The complainant, the manager of a local bank, took out an insurance policy. The insurance company used personal details it obtained from her to market its policies, naming her and referring to her status as a bank manager. The complainant considered this was a breach of the Privacy Act 1993.

The complaint raised issues under information privacy principles 3 and 11.

Principle 3

This principle provides that, where an agency collects personal information directly from the individual concerned, it must take reasonable steps to ensure the individual is aware of, among other things, the purpose of the collection. An agency is obliged to comply with the requirements of principle 3 on every occasion that a collection takes place unless it had recently advised the purpose of collection.

The policy was taken out in 1988, prior to the Privacy Act 1993. The application forms current at that time authorised use of personal information for marketing purposes. Although the company could not produce the complainant's application, it had recorded that the complainant had agreed to such use. From an inspection of the materials supplied, I was satisfied the complainant had signed an application containing authorisation for the use of personal information for marketing purposes. The complainant said she was unaware of any such provision.

After the enactment of the Privacy Act in 1993, the company adopted a policy of advising its clients, on the annual renewal of their policies, that their personal information could, with their authorisation, be used for marketing purposes. The policy was not followed in the case of the complainant. The company's agent visited the complainant on some five occasions, but she was not advised of the possible use of her information for marketing purposes, or that the agency held an authority given in 1988, or that this was revocable. I considered that on each of these occasions the company collected personal information and that in not obtaining renewed authorisation to use the information for marketing purposes, it was in breach of principle 3.

Principle 11

Principle 11 provides that an agency cannot disclose personal information, but may do so if it believes, on reasonable grounds, that the disclosure is authorised by the individual concerned (principle 11(d)).

As mentioned above, I was satisfied that the complainant had originally given an authorisation to use her personal information for marketing purposes.

On a number of occasions the company had disclosed personal information about the complainant to prospective clients for marketing purposes.

In considering whether the company had reasonable grounds to believe it could rely on the 1988 authorisation for such disclosures, I took into account that the authorisation was five years old when the Privacy Act came into force, and the company itself had doubts about its continued validity. Although the company had instituted a policy of obtaining fresh authorisations on the annual renewals of policies, in this case, it had failed to advise the complainant on at least five occasions that it would continue to disclose her personal information for marketing.

I considered the company could not reasonably believe that the complainant's original authorisation applied. I formed the opinion that the disclosures were in breach of principle 11 and did not fall within the authorisation exception of principle 11(d).

Indexing terms: Collecting personal information - Insurance company - Use of personal information for marketing - 1988 policy application authorised use - Company policy to obtain renewed authorisation - No further authorisation - Information privacy principle 3

Disclosure of personal information - Insurance company - Disclosure of personal information for marketing - 1988 policy application authorised use - Company policy to obtain renewed authorisation - No further authorisation - Information privacy principle 11(d)

June 2001