A and Financial Institution AICmrCN 1 (1 May 2012)
Disclosure of personal information
National Privacy Principle 2.1 in Schedule 3 of the Privacy Act 1988 (Cth)
The complainant was a customer of a financial institution. The financial institution required the complainant to provide their mobile phone number when it set up internet banking for the complainant. The financial institution told the complainant that it would only use the mobile phone number to provide security identification for internet banking. Five years later, a direct marketing company made several calls to the complainant to sell insurance products on behalf of the financial institution.
National Privacy Principle (NPP) 2.1 provides that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection, unless an exception in NPP 2.1(a)–(h) applies.
NPP 2.1(a) permits the use or disclosure of personal information for a secondary purpose where that purpose is related to the primary purpose of collection, and the individual would reasonably expect the disclosure.
NPP 2.1(b) permits a use or disclosure of personal information with the individual's consent.
NPP 2.1(c) permits the use of personal information that is not sensitive information for the purposes of direct marketing if various conditions are met.
The Commissioner investigated the matter under section 40(1) of the Privacy Act.
The financial institution advised that it sent the complainant a letter about its insurance products a week before the complainant received the telephone calls. A notice in fine print at the back of the letter stated that the financial institution would send the complainant's mobile phone number to the financial institution's contract company, to call the complainant, unless the complainant contacted a specified number to advise they wanted to be excluded from the calling program.
The financial institution sought to rely on NPP 2.1(a). The financial institution considered that, because the complainant had not responded to the letter by calling to advise it did not want to participate in the calling program, it was entitled to assume that its disclosure of the complainant's personal information, including the mobile phone number, was within the complainant's reasonable expectations.
To satisfy NPP 2.1(a), the disclosure must first, in accordance with NPP 2.1(a)(i), be related to the primary purpose for which the personal information was collected. The financial institution did not deny the complainant's claims that the complainant had provided their mobile phone number for security identification purposes. The Commissioner considered the context of the collection of the mobile phone number, and took the view that the primary purpose of collection was to provide extra security protection for banking transactions. The Commissioner took the view that disclosing the mobile phone number for the secondary purpose of enabling the direct marketing company to contact the complainant was not related to the primary purpose of collection.
Additionally, NPP 2.1(a)(ii) requires that the individual reasonably expect the organisation to use or disclose their information for the secondary purpose. The Commissioner took the view that the complainant would not have reasonably expected their mobile phone number to be passed to a third party to conduct direct marketing. The Commissioner accepted that the complainant was unlikely to have closely read the correspondence as the letter sent by the financial institution was about a service that the complainant was not interested in receiving from that organisation.
Further, the Commissioner noted that the information aimed at advising the recipient of the intention to disclose the mobile number for direct marketing purposes was included as part of additional information located on the back of the correspondence. This information, entitled ‘Important Information’, was not only on the back of the correspondence but was also in extremely small font, which could seem contrary to it being important information.
Therefore, the Commissioner took the view that the disclosure was not authorised by NPP 2.1(a) and the financial institution had interfered with the complainant's privacy.
Consideration was also given to whether other provisions of NPP 2.1 may have been applicable in the circumstances.
The financial institution did not seek to rely on NPP 2.1(b) by suggesting that the complainant had implicitly consented to the disclosure by not responding to the letter. However, the Commissioner expressed the view that this provision would not have been applicable. In this regard, the Commissioner took into consideration the NPP Guidelines issued by the OAIC which note that an organisation would have difficulty in establishing consent to a use or disclosure where it wishes to rely on a failure to object to a use or disclosure when the option to opt out was not clearly and prominently presented and easy to take up.
Further, NPP 2.1(c), the direct marketing provisions, did not apply as the financial institution did not use the information itself for the purpose of direct marketing, but rather disclosed it to a third party for that purpose.
The parties conciliated the matter. To resolve the matter the complainant accepted a letter of apology and assurances from the financial institution that the complainant would not be included in any future marketing campaigns. The financial institution also undertook to conduct a review of its marketing campaign procedures.
Satisfied that the matter had been adequately dealt with, the Commissioner closed the matter under section 41(2)(a) of the Privacy Act.
Office of the Australian Information Commissioner