‘LP’ v The Westin Sydney (Privacy) [2017] AICmr (7 June 2017): APP 3.5 and 12, secret recording of telephone conversation by The Westin
June 14, 2017 |
The Privacy Commissioner handed down a decision finding that the The Westin Sydney interfered with the complainant’s privacy in LP’ and The Westin Sydney (Privacy) [2017] AICmr 53. The Westin was found to have interfered with the privacy of LP by recording his telephone conversation without advising him beforehand. It is a decision that has not been publicised. That is a shame and quite different to the practice by the Information Commissioner in the United Kingdom and the Federal Trade Commission in the United States. It is a practice failing by the Australian Privacy Commissioner.
FACTS
LP booked a room at The Westin. On the afternoon of 17 January 2016, he arrived and checked in. The Westin employee who handled his check-in informed him that there would be a 10 to 20 minute delay until his room became available. While LP was waiting in the hotel’s executive lounge he received a call on his mobile phone from a Westin employee who advised that the preferred room was not be available until later that afternoon. LP was then asked whether he wanted to wait for a similar room on a different floor, or if he would prefer an alternate smaller room on the same floor that was available immediately. LP agreed to accept the alternate room, but was unhappy [4].
LP subsequently complained to The Westin about his treatment, including the unavailability of his preferred room. While responding to this complaint, on 18 January 2016, the Executive Assistant Manager of The Westin referred to the recording of LP with a Westin employee. LP had been unaware that The Westin had recorded the call [5].
On 19 January 2016, LP emailed the General Manager of The Westin about the recording. He stated that the recording had occurred in contravention of the Surveillance Devices Act 2007 (NSW) the Telecommunications (Interception and Access) Act 1979 (Cth) and the Privacy Act. He requested a copy of the call recording. The Westin did not immediately respond to the request [6].
On 22 January 2016 LP made a complaint to the OAIC under s 36 of the Privacy Act claiming that the call recording was ‘an unlawful breach of NSW law’ and his privacy, and that the respondent had not provided him with a copy of the call recording on request [7].
DECISION
The complaint
The Commissioner summarised, at [8], the subject matter for determination, the relevant acts and practices, as:
- The Westin’s act of recording the telephone call of 17 January 2016 without the complainant’s knowledge;
- The Westin’s failure to provide the complainant with a copy of the call recording on request in a timely manner.
The Commissioner found that the Westin is an organisation for the purposes of the Privacy Act. It is an APP entity and the APPs apply to it [12].
Issue 1 – collection by ‘lawful and fair’ means (APP 3)
The Commissioner noted that APP 3.5 says that ‘[a]n APP entity must collect personal information only by lawful and fair means.’ [15]
The Privacy Commissioner noted, at [16], that Personal information is defined in s 6 of the Privacy Act as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not’.
The Commissioner rejected the LP’s allegations that the information collected in the call recording including ‘sensitive information’ as defined in s 6 of the Privacy Act information ‘relating to philosophical opinions (about fair trade and deceptive practices) … and medical information (disability was disclosed, in relation to why another floor was not acceptable)’ [18]. The Commissioner did find, however, that Westin collected the complainant’s personal information [19].
Was the collection unlawful
The Commissioner, at [20], referred to The Australian Privacy Principle Guidelines regarding what constitutes lawful and unlawful stating:
[3.60] The term ‘lawful’ is not defined in the Privacy Act. … Unlawful activity does not include breach of a contract.
[3.61] Examples of collection that would not be lawful include:
- collecting in breach of legislation, for example: …
- collecting using telephone interception or a listening device except under the authority of a warrant (For example, Telecommunications (Interception) Act 1979 (Cth) s 7; Surveillance Devices Act 2004 (Cth) s 14) …
[3.62] A ‘fair means’ of collecting information is one that does not involve intimidation or deception, and is not unreasonably intrusive. Whether a collection uses unfair means will depend on the circumstances. For example, it would usually be unfair to collect personal information covertly without the knowledge of the individual. However, this may be a fair means of collection if undertaken in connection with a fraud investigation. …
Regarding the New South Wales Surveillance Act the Commissioner stated:
- the Act prohibits the use of certain surveillance devices and the recording of ‘private conversations’ without the knowledge of the participants in the conversation [22].
- ‘Private conversation’ is defined in s 4 of the NSW Act, and provides that the call must be made ‘in circumstances that may reasonably be taken to indicate that [either call participant] desires the words to be listened to only … by themselves … [or] by some other person who has the consent, express or implied, of all of those persons to do so’ [22].
- the conversation itself was of an innocuous and transactional nature which did not constitute a private or confidential discussion. As such he was not satisfied that the call was a private conversation for the purposes of the Act [23].
Regarding the Telecommunications (Interception and Access) Act 1979 the Commissioner stated:
- The Act prohibits the ‘interception’ of telecommunications passing over a telecommunications system [24].
- Section 6(1) provides that ‘interception of a communication passing over a telecommunications system consists of listening to or recording, by any means, such a communication in its passage over that telecommunications system without the knowledge of the person making the communication’ [24].
- Section 6 of the Act defines ‘interception’ to mean only the listening to or recording of a communication ‘in its passage’ over a telephone communications system. Judicial decision-makers have stated on a number of occasions that a purpose of the TIA Act in seeking to regulate the interception of a communication is to protect against a third party invading the privacy of that communication between caller and receiver [25].
The Westin argued that
- the recording of the communication was not made in its passage over the telephone communications system, but rather was created using equipment installed on The Westin premises and could therefore have only occurred once the transmission was received.
- the communication was not ‘in its passage’ over a telecommunication system and the recording would therefore not constitute ‘interception’ [26].
The Commissioner found that as the recording occurred in a PABX telephone system under The Westin’s control there was no ‘third party’ intrusion into the communication between respondent and complainant and there has been no ‘interception’ of the call for the purpose of the TIA Act [26]. As such he regarded the collection as lawful.
Was the collection fair?
The Commissioner stated that even if the collection was lawful, it may not have been fair and, subject to some exceptions, it would usually be unfair to collect personal information covertly without the knowledge of the individual [27].
LP argued that recording conversations covertly goes against accepted community values, and is ‘unethical and a substantial impropriety’ [28] .
The Westin, at [29], submitted that it had taken numerous steps to inform LP that The Westin would collect his personal information and that happened with the phone call of 17 January 2016. It referred to and relied upon its Privacy Statement and the registration card stating:
- in the Privacy Statement that it … informs individuals of the collection of their personal information including, if applicable, information for ‘fulfilling reservations or information requests’ and ‘accommodating your personal preferences’.
- in the Privacy Statement a notification that personal information may be used to provide services such as making reservations or processing another type of transaction;’ …
- LP made an online reservation, on 9 January 2016, for the 17 January 2016 stay … . To make that reservation, and was again presented with the Privacy Statement in the course of confirming his reservation. …
- that the registration card:
You authorise Starwood Hotels & Resorts Worldwide Inc. and its affiliated and subsidiary companies to collect, process and use information collected in conjunction with your stay for lawful Starwood Group business related purposes, to store your Guest Information at and transmit your Guest Information to various locations throughout the world, either directly or through its third party vendors, as the Starwood group deems appropriate, whether within your country of residence, the United States or elsewhere. To learn more about our data collection and usage practices, please see our Privacy Statement at starwoodhotels.com.
The Westin submitted, at [30], that in light of the above notices the collection of the complainant’s information was unlawful or unfair because:
- none of the personal information the subject of the complaint was collected without notice,
- the personal information was used in a manner consistent with those notices.
- it was not intrusive or unusual for a hospitality company like The Westin to retain records of its communications with guests which directly relate to the service provided.
- at no point did it misrepresent the purpose or effect of collection to LP or suggest that The Westin would not retain a record of the complainant’s instructions about room selection. .
The Commissioner accepted LP’s argument that according to ordinary Australian community standards, participants in a telephone call would generally expect to be notified if the call will be recorded. As such, if notification is not given, call participants can reasonably expect that a call will not be recorded [32].
The Commissioner found, at [34], that when considering whether a collection such as this is ‘unfair’ for the purposes of APP 3.5 all the circumstances must be considered including
- issues going to the sensitivity or secrecy of the conversation,
- the reasonable expectations of participants,
- the ease with which the participants could be informed that a recording was being made.
The Commissioner found that:
- it would not have been difficult for The Westin to alert LP that it was recording the call and there was no apparent reason why The Westin did not notify him. Although the nature of the conversation was not sensitive or secret, LP had a reasonable expectation that the call would not be recorded without his knowledge [34].
- as The Westin recorded LP’s call without his knowledge and in all the circumstances of the call that was constitutes a collection by unfair means [36] and was a breach of APP 3.5 [37].
Issue 2 – request for access to personal information (APP 12)
On 19 January 2016, LP requested a copy of the call recording held by The Westin. On 22 January 2016, he complained to the OAIC that The Westin had not responded to that request [38].
APP 12.1 provides:
‘If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.’ If the entity is an ‘organisation’ (which The Westin is), then APP 12.4(a)(ii) requires that access must be provided ‘within a reasonable period after the request is made’.
The Commissioner noted that the APP guidelines state ‘as a general guide, a reasonable period should not exceed 30 calendar days’ [40]. The Westin provided the recording to LP through the OAIC on 8 March 2016, in the course of responding to his privacy complaint [42].
The Commissioner, at [43], relying on the guidelines regarded the relevant factors as including:
- the scope and clarity of the request,
- the location of and access to the requested information,
- how quickly the information can be assembled for disclosure to the requestor, and
- whether any consultation is required with the individual or other parties.
The Commissioner found that:
- the request was very specific;
- the recording very accessible.
- The Westin may have needed to take the additional step of transforming the call into a readily accessible format
- it was also open to The Westin to impose a charge for providing access, and some time might be justified in deciding whether or not to charge, and if so, calculating an appropriate charge.
- The Westin might also have considered whether any of the exceptions in APP 12 applied (although it ultimately decided that the recording could be released to the complainant in full).
in finding that there was any significant delay in responding to the and that on general administrative terms, three days is not indicative of a delay [45]. As a consequence The Westin did not breach APP 12.4(a) [46].
Damages and other remedies
LP sought $35,000 in total for non economic loss ($20,000) and aggravated damages ($15,000) [60] and provided a number of statements, including an expert opinion from a clinical psychologist, a letter from his general practitioner, and a statement from a friend who was present with LP during his stay at The Westin [61].
As the Commissioner was satisfied that the procedural and technical measures put in place by The Westin in response to this complaint should ensure that future recordings are not made by The Westin without the knowledge of the other call participant in breach of APP 3.5 he declined to make a declaration that The Westin take steps to ensure the relevant conduct is not repeated under s 52(1)(b)(ia) [63].
Based one the evidence the Commissioner found that the APP 3.5 breach has adversely affected LP and that some award of compensation was appropriate [64]. The Commissioner had regard to the principles relevant to the assessment of damages summarised by the Administrative Appeals Tribunal in EQ and Office of the Australian Information Commissioner (Freedom of information) and Rummery and Federal Privacy Commissioner.
In assessing non economic loss the Commissioner considered:
- the nature of the personal information;
- the effect of its unfair collection had on LP
- how The Westin has responded to the complaint and conducted itself throughout the investigation process.
The Commissioner found, at [68], that the breach in this case does not command damages in the higher range the rationale being:
- the breach was evidently an oversight,
- the breach was not intended to upset LP in any way
- the call was of a transactional nature and the information collected was relatively innocuous.
The Commissioner cited Rummery in assessing damages having regard to LP’s reaction and not by the perceived reaction of the majority of the community or of a reasonable person in similar circumstances. and relied upon:
- ‘S’ and Veda Advantage Information Services and Solutions Limited which involved an award of $2,000 for the stress and anxiety caused by reason of Veda’s failure to take reasonable steps to ensure that the information contained in the complainant’s credit file was accurate, up-to-date, complete and not misleading.
- ‘IQ’ and NRMA Insurance Australia Limited where an award of $2,000 was made for the improper disclosure of IQ’s personal information to his spouse and daughter, which caused the complainant in that matter ‘huge stress and anxiety’
in awarding $1,500[68].
The Commissioner declined, at [71], to award aggravated damages, citing, at [69], the relevant principles as:
- Aggravated damages may be awarded where the respondent behaved ‘high-handedly, maliciously, insultingly or oppressively in committing the act of discrimination.’
- The ‘manner in which a defendant conducts his or her case may exacerbate the hurt and injury suffered by the plaintiff so as to warrant the award of additional compensation in the form of aggravated damages.’
The Commissioner made the following declarations:
- the complaint was substantiated in part in accordance with s 52(1)(b) of the Privacy Act, on the basis that the respondent collected LP’s personal information by unfair means [72].
- in accordance with s 52(1)(b)(ii) of the Privacy Act that the respondent must issue a written apology to the complainant acknowledging its interference with the complainant’s privacy within 60 days of the date of this determination [73]
- in accordance with s 52(1)(b)(iii) of the Privacy Act that the respondent must pay the complainant the amount of $1,500 for non-economic loss caused by the respondent’s interference with the complainant’s privacy within 60 days of the date of this determination [74].
ISSUE
This is a valuable decision in addressing the issue of recorded telephone calls without consent. The analysis of unfair practices under APP 3.5 provides some clarity on what are the relevant principles. The analysis of unlawful is less persuasive and cursory. It should be regarded with caution. It is interesting to note that The Westin took a very expansive view of what notice and consents were contained within its Privacy Policy and registration card. It’s reliance on those documents to permit an employee to record a telephone call without prior notice was reckless.
It was reasonable for the Commissioner to reject the complaint about a breach of APP 12. The guidelines provide for 30 days. LP made a complaint to the Privacy Commissioner 3 days after having his critical conversation with the Westin staff.
The Privacy Commissioner’s analysis of the principles binding him on the question of damages continues to be disappointing. The analysis in this case is both cursory, superficial and likely to be erroneous. The AAT decisions cited have limited precedential weight and are increasingly at odds with the approach taken by the Federal Court and State courts in discrimination and cases involving distress and humiliation. The awards in those cases have increased markedly. Yet the Privacy Commissioner is frozen in time in his analysis. It is important to note that damages are matters of discretion. It is erroneous analysis to, as the Privacy Commissioner consistently does, to measure a prospective award against some form of tariff, set by previous decisions, that binds him. The award of $1,500 in this case is risible on any assessment. Recording one’s telephone conversation is an egregious act, particularly by a large organisation that should know better. The analysis of aggravated damages is cursory and not representative of all the relevant factors. The time is long overdue that the issue of damages be considered by the Federal Court. This is probably a good case to have tested in the Federal Court with LP now having a right under sub section 55A(1)(a) of the Privacy Act 1988. Under sub section 55A(5) it is a hearing de novo. There is a reasonable chance that the tentative, restrained and deeply conservative approach will not be followed, particularly regarding damages.
[…] ‘LP’ v The Westin Sydney (Privacy) [2017] AICmr (7 June 2017) […]
The “unfair” finding is consistent with a similar case from the Information Commissioner’s Case Notes – P and Retail Company [2011] AICmrCN 10 (22 December 2011) http://www.austlii.edu.au/cgi-bin/sinodisp/au/cases/cth/AICmrCN/2011/10.html
In that matter, the Retail Company presented similar arguments to those of the Westin Sydney as to implied consent for recording of calls, which the Information Commissioner rejected in that case too.
The implication is that the more “intrusive” the collection (and recording of telephone conversations is generally held to be quite intrusive), the more necessary that adequate disclosure be given, at time of collection (and that generalised and non-specific notifications will be inadequate).
Given the Information Commissioner’s rejection of any legal relevance of the TIAA in LP, it is interesting that a different view was held by the Information Commissioner in P, where he stated:
In considering whether the collection was by fair and lawful means, the Commissioner had regard to the relevant industry standards and telecommunications recording laws. The Telecommunications (Interception and Access) Act 1979 (Cth) specifies that all parties in the telephone conversation must have actual knowledge that the conversation will be monitored and this notification must occur prior to the activity taking place for both inbound and outbound calls.