Guest post by Katrine Evans, Senior Associate at Hayman Lawyers. Originally published on LinkedIn Pulse.
Despite our “post-truth” environment (cue eye-roll), there are probably very few Kiwi businesses that subscribe to the theory that there’s no such thing as bad publicity. As a result, the Privacy Commissioner’s policy of naming agencies that fail to act responsibly should be something that influences how businesses operate - and how they react when things go wrong.
There’s been a little flurry of activity under the naming policy since the beginning of December last year, and three of those cases involve SMEs:
- Law Debt Collection Ltd referred a disputed debt to a credit reporter without giving the man a proper chance to prove that the debt was genuinely disputed (which it was). The man got the debt removed eventually, but not before he’d been unable to renegotiate his mortgage rates.
- TD Drilling Ltd failed to provide an employee with information that he asked for and then said it had lost much of it in a move. It also disclosed at a staff meeting that he’d made a confidential statement about use of drugs in the workplace. This made his employment untenable and created worries about possible retaliation. The disclosure issue was a central focus of his successful Employment Relations Act case, but the Privacy Commissioner dealt with the other points.
- Expression Sessions, a photography business, kept and used children’s photos in advertising material after saying they would only be given to the client. It had seriously misled the children’s mother about what would happen with the photos.
These won’t have been the only situations during that time where the Commissioner’s office (OPC) found there had been a breach of the Privacy Act. So why were these particular businesses singled out for attention?
There are various factors, listed in the Commissioner’s policy. None on their own guarantee that you’ll be named, but all increase the odds of being on the wrong end of a media release. These cases give good illustrations of some of those factors.
- If your actions appear to be cavalier, expect trouble. Serious breaches are more likely to result in being named – particularly if you harm someone and the harm was avoidable if you’d applied some common sense. The Privacy Act’s also been law since 1993. If you haven’t got the basics down by now, you’re going to look pretty dumb. All these companies got some very obvious stuff wrong.
- If your practices appear to place others at risk, there’s a real argument to say you should be publicly outed. For example, the Commissioner’s media release said that Expression Sessions was named to warn other consumers about its unlawful practices. It could have been very different if they’d engaged with the Office and could show they’d changed their spots so future customers wouldn’t have the same experience.
- Don’t ignore the Privacy Commissioner. All three companies either failed to respond to OPC, or stopped responding during the investigation. This happens on occasion – some agencies stick their head in the sand, others get grumpy and defensive and walk away, or actively thumb their nose at the regulator. Talk about self-defeating tactics. And they’re unnecessary. Even if you disagree with the view that OPC is taking on a complaint, the office isn’t exactly hard to engage with.
- You’ll have a chance to fix things for the complainant - take it. OPC places a lot of emphasis on trying to resolve disputes. Lots of agencies make mistakes, but most can see the writing on the wall and will try to address the problem for the complainant in some way. Even if you don’t agree with OPC’s legal analysis, keep looking for practical ways to resolve things. From the Commissioner's case summaries, it looks like none of these companies made any effort, even though it was obvious they’d stuffed up.
- Bad publicity isn’t necessarily the end of it. Law Debt’s failure to remedy the harm it did to the man is very likely to be one of the reasons the case has been referred to the Director of Human Rights Proceedings for him to think about taking proceedings in the Human Rights Review Tribunal. The Privacy Commissioner can’t order an agency to pay compensation or change its processes – but the Tribunal can. So this might not be the last we hear of the case.
- If your case will be a “teachable moment” for others, you could end up being an unwilling poster child. This usually ties in with the other factors rather than standing alone, but it’s important to consider. Often it’s not necessary to name an agency in order to warn others about how to comply with the Act. But if you’ve behaved badly and haven’t fixed things up, you could end up being named to deter others from making similar mistakes. For instance, the Law Debt case is a good example of where lots of other agencies out there may need a short sharp lesson about how to handle disputed debts. After all, the risks to individuals if you get it wrong are significant. Naming one agency can help to make others sit up and take note - and try to avoid similar publicity - in a way that an anonymous case summary won’t.
It's mostly pretty easy to avoid being named by the Commissioner (it's a doddle compared with avoiding negative reviews on Facebook!). Reducing your chances of breaching privacy is obviously the best way, and if you have an opportunity to check that your business isn't running too many risks, that would be ideal. (Tip: you don't need expensive lawyers all the time: having a privacy officer on staff helps hugely.) But if you do end up being the reluctant subject of a privacy complaint, it certainly helps to deal with it properly.