Key Points
-
Companies must ensure that before publishing personal information they have a right to do so.
-
When publishing person information companies would do well to show restraint and tempered actions, only going so far as is necessary to satisfy their legitimate interests.
-
Companies must ensure that before publishing personal information they have a right to do so.
-
When publishing personal information companies would do well to show restraint and tempered actions, only going so far as is necessary to satisfy their legitimate interests.
In August last year Jeremy Corbyn cried foul when he was, by his own account, forced to sit on the floor of a train vestibule of a Virgin Train due to overcrowding. At the time Mr Corbyn’s spokesperson used the incident as evidence of why the Labour Party’s policy to bring trains back into public ownership was so popular. Virgin Trains was quick to counter the allegation by releasing CCTV still footage which showed the politician walking past apparently unreserved seats.
The UK’s Information Commissioner’s Office (ICO) found that Virgin Trains was entitled to correct what it deemed to be misleading news reports that were potentially damaging its reputation. However, according to the ICO, Virgin Trains was not justified in releasing CCTV still footage of other passengers. While the ICO stopped short of pursuing formal regulatory action, it reaffirmed that the disclosure was a serious issue and a breach of relevant privacy laws.
How would such a disclosure be viewed under Australia’s privacy and data protection laws?
There is no doubt that the release of the images is a disclosure of personal information. The question is whether it is a “permitted disclosure”. In Australia, the answer to that question will depend on whether the entity releasing the images is a Commonwealth public sector agency, a private sector organisation or a State or Territory public sector agency.
Both Commonwealth public sector agencies and private sector organisations (over the small business threshold) are subject to the Privacy Act 1988 (Cth) and must comply with the Australian Privacy Principles (APPs). These entities are referred to as APP entities.
Under APP 6.1 the general rule is that an APP entity can only use or disclose personal information for the primary purpose for which it was collected unless one of the exceptions listed in APP 6.2 or 6.3 applies. In these circumstances, APP 6.3 is unlikely to apply.
APP 6.2(a) provides that an individual’s personal information can be used or disclosed for a secondary purpose if the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is, if the information is not sensitive information, related to the primary purpose.
In the case of Virgin Trains, the ICO concluded that it was entitled to correct what it deemed to be misleading news reports that were potentially damaging to its reputation. In the Australian context, it is a fair call that, if an APP entity had personal information about an individual that would counter an adverse news report generated by that individual, the individual would reasonably expect the APP entity to use or disclose that information. This would apply even though neither the individual (nor the APP entity) might have considered it at the time the personal information was collected. The question whether the secondary purpose is “related” to the primary purpose is arguably more tenuous but in the circumstances likely to be found.
If the entity was a NSW public sector agency, the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) would apply. Section 18 deals with limits on disclosure. The exceptions that could apply to disclosure for a secondary purpose are:
- The disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure (section 18(1)(a)); and
- The individual concerned is reasonably likely to have been aware that information of that kind is usually disclosed to that other person or body (section 18(1)(b)).
It may be a stretch to claim that the disclosure is directly related to the purpose for which the information was collected. Even if it was, the individual concerned is very likely to object to the disclosure – no matter how unreasonable those objections may be.
The exception in section 18(1)(b) is similar to the exception in APP 6.2(a). Similar considerations should apply here if the determination as whether to disclose the information (and the extent of the disclosure) is properly made at the time of the proposed disclosure rather than at the time of collection.
For these reasons if Mr Corbyn was a passenger of a NSW Government train agency and made similar comments, the agency could use CCTV images of Mr Corbyn to counter any misleading press reports generated by those comments without breaching his privacy.
As the ICO commented in the Virgin Trains case, if disclosure is permitted it would be limited to the personal information of the relevant individual. If the images included other individuals, the identity of those individuals would need to be removed or obscured.
Interestingly in the UK there is a detailed data protection code of practice for surveillance cameras and personal information. There is no equivalent code of practice in Australia.
Post by Vanja Simic and John Kell