New and “improved” duties – social media obligations and opt-outs: OAIC releases second tranche of the Australian Privacy Principles Guidelines Part One

The Office of the Australian Information Commissioner (OAIC) has released the second tranche of the draft Australian Privacy Principles Guidelines (Guidelines) for public consultation.  It deals with Australian Privacy Principles (APPs) 6 to 11 which:

  • assist organisations in determining when they can make use of and disclose the personal information they have collected;

  • encourage organisations to refrain from using personal information for direct marketing purposes (unless permitted to do so where an exception applies) and to develop “opt-out” mechanisms for consumers and/or their customers;

  • oblige organisations that operate on a global scale to observe the APPs overseas and to ensure their contractors and agents do the same; and

  • restrict organisations from using or disclosing government related identifiers, and ensure organisations keep the personal information they hold up-to-date, accurate and secure.

APP 6 provides that an organisation may only use or disclose personal information for the purpose for which it was collected (known as the primary purpose), or for a secondary purpose if an exception applies.  The Guidelines advise, by way of a simple touchstone, that an organisation will normally be able to use or disclose personal information in ways that the individual would expect.

The main exceptions apply where the individual consents to the secondary use or disclosure, or where the individual would reasonably expect the organisation to use or disclose their personal information for the secondary purpose and that secondary purpose relates to the primary purpose of collection.

“Use” and “disclose”

To comply with these new and updated obligations, you and your organisation will need to:

1.  Ensure that, when determining what personal information you can and cannot use or disclose, you and your organisation understand what is meant by the terms “primary purpose” and “secondary purpose”.

Although the terms “use” and “disclose” do not appear problematic at first glance, neither is defined in the Privacy Act 1988 (Cth), and the Guidelines provide that each is to be given its ordinary dictionary meaning.  An organisation “uses” personal information where the information is handled, or an activity is undertaken with it, within the organisation.

Examples include:

  • accessing and reading personal information;

  • searching records containing information;

  • making decisions based on the information; and

  • passing the information from one part of an organisation to another.

By contrast, an organisation “discloses” information where it permits that information to become known outside the organisation and releases it from its effective control.

The primary purpose

The Guidelines advise that the “primary purpose” of collection should be determined on a case-by-case basis and that the term should generally “be construed narrowly”.

The secondary purpose

The Guidelines provide that a secondary purpose is “any purpose other than the primary purpose for which the APP entity collected the personal information”.

An organisation may use or disclose information for a secondary purpose where the individual:

  • has consented to the use or disclosure of the information (APP 6.1(a)); or

  • would reasonably expect the organisation to use or disclose the information for that secondary purpose (APP 6.2(a)).

In determining whether an individual would “reasonably expect” an organisation to use or disclose information for a specific secondary purpose:

  • the organisation will need to put itself in the shoes of a person with no particular knowledge of the industry or activity involved;

  • consider whether that person would expect the organisation to use only part of the document or file for a secondary purpose (for example, if someone filed a complaint against a member of an organisation, they may expect their name to be released to the accused, but not their address and other contact details); and

  • consider whether there is a sufficient relationship between the primary and secondary purpose (there needs to be more than a merely tenuous link).

2.  Ensure you do not use personal information for direct marketing purposes (unless an exception applies) – even in inadvertent ways such as “internet advertising”

APP 7 states that organisations may not use or disclose personal information for the purpose of direct marketing, unless an exception applies.  Direct marketing is defined as involving “the use and/or disclosure of personal information to communicate directly with a specific individual to promote goods and services” and can be carried out through a wide range of means of communication such as phone calls, mail, SMS or emails.

How information is communicated

Notably, the Guidelines make reference to “direct marketing” taking place through online advertising: for example, an advertisement displayed to a person who has logged into a social media website, targeted using personal information, including data stored in cookies about the websites the individual has viewed.  While using technology in this way is not overtly complicated, the privacy implications are not readily recognisable and may be something a company fails to consider when developing its internal privacy policy.  Organisations will need to take steps to ensure that all of their marketing platforms comply with APP 7.

What are the exceptions?

(A) Where direct marketing is “reasonably expected”

An organisation may use or disclose personal information about an individual for the purpose of direct marketing if:

  • the organisation has collected the information from the individual;

  • the individual would reasonably expect the organisation to use or disclose the information for that purpose;

  • the organisation provides a simple means by which an individual can elect to opt-out of receiving direct marketing communications; and

  • the individual has not elected to opt-out.

When determining whether the individual had a “reasonable expectation”, the following should be considered:

  • whether the organisation’s APP Privacy Policy makes it readily understandable that it collects, holds, uses and/or discloses personal information for the purpose of direct marketing;

  • whether the organisation has taken any steps to notify the individual of the purpose of collection;

  • that an organisation should not merely assume that an individual would reasonably expect their personal information to be used or disclosed for the purpose of direct marketing merely because it thinks that the individual would “welcome the direct marketing, for example, because of the individual’s profession, interest or hobby”; and

  • that an organisation should assess the reasonable expectations at the time of the proposed use or disclosure, rather than at the time that the personal information is collected.

(B) Where direct marketing is not “reasonably expected”

An organisation may use or disclose personal information about an individual for the purpose of direct marketing if:

  • the organisation has collected the information from the individual (who would not reasonably expect the information to be used or disclosed for that purpose) or from a third party;

  • the individual has consented to use or disclosure for that purpose, or it is impracticable to obtain that consent;

  • the organisation provides an opt-out mechanism; and

  • the individual has not made an opt-out request.

3.  Give an option to opt-out to those you collect information from or who you market to

Where an exception applies, an organisation must provide individuals with simple, affordable and easy to access opt-out mechanisms and the organisation must comply with requests from individuals to opt-out. 

The Guidelines advise that a straightforward means of opting out should include:

  • clear and easy instructions as to how to opt-out;

  • a readily usable process for opting-out;

  • an opt-out process that uses the same communication channel that the organisation used to deliver the direct marketing communication; and

  • a process which is free or involves minimal cost (such as the use of stamps or making a local telephone call).

Organisations can elect to offer individuals a choice between a full or partial opt-out, so that, for instance, a customer can choose to receive only information relating to certain products or offers.  This gives companies flexibility in maintaining their mailing database.

It is equally important that an organisation follow through with any request by an individual to opt-out as soon as possible.

APP 7 further enables an individual to request that an organisation identify the source of the personal information in the organisation’s possession.  An organisation must comply with any such request, unless it is “impracticable” or “unreasonable” for it to do so.

Lavan Legal comment

You need to review your internal policies regarding the use and disclosure of personal information and produce and/or update any opt-out mechanisms you provide individuals with.  All of this needs to be done before the new privacy laws come into force on 12 March 2014.  Don’t leave it too late.

Lavan Legal can assist you in developing appropriate internal policies for the handling, use and/or disclosure of personal information and/or in identifying any problems with your existing privacy protections and policies.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.