In a recent privacy decision (DV and Telstra Corporation Limited [2014] AICmr 118), the Privacy Commissioner made a determination that Telstra Corporation Limited ('Telstra') apologise, update its privacy policy and collection notices, and pay $18,000 to a family law judge ('DK') as a result of Telstra's breach of National Privacy Principle ('NPP') 1.3 which constituted an interference with DK's privacy. The breach resulted from a failure by Telstra to inform DK that his information would be included in the White Pages (and therefore disclosed to the public).

A number of interesting issues arise in this decision:

  1. Telstra's subsidiary, Sensis Pty Ltd ('Sensis'), which published DK's personal information in the White Pages, was not held to be responsible;
  2. Telstra breached DK's privacy by not informing DK of the likely disclosure;
  3. Telstra's breach occurred even though it was authorised by law to disclose DK's personal information via its directories; and
  4. the determination represents the Privacy Commissioner's largest damages award to date.

Background

DK was a Federal Circuit Court Judge who dealt with family law cases. Telstra installed a landline phone at DK's personal residence, for the sole purpose of serving as a back-to-base alarm which DK could use in emergencies. In order to install the phone line, Telstra collected personal information about DK, including his name, address and telephone number.

In addition to installing the phone line, Telstra provided DK's name, address and phone number to its wholly-owned subsidiary, Sensis, which published DK's personal information via its hardcopy and online White Pages directories.

Although it was Sensis that published the White Pages, Telstra was found to be responsible as the Privacy Commissioner found that it was Telstra that 'disclosed' the information.

Why Telstra was responsible (but not Sensis)

The actual disclosure of DK's information was made by Sensis. However, it was Telstra which was found to be responsible.

Although not stated, this is because the privacy obligations under the NPPs (which applied in this case; the Australian Privacy Principles or 'APPs' have applied in their place since 12 March) apply to entities that 'hold' personal information. Consequently, whether the responsibility rested with Telstra or Sensis depended on which entity was the 'holder' of DK's personal information.

Section 6 of the Privacy Act relevantly provides:

an entity holds personal information if the entity has possession or control of a record that contains the personal information.

In his decision, the Privacy Commissioner found that Telstra 'maintained effective control over the information' that it provided to Sensis, and therefore the publication of the information by Sensis was a publication by Telstra.

This decision is consistent with the Privacy Commissioner's own-motion investigation into AAPT and Melbourne IT. In that investigation the Privacy Commissioner considered which entity was responsible for the data of AAPT Ltd ('AAPT'). The data in question was owned by AAPT but was held on a server managed by WebCentral Pty Ltd ('WebCentral'), a webhosting business unit of Melbourne IT Ltd ('Melbourne IT'). The Privacy Commissioner found that the responsibility for the data rested with AAPT (not Melbourne IT or WebCentral). The report of the own-motion investigation stated:

Information is held by an organisation where it has physical possession of the data or the right or power to deal with the information even if it does not physically possess or own the medium on which the information is stored.

The Commissioner took the view that AAPT held the information for the purposes of NPP 4.1, despite it being stored on Melbourne IT's server.

In other words, the Commissioner appeared to adopt the position that even though one party may have possession, and the other control, the appropriate test was who had control of the record. This is also consistent with the approach taken by the current APP Guidelines which focus on which entity has 'effective control' of the information:

'An APP entity discloses personal information when it makes it accessible to others outside the entity and releases the subsequent handling of the personal information from its effective control. This focuses on the act done by the disclosing party.' (Paragraph B.58)

'Generally, an APP entity uses personal information when it handles and manages that information within the entity's effective control.' (Paragraph B.137)

If this is the correct approach, it might be contended that Sensis would not be required to even have a privacy policy, as it would not be collecting, using or disclosing the personal information. In our view, it would be helpful if in future the Privacy Commissioner spelt out the obligations of entities which do not have 'effective control' of records.

Telstra failed to provide a collection notice

Telstra claimed it was common knowledge that it publishes a White Pages directory, which includes the name, address and phone number of each individual who has a landline in Australia (except those with a silent number). In this case the landline which Telstra installed for DK was not to be used as a phone; it was connected for the sole purpose of a back-to-base alarm which DK could use in emergencies. In this context it is understandable that DK would not have realised that his telephone number (which he never intended to use as a telephone number), together with his name and address, would be published by Telstra.

Nevertheless, the Privacy Commissioner took the view that, even if the landline had been installed for providing a telephone service, Telstra would have been required to issue a collection notice. This is a very strict view of the collection notice requirement in NPP 1.3 (now set out in APP 5), which required organisations to take reasonable steps to notify individuals whose personal information they have collected of, among other things:

  • the purposes for which the information is collected (NPP 1.3(c); now APP 5.2(d)); and
  • the organisations (or the types of organisations) to which the organisation usually discloses information of that kind (NPP 1.3(d); now APP 5.2(f)).

Under this obligation the Privacy Commissioner said that Telstra needed to specifically identify how it made DK aware that his personal information would be published in its White Pages:

… it is not sufficient for Telstra to assume that the complainant knew that his personal information would be published in the White Pages… Telstra bears the onus of showing that the complainant was aware that it was Telstra's usual business practice to disclose phone line information in the White Pages. … (Paragraph 32)

The Privacy Commissioner reviewed Telstra's Privacy Statement and concluded that it had not discharged its collection notice obligations:

There is no information before me to suggest that the complainant was made aware through any medium of this particular purpose of collection (i.e. publishing in the White Pages) and of the consequent disclosure of his personal information. (Paragraph 34).

In fact, before the Privacy Commissioner had handed down his determination Telstra had amended its Privacy Statement to make specific reference to the publication of customer information in the White Pages, and put processes in place to require sales consultants to notify each prospective customer of the option of taking out a silent line. Such action may have assisted in avoiding the imposition of aggravated damages.

Telstra was permitted to disclose DK's personal information

Telstra had claimed that it was permitted to disclose DK's personal information for three different reasons:

  1. the disclosure was one of the primary purposes for which it collected DK's personal information (NPP 2.1; now set out in APP 6.1);
  2. the disclosure was 'related' to the primary purpose for which the information was collected, and DK would reasonably expect Telstra to disclose his personal information for that related purpose (NPP 2.1(a); now set out in APP 6.2(a)); and/or
  3. the disclosure was required or authorised by law (NPP 2.1(g); now set out in APP 6.2(b)).

The Privacy Commissioner found that the primary purpose of the collection of DK's personal information was for the purpose of setting up the phone line (and therefore NPP 2.1 was not applicable). While the Privacy Commissioner found that the publication of DK's personal information was a purpose 'related' to the primary purpose, there was no evidence to suggest that DK would reasonably expect that his personal information would be published in the White Pages (and therefore NPP 2.1(a) was not applicable).

However, the Privacy Commissioner did find that Telstra was authorised (rather than required) by law to disclose the personal information, because of clause 9 of the Carrier Licence Conditions (Telstra Corporation Limited) Declaration 1997. This meant that Telstra was authorised to disclose DK's personal information, but this did not excuse it from failing to comply with its collection notice requirements.

How the Privacy Commissioner calculated the damages

The $18,000 damages award represents the largest damages award for a privacy breach awarded by the Privacy Commissioner. However, the award was purely to compensate DK for the fear and anxiety he suffered, and this amount was calculated by reference to disability discrimination cases which the Privacy Commissioner considered dealt with comparable levels of distress and anxiety.

DK had also asked for compensation for economic loss, such as the stamp duty payable as a result of having to move houses. However, because the out-of-pocket expenses were paid for by DK's employer, this was not a loss which DK actually suffered.

Nevertheless, there is no reason why an award of damages under the Privacy Act would not be capable of including economic losses, and there is the potential for the quantum of damages to be higher where an individual suffers a significant economic loss as a result of a breach of their privacy.

Lessons

Entities routinely need to disclose personal information they have collected. Sometimes this is as a result of a legal requirement (for example, corporate entities are typically required to make their list of members available under certain circumstances).

The DV and Telstra determination highlights the risks of not ensuring policies and procedures are in place to clearly notify individuals whose personal information an entity will disclose. Even if authorisation can be established for the disclosure, an interference with privacy may arise from a failure to publish a compliant privacy policy (APP 1.4) or to provide an adequate collection notice (APP 5).

In order to mitigate these risks, some entities may need to:

  • review and update their privacy policy and collection notices to clearly articulate how the entity will handle the personal information it collects; and
  • if necessary, obtain consents to authorise the entity to handle the personal information for the purposes it requires.