Monday, 21 May 2018
Page: 3811


Dear Mrs Wicks

Petition number: EN0114

I am writing in response to a letter from the Chair of the Standing Committee on Petitions dated 20 March 2017 to the Minister for Communications, regarding a petition about companies that sell individuals' personal information from their mailing lists. I apologise for the delay in responding to that letter. The petition has only recently come to the attention of my Office. The petition requests that 'it be written into law that companies not be allowed [to] sell contact information of persons who have ever appeared on their mailing lists.' As acting Australian Information Commissioner and acting Privacy Commissioner, the petition has been provided to me for response, as I have regulatory oversight of the Privacy Act 1988 (Privacy Act).

The Privacy Act includes 13 Australian Privacy Principles (APPs) that outline how entities must handle, use and manage personal information. The APPs apply to most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (known as APP entities). Personal information is information or an opinion that identifies or could reasonably identify an individual. Some examples are an individual's name, address, phone number, email address, date of birth, medical records, bank account details, and opinions.

Businesses covered by the Privacy Act will generally need to comply with the APPs when selling individuals' personal information from their mailing lists. Some of the relevant APPs are outlined below.

APP 6 outlines when an APP entity may use or disclose personal information. The intent is that an entity will generally use and disclose an individual's personal information only in ways the individual would expect or where an exception applies. If an APP entity holds personal information about an individual that was collected for a specific purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose). Exceptions apply where, for example, the individual has consented to the use or disclosure, or where the individual would reasonably expect the secondary use or disclosure and the secondary purpose is related to the primary purpose. For example, an APP entity that sells or otherwise discloses individuals' contact information on a mailing list may only do so where this is within the individuals' reasonable expectation and related to the primary purpose of collection, or covered by another exception to APP 6.

APP 6 does not apply to the use or disclosure by an organisation of personal information for the purposes of direct marketing.

APP 7 provides that an organisation must not use or disclose personal information it holds for the purposes of direct marketing unless an exception applies. Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services. There are some exceptions to the requirements set out in APP 7, including for example, where the individual would reasonably expect their personal information to be used for the purpose of direct marketing. Where an organisation is permitted to use or disclose personal information for the purpose of direct marketing, it must always:

allow an individual to request not to receive direct marketing communications (also known as 'opting out'), and

comply with that request.

An organisation must, on request, provide its source for an individual's personal information, unless it is impracticable or unreasonable to do so. Direct marketing involving sensitive information (such as health information) requires the individuals' consent.

APP 7 does not apply to the extent that the Spam Act 2003 (Cth) (Spam Act) or the Do Not Call Register Act 2006 (Cth) (DNCR Act) apply. The Spam Act applies to commercial electronic messages (such as those sent using email, instant message, SMS or MMS) and requires:

commercial electronic messages to be sent with the consent of the recipient

accurate sender identification including the sender's contact information, and

a functional unsubscribe mechanism.

Telemarketers and fax marketers must not call or fax numbers listed on the Do Not Call Register as required under the DNCR Act. However, some exemptions apply and the DNCR Act will not apply where the calls or faxes are made by exempt entities (such as registered charities or political parties), where the calls or faxes are made by market researchers conducting opinion polling or social research, or an individual has consented to the call or fax.

The Australian Communications and Media Authority has the primary regulatory responsibility for the Spam Act and the DNCR Act.

Where an individual considers that an APP entity has breached an APP, they should first complain to the APP entity. If the APP entity does not respond within 30 days, or the individual is dissatisfied with the response, the individual can bring a complaint to the Office of the Australian Information Commissioner (OAIC). The OAIC has a range of regulatory powers under the Privacy Act, including for example, the ability to make determinations in complaint investigations and 'Commissioner initiated investigations', accept an enforceable undertaking and bring proceedings to enforce an undertaking and seek a civil penalty from the courts in the case of a serious or repeated interference with privacy.

I trust that this information is of assistance. If you would like to discuss this matter or have any questions, please contact Sophie Higgins, Director, Regulation & Strategy, on (02) 9284 9775 or

Yours sincerely

from the Acting Australian Information Commissioner, Acting Privacy Commissioner, Angelene Falk