly;
  • appointing their privacy contact officer to their Change Management Committee.

"The Office of the Privacy Commissioner received no formal complaints regarding the marketing emails but decided to use its own motion investigation powers to investigate the issue.

"The Office sent two audit staff to conduct a physical audit of The Source web site premises and its practices including interviewing the staff and managers involved. The auditors checked the Department's practices against the Information Privacy Principles (IPP) in the Privacy Act and also against the Commissioner's Guidelines for Federal and ACT Government Websites.

The auditors found that the web site operators had breached Information Privacy Principle 10.1 which, in summary, states that:

A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless one of a number of exceptions apply.

"It is clear that in this case none of the exceptions apply and therefore the web site operators breached the Act," said Mr Pilgrim.

"This is a cautionary tale for all web site operators, not only those who operate government sites, that they must respect the privacy of their visitors' personal information."

"I'd like to acknowledge the Department's fast response to this issue and their commitment to ensuring that this doesn't happen again."

For further information please go to the following links:

  • Information Privacy Principles
  • Guidelines for Federal and ACT Government Websites
  • The Source web site
  • Join Federal Privacy email list