Under s 33E of the Privacy Act 1988 (Cth)
This undertaking is offered to the Australian Information Commissioner by:
Organica Skin Clinic Pty Ltd (trading as Organica Cosmetic and Laser Clinic) ACN 603 086 013 of 1 Brygon Creek Drive, Upper Coomera, Qld 4209
Brygon MC Pty Ltd (trading as Brygon Medical Centre) ACN 151 799 905 of 1 Brygon Creek Drive, Upper Coomera, Qld 4209
1 Definitions and interpretations
In addition to terms defined elsewhere in this undertaking, the following definitions apply:
‘APP’ means Australian Privacy Principle.
‘Brygon’ means Brygon MC Pty Ltd ACN 151 799 905.
‘Commissioner’ means the Australian Information Commissioner.
‘Enforceable Undertaking’ means a written undertaking under s 33E of the Privacy Act given by an entity that the entity will:
- in order to comply with the Privacy Act, take specified action
- in order to comply with the Privacy Act, refrain from taking specified action, or
- take specified action directed towards ensuring that the entity does not do an act, or engage in a practice, in the future that interferes with the privacy of an individual
‘OAIC’ means the Office of the Australian Information Commissioner.
‘Organica’ means Organica Skin Clinic Pty Ltd ACN 603 086 013.
‘Privacy Act’ means the Privacy Act 1988 (Cth).
‘Spam Act’ means the Spam Act 2003 (Cth).
The ‘ACMA’ means the Australian Communications and Media Authority.
Unless the contrary intention appears, terms defined in the Privacy Act have the same meaning in this enforceable undertaking as they have in the Privacy Act.
2.1 Organica and Brygon are both health service providers, and therefore organisations within the meaning of s 6C of the Privacy Act. As such, they are APP entities under the Privacy Act and are required to comply with the Privacy Act and the APPs.
2.2 Organica and Brygon have the same owners.
2.3 Preliminary inquiries
2.3.1 In November 2015, a third party contacted the OAIC and alleged that Brygon had disclosed patients’ personal information to Organica for direct marketing purposes without notifying those patients or obtaining their consent. Organica subsequently used that information to direct market to patients via SMS without obtaining their consent.
2.3.2 On 26 November 2015, the OAIC wrote to Organica and Brygon about the allegations. On 10 December 2015, Organica and Brygon provided a joint response to the OAIC that acknowledged that Organica and Brygon had failed to meet their obligations under the APPs. The response also advised that Organica and Brygon were taking steps to:
- ensure that there was no repeat of the conduct
- ensure Organica and Brygon staff members are aware of, and comply with privacy obligations
2.4 Relevant APPs
2.4.1 APP 3.3 provides that an APP entity must not collect ‘sensitive information’ about an individual unless the individual has consented, or an exception applies. Section 6(1) of the Privacy Act defines ‘sensitive information’ as including health information. Health information includes personal information collected to provide a health service.
2.4.2 APP 6.1 provides that an APP entity must not use or disclose personal information collected for a particular purpose for another purpose unless the individual has consented, or an exception applies.
2.4.3 APP 7 provides that organisations must not use or disclose personal information for direct marketing except in particular circumstances. However, it does not apply to the extent that the Spam Act applies. The Spam Act provides that commercial electronic messages, such as SMS, must be sent with the recipient’s consent.
3 Acknowledgement of breach by Organica and Brygon
3.1 Organica has acknowledged to the Commissioner that they have breached APP 3.3 by collecting patients’ personal information, which is health information and therefore sensitive information, from Brygon without those patients’ consent.
3.2 Organica also acknowledges that it has breached the Spam Act by sending direct marketing material via SMS to patients without those patients’ consent.
3.3 Brygon has acknowledged to the Commissioner that they have breached APP 6.1 by disclosing their patients’ personal information to Organica without their patients’ knowledge or consent.
3.4 To address these breaches and to prevent similar incidents occurring in the future, Organica and Brygon offer this enforceable undertaking under s 33E of the Privacy Act.
4 Regulatory outcome
4.1 Under s 29 of the Privacy Act, the Commissioner must have regard to the objects of the Act (set out in s 2A of the Privacy Act) in performing the Commissioner’s functions, and exercising the Commissioner’s powers, conferred by that Act.
4.2 The OAIC has also published its Privacy regulatory action policy which explains the OAIC’s powers and its approach to using its privacy regulatory powers and making related public communications.
4.3 The Commissioner acknowledges that Organica and Brygon have cooperated with the OAIC and responded to our preliminary inquiries, including acknowledging that they have breached APP 3.3 and APP 6.1, and quickly acting to address that breach once it was drawn to their attention.
4.4 Accordingly, having regard to the objects of the Privacy Act and the Privacy regulatory action policy, the Commissioner formed the view that the acceptance of this enforceable undertaking from Organica and Brygon would be an appropriate regulatory outcome for this matter.
4.5 At the time that Organica and Brygon offered and the Commissioner accepted this enforceable undertaking, Organica and Brygon had already commenced the actions outlined in paragraphs 6.2 and 6.3.
5 Commencement date
5.1 This undertaking comes into effect when:
- the undertaking is executed by Organica and Brygon; and
- the executed undertaking is accepted by the Commissioner
(the ‘commencement date’).
6.1 General obligations when handling patient personal information
6.1.1 Organica and Brygon undertake to handle personal information in accordance with their obligations under the Privacy Act.
6.2 Establish policies and procedures
6.2.2 Organica and Brygon each undertake to, within 2 months of the commencement date, establish written patient information handling policies and procedures including policies and procedures about how patient information can be used or disclosed.
6.3 Privacy training for staff
6.3.1 Organica and Brygon undertake to each:
- develop and finalise, within 2 months of the commencement date, privacy training for their staff members including:
- training about how they can use and disclose personal information including sensitive information
- training on how their privacy obligations apply to staff members’ roles, for example, by including scenario-based training
- testing of staff members’ understanding at the completion of the training
- require all staff members to complete the privacy training of subparagraph 6.3.1(a) within 4 months of the commencement date
- require all new staff members to complete the privacy training of subparagraph 6.3.1(a) within a reasonable time from when they commence employment
- require all staff to complete refresher privacy training at least annually
- retain appropriate records of the privacy training all staff have completed or are required to complete
6.4 Destruction of patient information
6.4 Organica undertakes to, within 2 weeks of the commencement date, destroy any patient information it collected from Brygon in contravention of APP 3.3.
6.5 Provision of information to the OAIC
6.5.1 Organica and Brygon undertake to provide the OAIC with a copy of their finalised privacy policies within 1 week of publishing them on each of their respective websites.
6.5.2 Organica and Brygon undertake to provide the OAIC with confirmation of and supporting information about their fulfilment of the terms of this enforceable undertaking within 5 months of the commencement date.
6.5.3 Organica and Brygon will comply with any reasonable request from the OAIC for access to information or documents made for the purpose of assessing compliance with the terms of this enforceable undertaking.
6.6 Other matters
6.6.1 Organica and Brygon will pay the costs of their compliance with this enforceable undertaking.
6.6.2 Organica, Brygon and their officers, employees or agents, will not make any statement, orally, in writing, or otherwise, which conveys or implies anything inconsistent with the content of this enforceable undertaking.
7.1 Organica and Brygon acknowledge that the Commissioner:
- may from time to time publicly refer to this undertaking, including any breach of this undertaking by Organica and/or Brygon; and
- will publish this undertaking as well as a summary of the undertaking, on the OAIC website
7.2 Organica and Brgyon acknowledge that:
- the Commissioner’s acceptance of this undertaking does not affect the OAIC’s power to investigate, or pursue other enforcement options available to the Commissioner in relation to any contravention not the subject of the background section of this enforceable undertaking, or arising from future conduct
- this undertaking in no way derogates from the rights and remedies available under the Privacy Act to any other person, arising from any conduct described in this undertaking or arising from future conduct
Organica Skin Clinic Pty Ltd ACN 603 086 013
Joy Fe Lim, Director
Date: 6 May 2016
Brygon MC Pty Ltd ACN 151 799 905
Joy Fe Lim, Director
Date: 6 May 2016
Accepted by Timothy Pilgrim, Acting Australian Information Commissioner, under s 33E of the Privacy Act:
Date: 16 May 2016