4 July 2001
Draft National Privacy Principles (NPPs) Guidelines
This is a submission in response to the consultation paper on the draft National Privacy Principles Guidelines issued by the Office of the Federal Privacy Commissioner ("OFPC").
1. Executive Summary
EFA considers the draft NPP Guidelines provide a very useful guide to understanding the rights and responsibilities set out in the Act and the approach the Commissioner plans to take in the event of complaints concerning breach of privacy.
EFA supports the overall approach proposed in regard to consent, use and disclosure. However, we consider there are a number of areas where greater clarity is necessary and that some additional matters should be addressed. These include:
More guidance should be provided for working out the primary purpose in cases where the collecting organisation collects personal information from a third party instead of from the individual. The primary purpose should remain the purpose for which the individual provided their personal information to an organisation (the original collector), irrespective of any "primary" purpose a third party organisation claims in collecting it from the original collector. We consider that unless this approach is taken, the lack of restriction on use and disclosure for a "primary purpose" will result in individuals having inadequate control of their personal information, notwithstanding warnings against indirect collection.
Information should be provided on the relationship between the sections of the Act covering the private sector and those covering the public sector, for example, in relation to the obligations of of private sector organisations who collect personal information from government agencies. It should be made clear that a private sector organisation cannot avoid providing NPP 1. 5 information on grounds that a government agency claims it had consent to disclose the information, since government agencies are not required to comply with the NPPs which are different to the IPPs, and also that some State and Local Government agencies are not required to comply with any privacy legislation.
The section regarding unfair and intrusive collection practices should be expanded to include indirect collection from sources such as public registers that contain personal information that individuals were compelled by law to provide. Since individuals clearly did not voluntarily consent to provide their information in the first place, indirect collection from these sources is clearly unfair. While the section titled "Unfair Collection and Spam" states that trawling the Internet for email addresses is an unfair collection , collection of personal information from a public register such as the Electoral Roll is an equally if not more unfair means of collecting personal information because individuals did not have the option to decline to provide their information (other than to fail to comply with the law). We recommend the section be retitled "Unfair Collection and Direct Marketing" and address both trawling the Internet for email addresses and collection of personal information from public registers that contain compulsorily provided information.
In relation to direct marketing and NPP 2. 1(c), EFA emphasises that it is never impracticable to seek explicit consent prior to sending direct marketing material by email and it is essential that organisations be required to do so. Information in this regard is contained in Appendix 1.
While the section on direct marketing as a secondary purpose is helpful in understanding permitted uses, the Guidelines should also address the matter of indirect collection and use/disclosure of personal information for the "primary purpose" of "direct marketing" (and with emphasis where relevant on the requirement that collectors provide NPP 1. 5 information). For example, where Organisation A collects personal information for the primary purpose of compiling and renting direct marketing lists (whether collected directly or indirectly), it appears they are not required to obtain the consent of the individuals to disclose the information and can therefore rent or sell their mailing list to Organisation B. Organisation B is clearly required to give NPP 1. 5 information to individuals on the list unless Organisation A has previously given such information to those individuals, but in any case this does not prevent Organisation B from claiming "direct marketing" to be their primary purpose of collection and using such information for direct marketing notwithstanding that the individual has not given consent to any organisation for this use. While the requirement on Organisation B to provide NPP 1. 5 information may increase the barriers (costs etc) to collection and use of personal information without consent for direct marketing by Organisation B, it appears that a change in the services provided by Organisation A could potentially overcome such a barrier. If Organisation A is provided with direct marketing material by Organisation B, and Organisation A sends this marketing material to persons on Organisation A's mail lists, which organisation(s) is using the personal information? We consider that Organisation B would be using the information in a way clearly contrary to the intent of the legislation to provide individuals with control over use of their personal information and this should be made clear in the Guidelines.
The vague concept of "direct marketing" should be more clearly defined in the Guidelines. It should not be able to be regarded as a "primary purpose". Some organisations collect personal information for the primary purpose of selling/renting mailing lists and others do so for the primary purpose of sending directing marketing material. These two different purposes are of importance to individuals in relation to their ability to control use of their personal information in ways for which they have not given their consent.
Guidelines regarding implied consent should be reviewed to remove inconsistencies that on the one hand state consent must be voluntary and the individual should not be disadvantaged in choosing not to provide personal information, but in other sections provide examples of "implied consent" where individuals do not have a choice about providing personal information without being disadvantaged.
We recommend against suggesting that NPP 1. 3 information may be provided in a pop-up screen or box. Often information in such screens cannot be printed or saved. At the least, the Guidelines should emphasise that NPP 1. 3 information must be provided in a manner that can easily be printed (or otherwise saved for future reference) by the individual.
Various paragraphs require improved clarity in relation to references to computer and Internet technologies.
The above and other matters are further discussed below in relation to particular sections of the draft Guidelines. In the following, page numbers refer to the page numbers in the printed copy of the Guidelines distributed by OFPC, not the page numbers in electronic copies of the Guidelines. Paragraphs in italics below are extracts from the Guidelines.
2. Chapter 2 - Explanation of Terms
p27 Direct marketing
"The Privacy Act does not define direct marketing. However, the Commissioner considers that direct marketing includes activities that promote the sale or purchase of products or services or promote charitable fundraising where the individual is approached directly. It includes in-person approaches to peoples houses and approaches by mail, e-mail, telex, facsimile and phone. It includes individually targeted approaches by these means where people are encouraged to buy services at a distance (for example to buy by phone, mail or website) or to visit retail and service outlets or to donate to a cause by one of these means. It also includes automated processes such as Spam e-mail and computer generated voice calls over the phone. "
It is unclear what is meant by "automated processes such as Spam e-mail". Spam is of itself e-mail, but may also be a Usenet message (which is not an email message and is a message sent to a newsgroup not to an individual). We therefore suggest "Spam e-mail" be replaced by "e-mail spam" or "spam sent by e-mail". However, spam is not an "automated process" and e-mail spam may or may not be distributed automatically. E-mail spam may be produced and distributed manually in a similar manner to typing fax numbers onto individual pages and then faxing each page separately, or automatically in a similar manner to programming a fax machine to send one page to numerous pre-programmed fax numbers. From the recipient's point of view it is irrelevant whether an automated production or distribution process was used or not. Spam does not necessarily "promote the sale or purchase of products or services or promote charitable fundraising" and it means different things to different people, for example, junk email, unsolicited bulk email (UBE), unsolicited commercial email (UCE).
We consider that if the term "spam" is to be used in the guidelines it should be defined, although defining the term appropriately in context would be problematic. If the phrase "automated processes such as Spam e-mail" is intended to refer to an automated process by which direct marketing material is sent by email, we recommend reference to spam be deleted and the sentence be replaced with:
"It also includes approaches facilitated by automated processes such as computer generated email and computer generated voice calls over the phone".
"An organisation discloses information when it releases information outside the organisation. "
This definition would be improved by the inclusion of an additional example demonstrating that "outside the organisation" includes to a related organisation.
This paragraph contains a definition of both "individual" and "person". We suggest the definition of "person" also be included under a heading of "Person" in the same chapter.
"...an organisation under the Privacy Act means an individual or..."
This may be confusing given the definitions of "individual" and "person" used in the guidelines.
p30 Personal information
Does this definition include personal information about a deceased person?
Personal information can range from the very sensitive (for example, political beliefs, medical history, sexual preference or medical records) to the everyday (for example, hair colour, address, phone number).
It should be noted that address and phone number may be very sensitive (in the normal meaning of the word) in some individuals' circumstances, notwithstanding that "sensitive information" has a defined meaning in the Act.
Use of personal information relates to the handling of the personal information within the organisation. Examples of uses of information are:
- adding information to a data base;
- forming an opinion based on information collected and noting it on a file.
An additional example should be provided demonstrating that use does not only involve recording or adding information, for example, sending a letter to the individual is a use of the personal information.
3. Chapter 3 - Consent
p35-36 Consent should be informed and specific
Consent forms need to be specific about the matter, act or purpose that is intended with regards to the personal information. Broad and vaguely worded consent clauses such as may disclose to other businesses, as appropriate will not be enough to satisfy the requirement for consent because they do not inform an individual about what they are consenting to. Consent will be ineffective if the act an organisation performs is of a significantly different nature to the act the individual consented to.
The example clause above is too vague and broad to adequately demonstrate the requirement to be specific. For example, the A. C. T. Land Transfer form includes the statement:
"The information collected by this form is authorised by the Land Titles Act 1925 and the Duties Act 1999, will be used for the purposes of those Acts and will be available for search pursuant to sections 65 and 66 of the Land Titles Act. It will also be made available to government agencies for statistical and administrative purposes and to non-government persons and organisations concerned with land. A fee may apply to any or all of the above. "
http://www. rgo. act. gov. au/forms/landtitles/transf.pdf
Some (probably many) property purchasers expect the clause "will be disclosed to organisations concerned with land" means means electrical, water and similar bodies responsible for infrastructure and certainly do not expect that the "organisations concerned with land" will publish the information. However, we understand that the A. C. T. Government has granted a licence to a commercial real estate organisation to make information compulsorily provided on Land Transfer Forms publicly available on the real estate organisation's web site, to the surprise and concern of property purchasers.
Better guidance as to unacceptable consent clauses would be provided by examples that are less broad than may disclose to other businesses, as appropriate. We consider, for example, that "made available to...organisations concerned with land" is far too broad.
p37 Implied Consent
"For example, consent can be implied when a person uses a telephone service for banking services and proceeds after hearing a recorded message that the call may be monitored or recorded for staff training purposes. In these circumstances, the primary purpose is the collection and use of personal information for the provision of banking services and the secondary purpose is staff training. Consent for the secondary purpose is implied by the persons action of continuing with the call"
This example conflicts with other guidelines about consent, e. g. see Chapter 3 "Consent should be voluntary" which states that individuals should not be disadvantaged in making a choice to protect their privacy. While some individuals may have alternative means of receiving banking services, individuals in for example non city areas may have extremely limited, if any, alternatives. Furthermore, this example encourages widespread recording of calls as a non-optional means of collecting personal information, thereby denying individuals the opportunity to make inquiries by telephone unless they are willing to have everything they say recorded.
We recommend this example of implied consent be replaced with one where an individual is clearly free to make a privacy choice without being disadvantaged.
p38 Opt-out procedures and implied consent
"- the consequences of failing to opt-out are harmless (for example, the individual continues to receive offers, but disclosures to another party would not be harmless); and"
It should be noted that continuing to receive offers would not necessarily be harmless. For example when direct marketing material is sent by email the individual bears financial cost of receiving the email.
"- if the individual opts-out later the individual is fully restored to the circumstances he or she would have been if the opt-out had been exercised earlier. "
This point would be improved by noting that if reliance on implied consent would result in disclosure of information to another organisation, it will be impossible to restore the individual to the circumstances that would have applied if he/she had opted out earlier, or, changing the point to, e. g. : "if the individual opts-out later, the individual can and will be fully restored to the circumstances he or she would have been in if the opt-out had been exercised prior to the organisation deciding consent had been implied".
"An example of such an arrangement might be a power company seeking to include direct marketing material with later invoices and including a suitable opt out box on the invoice. However, whether it is acceptable as a way of getting consent may depend on how individuals pay their bills. "
The use of the word "may" in last sentence of the above fails to make it sufficiently clear that individuals must be provided with a means of opting out that is in compliance with the guidelines (e. g. re cost and effort) irrespective of how they pay their bills. For example, it seems unlikely that individuals who pay by BPay would have an effortless means of opting out. We therefore suggest that the last sentence of the above be changed to, e. g. : "However, this would not be acceptable as a way of getting consent in cases where individuals have the option to pay their bills via telephone or electronic methods. Implied consent could not be assumed unless the payment method used by the individual also provided an effortless means of opting out. "
This chapter should also cover the matter of consent being given by an individual on behalf of another individual such as a spouse, joint account holder, etc.
4. Chapter 4 - Collection
p44 Collection is the gateway to protecting privacy
"...In the case of sensitive information, it ensures that consent to collect includes consent to the proposed use and disclosure. "
This sentence appears to imply that consent to collect sensitive information automatically includes consent to disclosure. This should be changed to wording similar to that on page 59, i. e. "Getting express consent from the individual to collect sensitive information about them would also allow the organisation to get the individuals consent for all legitimate uses or disclosures of that information. "
p44 Requires collection to be lawful and fair
"NPP 1. 2 aims to protect unwary individuals by requiring organisations to use only fair and lawful ways to collect information. "
The word "unwary" should be deleted from the above sentence, since there is no reason to believe the law is not intended to also protect wary individuals, and, even if individuals are wary this does not necessarily enable them to protect their privacy. As written, the above sentence implies there would be no need for privacy laws if all individuals were "wary".
p46 Examples of collection include where an organisation:...
Some of the examples in this section are unclear or confusing.
- receives information via an electronic line for processing or further transmission;
- notes down information from a website or downloads information from it;
References to "information" in the above should be replaced with "personal information".
In addition, we consider the example in relation to a website requires further clarification. For example, if an individual has placed personal information about themself on their own web site, the above example would suggest that every person who views the individual's web site and makes a note from it would need to contact the individual to give them NPP1. 3 information. We would not expect this outcome to be the intent of legislation since its purpose is said to be to give individuals control over their personal information and individuals who place information on their own web site have control over what they place there. We suggest the above example should, at least, refer to third party web sites that contain personal information.
- views information from another computer server on a computer screen;
It is doubtful that simply viewing on screen information from another computer server is a collection. While on screen, the information would be temporarily in the person's computer's memory and unless the information is saved, printed, or notes made on paper etc, it would not have been "collected" (except to the extent that it may be temporarily automatically stored in a computer cache). In effect the example as written is the same as saying that merely viewing a page of a newspaper is a collection.
- keeps video tapes of images of its customer from its security cameras in ways that identify them;
This example should deal with the possibility of subsequent identification by e. g. face matching, for example, "keeps video tapes from its security cameras in which individuals are identified or identifiable, or keeps tapes in ways that identify individuals".
- tracks individual movements on the internet using a cookie or web bug;
The above does not necessarily result in collection of personal information. More relevant wording would be: "records an identified or identifiable individual's activities on the Internet using a cookie, web bug or similar technology"
- receives a form or a letter from an individual;
- receives and keeps emails containing personal information.
These examples seem inconsistent and suggest email is to be considered differently from other forms of communication. They could be consolidated in one example such as "receives and keeps a form, letter or email containing personal information"
p48 Meaning of necessary for function
for example, an organisation may breach NPP 1. 1 if it:
it is an Internet Service Provider and collects information about web sites visited by a subscriber when it is not necessary for billing or server management or other administrative reasons;
The above does not appear to take into account a situation where it is technologically problematic not to automatically collect information. We suggest it be changed to ". . or other administrative or technical reasons".
p50 Meaning of fair collection
Fair collection means collecting without tricks, deception or too much pressure. An organisation is likely to breach NPP 1. 2 if, because of its collection practice, it gets information that the individual would not otherwise give it.
Example of unfair collection may include:
This section should address the matter of obtaining information from sources such as public registers containing personal information that individuals were compelled by law to provide. An example such as the following should be added: "- collecting personal information from a public register that individuals were compelled by law to provide, such as collection from an Electoral Roll or a Register of Births Deaths and Marriages. "
p50 Unfair collection and Spam
"An organisation that collects personal information without telling an individual (for example, via a banner on a website or using software that trawls the net for email addresses) for the purpose of sending Spam will be engaging in unfair collection in breach of NPP 1. 2 unless it gives individuals proper notice. "
It is not clear what is meant by "gives individuals proper notice". It is impossible for an organisation that uses software to trawl the Net for email addresses to give an individual notice that the organisation will collect the individual's email address. They could only give notice of collection after they have collected the address by which time they would be in breach of NPP 1. 2 as we assume is intended by the above paragraph. We recommend the paragraph be changed to: "An organisation that collects personal information by using software that trawls the Net for email addresses for the purpose of sending spam will be engaging in unfair collection in breach of NPP 1. 2. An organisation that collects personal information, for example, via a banner on a web site, web bug, cookie or similar technologies, for the purpose of sending spam will be engaging in unfair collection in breach of NPP 1. 2 unless it obtains the individual's consent prior to collection. "
We consider this section should cover the matter of unfair collection and direct marketing in general, rather than solely address collection of personal information from the Internet. Collection of personal information from a public register such as the Electoral Roll is an equally if not more unfair means of collecting personal information for direct marketing purposes because individuals are compelled by law to provide the information for inclusion in the register and do not expect their personal information to be used for any other purpose.
p50 Unreasonably intrusive way of collecting personal information
...ringing an individual without consent in the middle of the night or at meal times to market a product;
Replace "in the middle of the night or at meal times" with "at unreasonable hours".
p52 Ways of making an individual aware of NPP 1. 3 information
If an organisation collects personal information using a cookie, web bug or other tracking software device it should tell the individual in a pop-up notice or statement on the website before it plants the first cookie, or uses the first device.
We recommend against suggesting that NPP 1. 3 information be provided via a pop-up notice for the following reasons:
often the contents of a pop-up box cannot be printed or otherwise saved by the visitor to the site
some browsers enable the Internet user to configure their browser to block the opening of new windows/ pop-up boxes since these are commonly used for advertising. Users who have configured their browser to block advertising in this form may therefore not be aware of the opportunity to view NPP 1. 3 information
a pop-up box will be highly irritating to regular visitors to a site, since this has to be clicked on to remove it from the screen.
p52 Factors in deciding practicability
In deciding whether it is not practicable for the organisation to give NPP 1. 3 details at or before the time of collection the Commissioner would look at all the circumstances in a common sense way. Factors the Commissioner would take into account include:
- whether the individual needs the information to make an informed decision about whether to give that information;
This factor should be deleted because it is irrelevant to what is practicable. NPP 1. 3 requires an organisation to make the individual aware of the information, irrespective of whether the Commissioner or any other person considers the individual needs it.
p54 Deciding what are reasonable steps
...where an organisation collects information using information or communications technology such as the internet, wireless networks or interactive television, it will nearly always be reasonable for the organisation to provide comprehensive but user friendly information for example on the internet, the organisation would need to set out NPP 1. 3 information on the web page or a pop-up screen or a click button on the page where the collecting is happening.
See remarks above about similar pop-up screen proposal on page 52.
p55 Listing types of organisations may be better in some cases
However if listing each organisation is not practicable or informative, listing the types of organisations might be a better way to inform the individual about the circumstances in which an organisation might disclose their information. Examples of descriptions of types of organisations would be debt collectors, State Government Licensing authorities, health insurers and list renters.
This paragraph should state that the "types" of organisations must be clearly and narrowly specified rather than broad types such as "organisations connected with land" as referred to above in relation to p35-36.
p56 Do not need to mention rare disclosures
An organisation does not need to mention disclosures that may happen, but in practice happen only rarely. For example, disclosures under a warrant or to intelligence agencies need not be mentioned; nor would disclosures made in an emergency of the kind set out in NPP 2. 1(e).
The word "rare" should not be used in this context. It incorrectly implies that any type of rare disclosure does not need to be advised, whereas the examples above seem to refer to disclosures without consent that are specifically permitted by the Act.
p56 Disclosures to related bodies corporate
If an organisation is a member of a group of related companies, the organisation must take reasonable steps to tell the individual that the organisation may give his or her personal information to companies that are related to that organisation.
This paragraph should not imply that disclosure to all related organisations is normal practice. It should be changed, for example, to: "If an organisation is a member of a group of related companies and intends to disclose information to a related organisation, ...".
p57 Deciding when it is reasonable and practicable to collect directly
Factors the Commissioner would take into account in deciding whether collection directly from the individual is reasonable include whether:
- whether the information is publicly available and individuals would reasonably expect their information to be collected for the purpose the organisation has collected it for.
We submit that further comment on the matter of "publicly available" and what individuals would reasonably expect should be incorporated in the Guidelines. There appears to be a perception in some marketing circles, for example, that the mere fact that information is "publicly available" means that individuals should/do "reasonably expect" that it will be collected indirectly and used for entirely different purposes from that for which the information was provided. This perception is wrong, especially, in circumstances where it was compulsory to provide personal information such as for inclusion on the Electoral Roll.
In our experience, individuals who contact direct marketing organisations who claim to comply with the ADMA Code and ask for the source of the organisation's information about the individual, are immediately told that the information came from the Electoral Rolls. Often this claim is made so quickly that it is extremely unlikely that record has been checked to ascertain the source. Whether the source was or was not the Electoral Roll, it will remain impossible for individuals to control use of their personal information if indirect collection from compulsory public registers for direct marketing purposes is perceived to be within "reasonable expectations". We consider it should be made clear in the guidelines that it is not. Such a statement may not only limit mis-use of personal information collected from Electoral Rolls, but result in requiring organisations to actually check and advise the source of the personal information they have indirectly collected about an individual, rather than automatically claiming "from the Electoral Rolls".
p58 Someone else can make the individual aware
NPP 1. 5 gives an organisation a number of options to make an individual aware.... Other options might be to advertise in local media or adopt other strategies that achieve the relevant level of awareness.
We recommend deleting the reference to advertising in the local or any other media. The probability that all affected individuals will become aware by advertising is minimal. The reference to "relevant level of awareness" should refer to an individual's level of awareness, so as not to be capable of being interpreted to mean a level of general public awareness.
p58 Deciding what are reasonable steps for NPP1. 5
Factors the Commissioner would take into account in deciding whether steps were reasonable include: ...
- whether it is common practice for an organisation in that kind of industry to collect the information from another organisation and, if so, whether the organisation took steps to ensure that the organisation collecting the information from the individual took reasonable steps to make the individual aware of that usual disclosure;
We consider attention should be drawn to the fact that some State and Local Government entities are not required to comply with any privacy legislation and hence are unlikely to have provided individuals with NPP1. 3 information nor obtained consent to disclosure for secondary purposes, and that this situation does not void the obligations of organisations who collect from such government entities to comply with NPP 1. 5.
Where an organisation running a website collects information about an individual indirectly including from public sources it must make the individual aware of that collection and give the individual a right of access and correction and preferably deletion. However, if an individual makes a complaint in these circumstances and the information relates solely to an official, business or professional capacity, the Commissioner is likely to take into account matters listed in section 29 of the Privacy Act (including other social interests) to decide not to proceed. The Commissioner is less likely to use this discretion if the information is sensitive information such as criminal record information.
We question why the above refers specifically to an organisation running a web site. Is it intended to refer to an organisation that publishes personal information on a web site, or is it a special rule for any organisation that has a web site irrespective of what they publish on it? We submit it should apply to any organisation that collects information indirectly and publishes it. While many individuals are justifiably concerned about the potential for publication of personal information on web sites, it should not be overlooked that traditional media has long used and disclosed information obtained from public sources such as the Electoral Rolls. We understand, for example, that some newspaper organisations obtain personal information from commercially distributed CDs that contain information scanned from printed Electoral Rolls.
This paragraph should be changed to refer to organisations who collect information indirectly or to the media in general. If it is considered necessary to mention web sites specifically this should be done in a manner that does not imply different rules for "an organisation running a website". It should at least be changed to refer to organisations who publish personal information on a web site rather than to any organisation that runs a web site.
p60 Non-profit organisation
...Non-profit organisation is very narrowly defined...
While this refers to a narrow definition of a non-profit organisation, no information is provided on where the definition may be found. We suggest directing the reader to the definition in NPP 10. 5 and/or including same in Chapter 2.
5. Chapter 5 Using and Disclosing
p64 Related and directly related purposes within reasonable expectations
The Commissioner suggests that a sensible approach to NPP 2. 1(a) is to think of it as setting out the circumstances in which it is reasonable for an organisation to expect that if asked, a reasonable individual would have agreed to the use or disclosure.
The above appears to be contradictory to the statements in the section "Purpose to be considered from the individual's perspective" on page 65. Expectations and whether an individual would have agreed to disclosure if asked are two entirely different matters. The NPPs do not appear to grant a right to organisations to use or disclose personal information in a way that the organisation thinks a "reasonable individual" would agree to, but in a way that the particular individual would reasonably expect. This section should therefore recommend the organisation consider what the particular individual would reasonably expect regarding use and disclosure, not what some category of other people (i. e. "reasonable individuals") would agree to if asked.
An organisation discloses personal information when it releases information outside the organisation.
As mentioned above regarding page 27, this definition would be improved by the inclusion of an additional example demonstrating that "outside the organisation" includes to a related organisation.
p67 What is a primary purpose of collection?
The primary purpose is the dominant or fundamental reason for information being collected in a particular transaction.
The primary purpose is determined mainly by looking at it from the point of view of the individual whose information it is. Although it is a little more difficult, an organisation should take this perspective even if it collects information from someone other than the individual.
We submit that this section should provide significantly more guidance for working out the primary purpose in cases where the collecting organisation collects personal information from a third party instead of from the individual. Page 65 states "Individuals usually give their personal information to an organisation for a particular reason (the primary purpose)" and "When considering questions of use and disclosure the NPPs are written from the perspective of the individual and not that of the using or disclosing organisation. ".
However, when an organisation collects from a third party, the individual is not involved in the transaction. This raises the question of whether the primary purpose (relevant to subsequent use and disclosure) is that for which the individual gave the information to the original collector, or for which the second collector collected it from the original collector.
In this regard, the guidelines state that:
... the Commissioner will determine the question of the primary purpose of collection by asking questions that include the following.
- What would a reasonable individual think is the purpose of giving information to the organisation?
- What is the main purpose for which the organisation asked for or recorded the information originally?
Where an organisation "recorded the information" without obtaining it from the individual, there will be no answer to dot point one because the individual did not give the information to the organisation. For example, when individuals give their personal information to the Electoral Office (as they are compelled by law to do) the primary purpose of provision is complying with the law by registering to vote. When a list rental organisation collects this information from the Electoral Rolls, does the primary purpose remain voting related in which case list rental companies who compile direct marketing lists are using the information for a secondary purpose (and hence subject to the limitations of NPP2. 1(c)) or has the primary purpose become compiling and/or selling direct marketing lists?
The original primary purpose of collection should remain the primary purpose notwithstanding indirect collection by other organisations, and this should be made clear in the Guidelines. In the event that the Commissioner does not interpret the law in this way, significantly more prominence should be given to the NPP 1. 5 requirement that organisations provide NPP 1. 3 information to individuals whose personal information is collected from third party sources such as Electoral Rolls and other public registers. See also comments regarding direct marketing and "Use for primary and related purposes" on page 73.
p67 Why primary purpose is important
Although an organisation does not need consent to a use or disclosure for the primary purpose the organisation must take reasonable steps to ensure that the individual is aware of the primary purpose under NPP 1. 3 or NPP 1. 5.
This paragraph should make specifically clear that it applies when an organisation collects personal information from a third party (e. g. from a list rental company), not only to collection of information directly from the individual. We suggest it be changed to:
Although an organisation does not need consent to a use or disclosure for the primary purpose, the organisation must take reasonable steps to ensure that the individual is aware of the primary purpose under NPP 1. 3 (when information is collected from the individual) or under NPP 1. 5 (when collected from another person or organisation).
p69 Related or directly related and within reasonable expectation NPP 2. 1(a)
In applying NPP 2. 1(a) the Commissioner suggests that it may help an organisation if it considers whether a reasonable individual in the circumstances, if asked, would have agreed to the proposed use or disclosure. .
See comments above regarding the same statement on page 64.
p72 Related purpose and NPP 2. 1(a)
A related purpose includes all the purposes that are directly related purposes as well as some additional ones. Related purposes must have some connection to, and arise in the context of, the primary purpose. Uses or disclosures for a related purpose would include uses or disclosures for:
- giving a person information closely associated with a particular product or service a person receives from an organisation;
The first four dot points above refer to "giving a person" etc. It appears the word person should be replaced with individual, given the definition of these words in the guidelines.
- using information an organisation has collected when an individual visited its website to tailor it for next time the individual visits.
They would not include the use of information collected about the individuals visits to other web sites.
The last sentence above appears out of place. Perhaps it is meant to be part of the last dot point rather than a separate paragraph? As a separate paragraph it suggests there should be a list of other non-related purposes.
p72-73 What is direct marketing?
The Privacy Act does not define direct marketing. However, the Commissioner considers that direct marketing includes the following circumstances where an organisation contacts an individual directly:
- automated processes such as Spam e-mail and computer generated voice calls over the phone.
See comments above regarding the same statement about spam on page 27.
p73 Use for primary and related purposes
An organisation can carry out direct marketing activities using NPP 2 in a number of ways. In some cases direct marketing may be the primary purpose for collection. In other cases... The question of what is direct marketing only becomes relevant if an organisation has to rely on NPP 2. 1(c) to carry out direct marketing activities.
This section is confusing because having said above that what is direct marketing is only relevant if an organisation is relying on NPP 2. 1(c), the following paragraph says it is also relevant when the primary purpose is direct marketing. We suggest that either the section be split into two sub-sections dealing separately with primary use and related use for direct marketing, or the paragraph below be moved and placed immediately after the sentence "In some cases direct marketing may be the primary purpose".
An organisation should be aware that although NPP 2 might allow an organisation to use information for direct marketing without the individuals consent when it has collected the information for the primary purpose of direct marketing, it might be in breach of NPP 1 if it has not taken reasonable steps to make the individual aware that the organisation has collected the information for this purpose (see Chapter 3 on NPP 1. 5). It might also be in breach of NPP 1 if it has collected information from someone other than the individual when it would have been reasonable and practicable to collect the information directly from the individual (see Chapter 3 on NPP 1. 4).
The above paragraph should also refer to breach of NPP 1. 3. We suggest it would be clearer if changed to:
An organisation should be aware that although NPP 2 might allow an organisation to use information for direct marketing without the individuals consent when it has collected the information for the primary purpose of direct marketing, it might be in breach of NPP 1 if:
it has not taken reasonable steps to make the individual aware that the organisation has collected the information for this purpose (see Chapter 3 on NPP 1. 3), or
it has collected information from someone other than the individual when it would have been reasonable and practicable to collect the information directly from the individual (see Chapter 3 on NPP 1. 4), or
it has not taken reasonable steps to make the individual aware that the organisation has collected the information from someone else for this purpose (see Chapter 3 on NPP 1. 5).
p74 Must be impracticable to seek the individuals consent
Impracticable in only limited circumstances
Organisations can only rely on this exception if seeking the individuals consent is impracticable. The Commissioner views this as a limitation on the circumstances when organisations can use 2. 1(c) especially where they are using automated direct marketing processes such as e-mail, or other online options such as mobile network, SMS messaging, or interactive digital television.
It is not clear what "automated processes" have to do with practicability. It is practicable for organisations to seek consent if they are intending to send direct marketing material to an e-mail address whether or not they are using an automated process to prepare and send e-mail. We suggest this be changed to "...especially when they are using technology-facilitated direct marketing processes such as ..."
p75 Never impracticable to get consent for Spam and other online direct marketing
The Commissioner takes the view that it will never be impracticable to seek the individuals consent where an organisation engages in direct marketing online and so such techniques as Spam cannot rely on NPP 2. 1(c) to direct market. This means the organisation will need to seek the individuals consent and in most cases, the Commissioner will require that consent to be explicit consent.
See earlier comments herein about what spam is. We suggest the above be changed to: "... and so organisations who use spam to direct market cannot rely on NPP 2. 1(c). "
p76 Not charging individuals for deleting them from a direct marketing list NPP 2. 1(ii)
An organisation cannot charge individuals a fee for giving effect to their request not to receive direct marketing. However an organisation can offer incentives for people to receive direct marketing communications, for example, bonus loyalty scheme points or a chance to win a prize. They can also charge different prices, for example, offer a discount on a product for agreeing to receive direct marketing material.
This is contrary to Chapter 3 "Opt-out procedures and implied consent" which states that "the cost of exercising the opt-out is so low as to be almost unmeasurable" and with Chapter 3 "Consent should be voluntary" which states that "An individuals consent may not be voluntary and valid if the individual is denied some benefit or is disadvantaged in some way because they refused consent. "
p76 Hanging up on a marketer
If contact is by phone and the person hangs up, the specific circumstances should be assessed, but this should usually be taken as a request not to receive further direct marketing communications.
Replace "person" with "individual".
p77 Giving contact details in the direct marketing material.
When communicating electronically the organisation must include...
This paragraph should also state that contact details must be provided when communicating by means other than electronically.
6. Chapter 6 - Keeping Information Accurate, Complete and Up to Date
p90 We recommend this section not state that an organisation only needs to consider the primary purpose of the collection. If an organisation is using or disclosing information for a secondary purpose, then the accuracy etc of the information is important.
p 92 We disagree that it is reasonable for an organisation to disclose personal information on the basis that it was collected "x years ago" and may be out of date and the recipient organisation should check its accuracy. In circumstances, for example, where the information is claimed to be collected used and disclosed by both organisations for their "primary" purposes, the individual has no control over use and disclosure of their personal information and the original collecting organisation has no control over whether or not the recipient organisation actually checks the information before using or further disclosing it. It seems clear elsewhere in the Guidelines that organisations are required to collect information directly from the individual (unless this is impracticable) and we see no grounds for what appears to be a suggestion that NPP 3 offers wide-ranging opportunity to indirectly collect out of date personal information provided the original collecting organisation (when disclosing out of date information) asks the recipient organisation to check information. We consider organisations disclosing information without the prior consent of the individual should be required to ensure it is accurate, complete and up to date before disclosing it.
7. Data Security, Access
While EFA agrees with the intent that organisations should provide individuals with access to their personal information in a user friendly manner, and that in some situations it may be appropriate to provide access via the Internet, we consider that more emphasis should be placed on the need to inform an individual that receiving information "in an electronic form may not be secure" (p112) and to ensure security of online systems and that identifiers used to gain access are not easily guess-able or likely to be known to other persons etc. Such considerations are especially important when there is no human involved who is likely, for example, to notice that a person is attempting to guess identification information or passwords, or that the inquirer is of a different gender from the individual and so on. While some IT security systems are capable of preventing continual guesswork attempts at access, some readily available and commonly used ID/password entry systems can not and hence present a considerably greater risk of unauthorised access than requests responded to by a human.
EFA considers it would be appropriate for the Guidelines to recommend that organisations seek agreement of the individual to provide their personal information to them via online means rather than automatically make all individuals' data available for access in this way.
position on National Privacy Principle (NPP) 2. 1(c) (i)
of seeking of consent to use an email address for the purpose of
sending direct marketing material
NPP 2. 1 states (inter alia):
"An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other then the primary purpose of collection unless:
(c) if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:
(i) it is impracticable for the organisation to seek the individuals consent before that particular use; and
EFA considers that the NPPs
should not permit use and disclosure of personal information for the
purpose of direct marketing without specific prior consent of the
individual. EFA's position in this regard has previously been set out
in our submissions to the House of Representatives Standing Committee
on Legal and Constitutional Affairs Inquiry into Privacy Amendment
(Private Sector) Bill 2000, May 2000
(http://www. efa. org. au/Publish/privacy_inquiry_2000. htm#3)
and our supplementary
submission to that inquiry
(http://www. efa. org. au/Publish/privacy_inquiry_2000_suppl. html).
In terms of the law subsequently enacted by the Parliament, EFA considers the NPP 2. 1(c) exception is not applicable to direct marketing by email because it is always practicable for an organisation to seek consent from the email addressee before sending direct marketing material.
Some commentators have contended that is impracticable to gain consent first because sending a request for consent may be considered as intrusive as sending unsolicited direct marketing material together with opt-out instructions. While many Internet users would agree that a request for consent is equally intrusive (a view that EFA shares), a requirement that direct marketers obtain consent first is preferable (best of worst case scenarios) because it gives Internet users a significantly greater level of control over use of their personal information. For example:
In the case of direct marketing material sent with opt out instructions, unless the recipient opens and reads the material, and then replies with an opt-out request, the direct marketer has carte blanche to send more direct marketing material as no opt-out reply has been received. Recipients who do not wish to receive direct marketing material are placed in a situation of having to open and read email to ascertain whether a particular message offers an opt-out option. Since the Privacy Act will not apply to all Australian businesses, nor of course to overseas businesses, many messages will not contain such an option. Many Internet users receive large amounts of spam from around the world and it is impossible time-wise for them to read it. It is unfair and unreasonable to require recipients to read mail they did not request or want to receive in order to exercise a right to opt-out of receiving further communications.
A requirement that a recipient reply to a message or take other action (e. g. visiting a web page) in order to opt-out helps unscrupulous persons trick Internet users into confirming the validity of their email address. Recipients will generally have no means of knowing whether the sender is covered by the Privacy Act or is, alternatively, an unscrupulous person pretending to be covered and pretending to intend to honour an opt-out request. Many spammers do not honour opt-out requests. Instead, the opt-out request is used to verify that there is a person reading the email and the email address becomes regarded as more valuable data. A marketing list of known-to-be-read email addresses has higher value in terms of sale of the list to third parties (e. g. "for $99. 95 you can buy addresses of all the hard-to-find customers!"). Hence, Internet users who are not well informed about the practices of spammers may be tricked into verifying their email address, while users who are well informed are unlikely to avail themselves of a purported opportunity to reply in order to opt-out because they will consider doing so entails too much risk of increased mis-use of their personal information.
The mere action of opening an email message can result in the recipient's email address being added to a database of valuable email addresses, for example, when the recipient is using an HTML email package and a Web bug is hidden in the email message. A recipient should therefore not be required to open an email message in order to opt-out. For information about this use of Web bugs, see Section 3(b) of EFA's submission to Submission to Senate Select Committee on Information Technologies, Inquiry into e-Privacy, July 2000.
http://www. efa. org. au/Publish/eprivacy. htm#tech
The requirement to reply to a message or take other action (e. g. visiting a web page to tick a box) in order to opt-out involves a cost for the individual in time and Internet connectivity fees. (This is in addition to the initial cost of receiving the email message).
EFA therefore recommends that
"opt-out" be defined, by default, as "did not opt-in".
An organisation should be required to seek and obtain consent to use
an email address to send direct marketing material before doing so.
Such request for consent must ask for permission to send direct
marketing material, not say, in effect, "we'll send you
marketing material unless you reply and opt out". No reply to an
inquiry seeking consent must be regarded as non-consent and
applicable to all products/services/etc from the organisation and
from any related organisations. Organisations should not be permitted
to use an email address more than one time to seek consent (unless
they have received explicit prior consent from the addressee to do
so), irrespective of how many times, or from how many sources, they
collect a particular address or whether they commence
selling/distributing/etc. a different product at some future time
(i. e. after the use of the address to seek consent).