The Privacy Commissioner has named a photography business, Expression Sessions Ltd, (Expression Sessions) as the result of a complaint. Expression Sessions breached principles 3, 4, 9 and 10 of the Privacy Act.
Expression Sessions is a photography business. The business operated a stall in a shopping centre in 2014, where it offered a free photo shoot for children, with the option for parents to later purchase prints.
A mother took Expression Sessions up on the offer, but did not ultimately purchase the photos of her children. She was told that the photos would be deleted.
Two years later, the woman found the photos used in a variety of advertising material, including a large print poster in a mall.
The Commissioner found that Expressions Sessions breached principles 3, 4, 9 and 10 of the Privacy Act.
Privacy Commissioner John Edwards said “When people give their information to agencies, they need to be able to trust that those agencies will respect that information. Expression Sessions misled this woman about almost everything – how long the photos would be stored, who would see them, and even why they were taking them in the first place.”
Principle 3 requires agencies to tell people how they will use their information (such as a photo). Expression Sessions had the woman sign a form, but that form gave no indicator of the fact that the photos would be used for advertising.
Mr Edwards said “Not only did Expression Sessions omit the fact that photos would be used for promotional purposes, it went as far as to specifically say that photos would only be made available to the client. Putting someone’s photos on a poster makes those photos available to thousands of people, the vast majority of whom are not the client.”
Principle 4 prohibits agencies from collecting information in unlawful or unfair ways. Telling the woman that her photos would be destroyed, then using those photos in advertising was unfair, as the woman would not have had the photos taken had she known that they would be used in this way.
“While there is nothing stopping businesses from using photos of people in advertising, the Privacy Act and common courtesy both require them to ensure that those people know their images will be used in that way,” Mr Edwards said.
Retention and use of information
Principle 9 requires agencies to delete information when they no longer need it, and principle 10 prohibits agencies from using information for a purpose other than the purpose for which they collected that information. Since Expression Sessions told the woman that the photos were only for her, it should have deleted the photos when she declined to purchase them. Expression Sessions breached principle 9 by not deleting the images, and breached principle 10 by using the images for advertising.
“I take a dim view towards agencies being so cavalier with personal information,” Mr Edwards said. “Expression Sessions didn’t just omit details about how the photos would be used. It went as far as to explicitly say that the photos would be deleted, and then go on to print them on a poster.”
Expression Sessions briefly engaged with the investigation, but ceased to communicate with the Privacy Commissioner’s office halfway through last year.
Mr Edwards said “Agencies that breach peoples’ privacy should take steps to make it right. At a minimum, this includes engaging with my office’s investigations by answering questions and providing relevant information. Expression Sessions did not do this.”
The Commissioner is publicly naming Expression Sessions in accordance with the Office’s naming policy. Mr Edwards said “Expression Sessions appears to still be in business. We are publicly naming the organisation in order to warn other consumers about its unlawful practices when it comes to personal information.”
Contact: Sam Grover 021 959 050 to interview Privacy Commissioner John Edwards.
Note for editors: This is the fourth recent application of the Privacy Commissioner’s policy on naming respondents.
- On 5 December 2016 the Privacy Commissioner publicly identified Law Debt in relation to breaching the Privacy Act: https://www.privacy.org.nz/news-and-publications/statements-media-releases/privacy-commissioner-finds-debt-collector-failed-to-check-accuracy/
- On 19 December 2016 the Privacy Commissioner named The Department of Corrections in relation to its actions in handling an inmate’s information request: https://www.privacy.org.nz/news-and-publications/case-notes-and-court-decisions/case-note-277412-2016-nz-privcmr-13-corrections-failed-to-comply-with-access-request-from-inmate-seriously-assaulted-in-prison/
- On 22 December, 2016, the Privacy Commissioner named TD Drilling for failing to provide an ex-employee with information he needed for his dispute with the company: https://privacy.org.nz/news-and-publications/statements-media-releases/privacy-commissioner-names-non-complying-agency/