|
At our third Wine (+Web) Appreciation Seminar, Peter Mulligan, a senior lawyer at Henry Davis York, shared his insights on the Privacy Act. Here we summarise his key points in relation to associations and the handling of members’ personal information.
Privacy law hits the Public Domain
Ever bothered to click on the “Privacy” link at the bottom of a website? Probably not and most people have no interest in the arcane intricacies of privacy law. Yet, 3 recent high profile incidents have brought privacy law front and centre in the public conscience.
Kevin Colvin Chucks a Sickie
Kevin Colvin was an intern at the Anglo Irish Bank when he emailed his boss to tell him that he couldn’t come to work because of a “family emergency”.
When his boss saw a picture of him on Facebook that made it clear the “emergency” was a Halloween party, he let Kevin know – in good humour – that he’d been sprung. But then he blind copied all the bank employees. Cue serious embarrassment for Kevin. He didn't sue, but we're sure this was not far from his mind.
Stephanie Rice gets raunchy
Stephanie was an ordinary, fun-loving Aussie girl who liked sharing party snaps on Facebook. That was all well and good, until she became Stephanie Rice, Olympic Gold Medal winner. All of a sudden those private (and fairly suggestive) photos became public property, and Swimming Australia was not amused.
Who says Liskula Cohen is a skank?
Ever heard of Vogue cover girl, Liskula Cohen? Neither had I. And since I don’t have an RSS feed from the “Skanks in NYC” blog, I didn’t know Liskula had been accused of being “a psychotic, whoring, lying … skank”.
Liskula considered this to be slanderous – in whole or in part – and demanded that Google tell her the identity of the anonymous blogger. Google rolled over, and revealed it was another model, Rosemary Port. Once Rosemary was outed (and seriously embarrassed by the whole affair!) Liskula dropped her defamation case. In a strange twist, Rosemary Port then sued Google for $15 million for failing to protect her privacy.
How associations should deal with members' personal information
Clearly, associations need to exercise extreme caution in dealing with members' personal information. It’s a grey area but these recent examples show that a cavalier approach could end up being both highly embarrassing and hugely costly. There are 3 main steps to follow:
Step 1. Tell them you’re collecting their personal information
It might seem obvious that when someone registers with your association that you’ll be in possession of their personal information – but not as far as the law is concerned. You need to explicitly tell your members that you have collected their details and then tell them what you’re going to do with that information.
Step 2. Tell them what you’re going to do with their personal information
Consider these 2 very different Consent clauses:
Consent Clause A:
“We may use and disclose your personal information for the sole
purpose of providing Product X to you. We will not provide your
personal information to any third parties.” (Anon)
Consent Clause B
“In general we may use and disclose your personal information ... to conduct our business, including for marketing and research purposes.” (NRL)
If your association uses Consent Clause A, you are being very honourable and respectful but not very practical, allowing very little room to seek third party assistance when providing member services. Can you really do everything in house? There are a range of legitimate purposes for which you may at some stage need to use or disclose a member's personal information so you should allow yourself plenty of scope up front by including a wider consent clause in your privacy policy.
We would encourage you to consider including in your privacy policy a clause something like the more “expansive” Consent clause B. This does not mean you are not doing the right thing or that you are not complying with privacy law, but it does enable you to expand member services by utilising third parties such as mail houses and online services, where appropriate.
As long as you tell your members up front that this is what you are going to do, and you manage their personal information in accordance with the terms of your privacy policy you are likely to be OK. Data is like s#x. Consent is everything.
However, while you might be in the clear legally, you should also be aware of reputational issues. In business, your reputation is everything. If you go too far with what you do with members' personal information, consider the likely impact this will have on your brand and corporate image. Privacy compliance is not just about doing the right thing with personal information, it is also about being seen to do the right thing.
Step 3. Secure that data
Under privacy law, your responsibilities don’t stop there:
- You must take reasonable steps to make sure that the personal information you collect is accurate, complete and up-to-date
- You must take reasonable steps to protect that personal information from misuse, loss and unauthorised access, modification and disclosure
- You must take reasonable steps to destroy or permanently de-identify information if it is no longer needed for the purpose for which it was collected.
The future of privacy law
In Aug 2008, the Australian Law Reform Commission brought down a report on privacy law that comprised:
- 3 volumes
- 74 chapters
- 295 recommendations
The Government has released its response to the report and will implement a large majority of the ALRC recommendations in 2 phases. In the first phase, the Government will simplify the Privacy Act, seek to achieve consistency between public and private sector privacy principles, reform credit reporting and provide for greater powers for the Privacy Commissioner. The first phase of legislation is due in early 2010.
In the second phase of reforms, the Government will consider making the following changes:
- Removal of the small business exemption
- Removal of the employee records exemption
- Including a statutory cause of action for serious invasions of privacy
Digital law is evolving and associations need to stay current to avoid becoming a globally quoted case study of how not to handle member's personal information.
If in doubt, contact a lawyer! We know a good one which we can recommend to you.
|