AustLII Home | Databases | WorldLII | Search | Feedback

Privacy Law and Policy Reporter

Privacy Law and Policy Reporter (PLPR)
You are here:  AustLII >> Databases >> Privacy Law and Policy Reporter >> 2004 >> [2004] PrivLawPRpr 21

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

Privacy Law & Policy Reporter --- "Cases and complaints" [2004] PrivLawPRpr 21; (2004) 11(1) Privacy Law and Policy Reporter 12


Cases + complaints

Seven Network v Media Entertainment and Arts Alliance [2004] FCA 637

Federal Court of Australia - Gyles J (21 May 2004)

Privacy - use of internal company telephone directory by a call centre engaged by a union to poll staff on industrial bargaining issues - collection of personal information - purpose of collection - availability of injunctions - Privacy Act 1988 NPPs 1, 2, 10, s98

The MEAA was a union representing staff employed by Seven. After negotiations between Seven and MEAA broke down, Seven proposed to enter into an enterprise agreement directly with its employees. The MEAA engaged ACTU Member Connect Pty Ltd (Connect) to conduct a telephone poll of certain employees of Seven. The poll concerned various issues relevant to the enterprise agreement. The employees to be contacted were identified on an internal Seven telephone directory which had been obtained by the MEAA in about 2001 (probably surreptitiously) and passed on to Connect in 2003. Connect used that directory to create a database to allow the call centre staff to enter the results of the polling directly into the database. For each employee to be polled, the database included the person’s first and last names, the work telephone number and the person’s location. The results of the poll (which included, amongst other things, details of Seven’s staff who were interested in the MEAA’s activities) were provided by Connect to the MEAA.

Seven commenced proceedings under the Workplace Relations Act 1996, claiming that the MEAA was engaging in action with intent to coerce Seven’s employees to vote against the proposed enterprise agreement. Seven’s application was subsequently amended to allege a breach by each of MEAA and Connect of the Privacy Act 1988 and the Copyright

Act 1968.

Held (dismissing Seven’s application under the Workplace Relations Act, but allowing Seven’s applications under the Copyright Act and the Privacy Act):

1 The MEAA had no intent to coerce Seven’s employees to vote against the proposed enterprise agreement. Although some recipients of the telephone calls may have viewed the calls as subtle pressure to vote ‘no’, no implied threat of victimisation was intended and there was no intent to overbear the will of those polled.

Finance Sector Union of Australia v Commonwealth Bank of Australia [2000] FCA 1468; (2000) 106 FCR 16; National Tertiary Education Industry Union v Commonwealth of Australia [2002] FCA 441; (2002) 117 FCR 114; National Union of Workers v Qenos Pty Ltd (2001) 106 IR 373 followed.

2 The internal telephone directory was a literary work in which copyright subsisted, and that copyright was owned by Seven. Each of MEAA and Connect infringed Seven’s copyright by reproducing the telephone directory (or a substantial part of it) without the licence of Seven.

Desktop Marketing Systems Pty Ltd v Telstra Corporation Ltd [2002] FCAFC 112; (2002) 119 FCR 491 followed

3 The Federal Court of Australia has jurisdiction under s98 of the Privacy Act to grant an injunction restraining a person from engaging in conduct that constitutes a contravention of the Privacy Act. Any person may apply for such an injunction. Section 98 is indistinguishable in principle from s80 of the Trade Practices Act 1974.

Ibarcena v Templar [1999] FCA 900; Gao v Federal Privacy Commissioner [2001] FCA 1683; Gao v Federal Privacy Commissioner [2002] FCA 823; Day v Lynn [2003] FCA 879 distinguished.

4 The information contained in the internal telephone directory was ‘personal information’ for the purposes of the Privacy Act. To know where and for which organisation a person works and the work telephone number of the person is ‘personal’.

5 MEAA ‘collected’ the personal information contained in the internal telephone directory because it took active steps to obtain the directory. But there was no evidence that the information was collected after 21 December 2001. Accordingly, MEAA was not obliged to comply with National Privacy Principle (NPP) 1 when it originally obtained the directory.

6 MEAA was obliged to comply with NPP 1 when it received the results of the telephone survey from Connect in 2003. The list of Seven’s employees with an interest in MEAA and those wishing to obtain more information about MEAA contained ‘personal information’. MEAA breached NPP 1.1 because, no matter how useful or desirable to MEAA, that information was not necessary for any of its functions.

7 MEAA breached NPP 1.5 because the script used by Connect did not draw attention to the matters identified in NPP 1.3.

8 When conducting the telephone survey, Connect collected personal information for inclusion in a record. Accordingly, Connect was obliged to comply with the NPPs.

9 Connect was in the business of conducting telephone polls of the kind conducted for MEAA in this instance. In these circumstances, it was necessary for Connect to collect personal information for its functions and activities. Accordingly, Connect did not breach NPP 1.1 when conducting the telephone survey as MEAA’s contractor.

10 Connect did not breach NPP 1.2 when conducting the telephone survey - there was no evidence that Connect was aware that the internal telephone directory had been obtained by the MEAA surreptitiously.

11 Connect was in breach of NPP 1.3 for failing to take reasonable steps in the script to draw attention to the matters identified in NPP 1.3. In particular, Connect was required to identify itself as the organisation collecting personal information for the purposes of NPP 1.3(a), despite the fact that Connect was acting as agent for the MEAA.

12 Connect did not breach NPPs 1.4 or 1.5 when it obtained the internal telephone directory from the MEAA at the commencement of its engagement. As a call centre operator it was not reasonable or practicable for Connect to collect the initial contact details of the Seven employees it was to poll only from those individuals.

13 Connect did not breach NPP 2.1 when disclosing the results of the telephone survey to the MEAA. In an agency situation like the present, the primary purpose for which the information is collected is that of the principal. Accordingly, Connect did not disclose personal information to the MEAA for a purpose other than the primary purpose. In any event, if there were two purposes, they were directly related.

14 Connect did not breach NPP 10. To the extent that the questions in the telephone survey solicited ‘sensitive information’, the recipients had a choice as to whether to answer. Accordingly, any sensitive information was collected with the individual’s consent.

15 Section 347 of the Workplace Relations Act 1996 does immunise Seven or Connect from an order for costs in relation to the Copyright Act and Privacy Act proceeding. A separate federal claim is not ‘in a matter arising under’ the Workplace Relations Act within the meaning of s 347.

Maritime Union of Australia v Geraldton Port Authority (2000) 94 IR 404 distinguished.

Comment

This is the first decision of the Federal Court to analyse the NPPs in a serious (albeit brief) manner and to acknowledge its jurisdiction under section 98.

Gyles J is undoubtedly correct to state that section 98 is analogous to section 80 of the Trade Practices Act. Both provisions confer the power to grant an injunction on the application of the relevant regulator (the Privacy Commissioner or the ACCC) or ‘any other person’. In the context of the Trade Practices Act, the courts have held that the words ‘any other person’ must be given their ordinary meaning without imposing any qualifications. Gyles J promptly and properly disposed of the MEAA’s argument that previous decisions of the Federal Court precluded him from recognising the jurisdiction conferred by s98. The cases relied upon by the MEAA have previously been criticised in PLPR (see (2002) 9 PLPR 118; (2001) 8 PLPR 142; (2001) 7 PLPR 178) for ignoring the Court’s jurisdiction under s98.

However, the approach of Gyles J to the construction of NPP 1 is more controversial. In particular, it seems harsh to find that ‘no matter how useful or desirable’ it was not necessary for one of the MEAA’s functions or activities to collect information to the effect that an employee of a media company would be interested to know more about the activities of the union. If a similar approach was taken to the collection of personal information by private sector organisations about individuals who may be interested in the goods or services offered by the business, the direct marketing industry would be in deep trouble. Gyles J’s treatment of Connect’s obligations under NPP 1.3(a) also raises practical problems for businesses using independent call centres to communicate with their customers. Call centre operators rarely disclose the fact they are agents for their principal. Yet this is what Gyles J required of Connect. In fairness to his Honour, the judgment makes it clear that counsel for the MEAA did not make any detailed submissions on the various breaches of the NPPs alleged by Seven. If the court had the benefit of such submissions, these conclusions may have been different.

Patrick Gunning, Mallesons Stephen Jaques, Sydney

Tenants Unions v TICA (Complaint Determinations 1-4 of 2004)

Australian Privacy Commissioner

Representative complaints s38 – determinations power s52 – breaches of National Privacy Principles 1, 3, 4, and 6 - Privacy Act 1988 (Cth)

The Commissioner has issued four Complaint Determinations under s52 arising from the one dispute. The respondent to the complaints was TICA Tenancy Control Pty Ltd (TICA), which operates a tenancy database accessed by real estate agents. The complainants in a representative complaint under s36(2) and s38 were the Tenants’ Union of Queensland Inc, Tenant’s Union of NSW Co-op Ltd and complainants A and B. The class of members in the representative complaint were “tenants or former tenants, who incur charges from TICA in order for them to access information about their listing on the [TICA] database.” The Commissioner found that the complaint satisfied s38.

In the course of the four Determinations the Commissioner found that TICA breached the NPPs in the following ways (The relevant NPP and Compalint Determination (CD) number are in parentheses, and the Commissioner’s words are used as far as possible):

The Commissioner also made numerous findings that actions alleged by the Tenant’s Union were not breaches, some of them significant (not covered here).

The Commissioner made a declaration under s52(1)(b)(i) that TICA should cease and not repeat the practices found in his four determinations as breaching the NPPs. However, he found that he does not have power under s52(1)(b)(ii) to make declarations as to the specific methods and actions that TICA should employ to remedy its breaches. The section states that he may make ‘a declaration that the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant’.

Instead, the Commissioner made a number of recommendations that TICA may wish to implement to remedy its practices. These included (in the Commissioner’s words where possible) recommendations that TICA:

Comment

These Determinations are of considerable significance for any private sector organisations that allow members or subscribers to access databases of personal information, particularly if they charge fees for individuals to enquire about, access or correct their own information. Aspects of the Determinations could require significant organizational change in some businesses, particularly the finding that ‘failing to advise tenants contemporaneously that they have been listed on the database’ was a breach of NPP 3. The details and implications of these determinations will be examined by Chris Connolly, one of the advisers to the Tenants’ Unions, in the next issue of PLPR.

The Determinations do not set any reporting requirements or time limit for compliance by TICA. Given the Commissioner’s refusal to specify what actions TICA should take to remedy its breaches, it is unclear when it would be appropriate for the Tenants’ Union or the Commissioner to commence proceedings in the Federal Court or the Federal Magistrates Court for an order to enforce a determination under s55A. If such proceedings are commenced, the Federal Court may consider any breaches of the NPPs that may arise from the facts, not only those found by the Commissioner (s55A(5)).

Graham Greenleaf, General Editor

X v Commonwealth Agency [2004] PrivCmrA 4

Australian Privacy Commissioner

Disclosure- NPP 2 - financial compensation not agreed – use of s41(2)(a) power not to investigate further –‘the Commissioner is satisfied’ - Privacy Act 1988 (Cth)

The complainant was assisted at the counter by an employee of a Commonwealth Government Agency (the agency) who was also formerly related to the complainant. In the course of the transaction the complainant ad vised the agency that the complainant was expecting to receive money from a court settlement. The next day the complainant’s ex-partner obtained a court order restraining the complainant from accessing that money. The complainant alleged that the agency’s employee disclosed to the complainant’s ex-partner that the complainant was to receive money from a court settlement.

The Commissioner’s Office concluded, following investigation, that, on the balance of probabilities, the agency’s employee did disclose to the complainant’s ex-partner that the complainant was to receive money from a court settlement. It concluded that no relevant exception applied and the agency had breached IPP 11.

The agency did not accept that it disclosed the complainant’s personal information, however it did agree to the Office conciliating a settlement. Section 27(1)(a) of the Act provides for the Privacy Commissioner, where he or she considers it appropriate, ‘to endeavour, by conciliation, to effect a settlement of the matters that gave rise to the investigation’. If the matter can be settled by conciliation and the Commissioner is satisfied that the matter has been adequately dealt with he or she may decline to investigate the matter further under section 41(2)(a). The Office aims to assist the parties achieve a fair and reasonable outcome by conveying requests and offers between the parties. The Office also provides advice, including about the nature of settlements that have been reached in similar cases. The Office negotiated at length with the parties but the complaint did not resolve by way of conciliation. The complainant wished to be in a position to pursue action against the agency in the courts. The Office ceased its investigation of the complaint under section 41(2)(a) of the Act.

(Edited by PLPR Editors from the complaint note published by the Office of the Federal Privacy Commissioner. See www.privacy.gov.au for the full text of the complaint note.)

Comment

It is commendable that the Commissioner’s Office has published details of their practices in cases of this type, as they are very important to the practical operation of the Act. However, the merits of the practice described are questionable. The casenote confirms that complaints will be dismissed under s41(2)(a) if the Commissioner is satisfied the respondent has dealt adequately with the matter, even if the complainant is dissatisfied. If this occurs, the only avenue open to the complainant is to seek judicial review of the Commissioner’s decision for procedural or other inadequacies, since there is no right of appeal against decisions of the Commissioner. The complainant could seek a s98 injunction, but this would not achieve anything in the case in question, as it cannot result in the award of compensation.

The alternative approach open to the Commissioner is to proceed under s52 and make a determination finding a breach of IPP 11 (according to the reported facts of this case) and a declaration as to compensation under s52(iii). The complainant would then not walk away from the process empty-handed when a breach has been found (as is now the case). The respondent would have the choice of paying the compensation (which in this case it may have been willing to do) or refusing to do so thus enabling the complainant to have the matter re-heard by the Federal Court under s55A. The complainant could also seek judicial review of the Commissioner’s decision.

However, all previous s52 determinations have identified the respondent, whereas this complaint/report note does not identify the respondent agency. The result of the s52 approach might be that agencies who have breached the Act, even if the Commissioner finds their subsequent actions reasonable, could not continue to hide the fact of their breaches if they were faced by a dissatisfied complainant. There is nothing unfair about this. Complainants should at least be able to insist that proven breaches of the Act are made known, even if they receive no other remedy acceptable to them.

The Commissioner’s Office should reconsider its practices in relation to s41(2)(a).

Graham Greenleaf, General Editor

L v Commonwealth Agency [2003] PrivCmrA 10

AustralianPrivacy Commissioner

Accuracy, security and disclosure of personal information - Information Privacy Principles 4, 8 and 11 – Privacy Act 1988 (Cth)

The complainant’s ex-wife had submitted an application, to an agency, which impacted on the complainant. The application included inaccurate personal information relating to the complainant, including an incorrect mailing address and other facts. The complainant was unaware that his ex-wife had made an application to the agency until approximately one year later, since the agency had been sending information to the complainant at an incorrect mailing address.

IPP 8 (accuracy) requires that an agency check the accuracy of the personal information it holds in records and in doing so take into account the purpose for which the personal information will be used. Therefore, the issue for the Commissioner was whether or not the agency’s use of the incorrect address and other facts was in breach of IPP 8. The agency’s usual process in relation to the type of application submitted by the complainant’s ex-wife involved minimal investigation. The agency was unable to indicate whether or not any checks had been made to verify the accuracy of the complainant’s mailing address before use. Consequently, the Commissioner found the agency in breach of IPP 8 in respect to the incorrect mailing address. The agency paid the complainant $250 compensation for the use of an incorrect mailing address.

However, the Commissioner did not find the agency in breach of IPP 8 in respect to the other incorrect facts. By virtue of the agency’s legislation it is not required to conduct any inquiries or investigations into matters concerning the eligibility of an application and may act on the basis of the information contained in the application. Therefore, the Commissioner was unable to conclude that there was a breach of IPP 8 in this circumstance, in light of the agency’s legislation.

IPP 4 (security) requires an agency to take reasonable security precautions to ensure that personal information contained in records it holds is protected against loss, unauthorised access, use, modification or disclosure. The complainant had been provided with a password to be used to identify him when contacting the agency. However, its computer systems did not prompt the agency employee receiving the call that a password had been provided to the complainant, and on numerous occasions when he called the agency, he was not asked for his password.

Accordingly, the Commissioner found the agency in breach of IPP 4 since it was unable to implement its own security initiatives. As a result of the investigation, the agency upgraded its computer systems to enable passwords to be used in practice. The front menu screen that an agency employee views when responding to a call from an individual now informs the agency employee that a password has been provided and that it needs to be asked for, before personal information is disclosed to the caller.

The investigation was closed under s41(2)(a) of the Privacy Act, on the grounds that the agency had adequately dealt with the matter.

(Edited by PLPR Editors from the complaint note published by the Office of the Federal Privacy Commissioner. See www.privacy.gov.au for the full text of the complaint note.)

Comment

The Commissioner states that the legislation governing the agency provides that ‘it is not required to conduct any inquiries or investigations into matters concerning the eligibility of an application and may act on the basis of the information contained in the application’. It seems that the agency can act on the basis of incorrect information with impunity, which is in effect an exemption from the Privacy Act 1988.

However, the Commissioner does not identify the agency. This is a situation where the public interest would justify the disclosure of the agency’s identity in the report summary (without endangering the privacy of the complainant), so that interested parties could investigate whether there is a deficiency in the agency’s legislation that needs rectification. This is also a defect in the Commissioner’ summary of M v Commonwealth Agency [2003] PrivCmrA 11, where a ground for dismissing a complaint was that ‘[IPP] 11.1(d) which permits disclosures which are authorised by law - Agency B’s governing legislation provided an authorisation that meant that Agency A was “authorised by law” to provide the information Agency B requested’. Again, the agencies are not identified, and the correctness of the Commissioner’s interpretation of the law – or its implications if correct – cannot be assessed by any outside observers.

The Commissioner’s reporting practices concerning identification of respondents need review.

Graham Greenleaf, General Editor


AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/2004/21.html