A and Financial Institution [2012] AICmrCN 1 (1 May 2012): National Privacy Principle 2.1
June 4, 2012
The Privacy Commissioner has released a determination, A and Financial Institution [2012] AICmrCN 1. The NPP considered was NPP 2.1, under which an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection, unless an exception applies.
Facts
The complainant was a customer of a financial institution. The financial institution required the complainant to provide a mobile phone number when it set up internet banking. It told the complainant that the mobile phone number would only be used in providing security identification for internet banking.
Five years later, a direct marketing company made several calls to the complainant to sell insurance products on behalf of the financial institution. The financial institution sent the complainant a letter about its insurance products a week before the telephone calls. A notice in fine print at the back of the letter stated that the financial institution would send the complainant’s mobile phone number to the financial institution’s contract company, to call the complainant, unless the complainant contacted a specified number to advise they wanted to be excluded from the calling program.
Decision
The financial institution relied on NPP 2.1(a), claiming that because the complainant had not advised that they did not want to participate in the calling program, it was entitled to assume that its disclosure of the complainant’s personal information, including the mobile phone number, was within the complainant’s reasonable expectations.
The Commissioner found that to satisfy NPP 2.1(a), the disclosure must first be related to the primary purpose for which the personal information was collected. The complainant had provided a mobile phone number for security identification purposes. The Commissioner considered the context of the collection of the mobile phone number, and took the view that the primary purpose of collection was to provide extra security protection for banking transactions and that disclosing the mobile phone number for the secondary purpose of enabling the direct marketing company to contact the complainant was not related to the primary purpose of collection.
The Commissioner found that NPP 2.1(a)(ii) required the individual to reasonably expect the organisation to use or disclose the information for the secondary purpose. The complainant would not have reasonably expected the mobile phone number to be passed to a third party to conduct direct marketing. The complainant was unlikely to have closely read the correspondence as the letter sent by the financial institution was about a service that the complainant was not interested in receiving from that organisation.
The Commissioner found that the information aimed at advising the recipient of the intention to disclose the mobile number for direct marketing purposes was included as part of additional information located on the back of the correspondence in extremely small font. The Commissioner found that the disclosure was not authorised by NPP 2.1(a) and the financial institution had interfered with the complainant’s privacy.
The Commissioner considered whether other provisions of NPP 2.1 may have been applicable in the circumstances, even though the financial institution did not seek to rely on NPP 2.1(b) by suggesting that the complainant had implicitly consented to the disclosure by not responding to the letter. The Commissioner expressed the view that this provision would not have been applicable, having regard to the NPP Guidelines issued by the OAIC, which provide that an organisation would have difficulty in establishing consent to a use or disclosure where it wishes to rely on a failure to object and the option to opt out was not clearly and prominently presented and easy to take up. NPP 2.1(c), the direct marketing provision, did not apply, as the financial institution did not use the information itself for the purpose of direct marketing but rather disclosed it to a third party for that purpose.
The parties conciliated the matter. To resolve the matter the complainant accepted a letter of apology and assurances from the financial institution that the complainant would not be included in any future marketing campaigns. The financial institution also undertook to conduct a review of its marketing campaign procedures.
Issue
On an objective analysis, the financial institution engaged in egregious privacy breaches and sought to justify its behaviour by relying upon a notice in small print on the back of a letter. Passing a mobile phone number on to a third party without consent is a serious breach of privacy. That is all the more so when the mobile phone number was provided for security identification. While conciliation is a good option, it is an anemic, halfway-house form of outcome. Unfortunately, that is not surprising. It was a breach sufficient to warrant an award of damages. That was within the Commissioner’s power.