Privacy and Your Clients: An Agenda for Every Business
Wednesday 25 September 2013 / by Tal Williams posted in Business, Corporate & Commercial Technology Law

In the 2012-13 financial year, the Compliance Branch of the Office of the Australian Information Commissioner (OAIC) received 1496 privacy complaints, an increase of 10% over the 1357 received in 2011-12. In addition, the OAIC dealt with 13 own motion investigations and 61 voluntary data breach notifications. Here is one case (misuse of a mobile phone number by a bank to direct-market a bank-related insurance product) that may be of interest…

The case was based on an alleged breach by the bank where it used or disclosed personal information about an individual for a purpose other than the primary purpose of collection.

Facts

The complainant was a customer of a financial institution which required the complainant to provide a mobile phone number when it set up internet banking. The financial institution told the complainant that the mobile phone number would only be used in providing security identification for internet banking.

Five years later a direct marketing company made several calls to the complainant to sell insurance products on behalf of the financial institution.

The bank tried to justify use of the mobile number on the basis that it had sent the complainant a letter about its insurance products a week before the complainant received the telephone calls.  A notice in fine print at the back of the letter stated that the financial institution would send the complainant’s mobile phone number to the financial institution’s contract company, to call the complainant, unless the complainant contacted a specified number to advise they wanted to be excluded.

Decision

The financial institution sought to rely on NPP 2.1(a), claiming that as the complainant had not responded to the letter by calling to advise they did not want to participate, the institution was entitled to assume that its disclosure of the complainant’s personal information, including mobile phone number, was within the complainant’s reasonable expectations.

The Commissioner found that to satisfy NPP 2.1(a):

In accordance with NPP 2.1(a)(i), the disclosure must be related to the primary purpose for which the personal information was collected.
In this case the complainant had provided their mobile phone number for security identification purposes. The Commissioner took into account the context in which the mobile phone number was collected and took the view that the primary purpose of collection was to provide extra security protection for banking transactions, and that disclosing the mobile phone number for the secondary purpose of enabling the direct marketing company to contact the complainant was not related to the primary purpose of collection.

In accordance with NPP 2.1(a)(ii), the individual must reasonably expect the organisation to use or disclose their information for the secondary purpose.
In this case the Commissioner’s view was that the complainant would not have reasonably expected their mobile phone number to be passed to a third party to conduct direct marketing, and that the complainant was unlikely to have closely read the correspondence as the letter sent by the financial institution was about a service that the complainant was not interested in receiving from that organisation.

The Commissioner also found the option to ‘opt out’ was not clearly and prominently presented and easy to take up. It was in fine print on the reverse of a letter. The financial institution could not establish consent to a use or disclosure where it wished to rely on a failure to object to such a use or disclosure.

Additionally, NPP 2.1(c), permitting use of personal information for the purposes of direct marketing, did not apply as the financial institution did not use the information itself for the purpose of direct marketing, but rather disclosed it to a third party for that purpose.

The parties conciliated the matter, and the complainant accepted a letter of apology and assurances from the financial institution that the complainant would not be included in any future marketing campaigns. The financial institution also undertook to conduct a review of its marketing campaign procedures. The Commissioner was satisfied that the matter was adequately dealt with and closed the matter.

Some may say that the financial institution got off lightly. But businesses should be aware that possible outcomes of privacy complaints include:

  • An apology;
  • A change to the respondent’s practices or procedures;
  • Staff counselling;
  • Taking steps to address the matter, for example providing access to personal information, or amending records;
  • Non-financial options, for example a complimentary subscription to a service; and/or
  • Compensation for financial or non-financial loss – and from March 2014 these will increase to $350,000 for individuals and $1.7 million for companies.

Tal Williams, Partner 
P:  +61 2 9390 8331
E: tal.williams@holmanwebb.com.au

Joann Yap, Graduate Lawyer
P: +61 2 9390 8340
E: joann.yap@holmanwebb.com.au

