
A law firm faxed the complainant at his workplace demanding that a cash retainer be paid later that day. The fax was sent to the general fax number at the complainant's workplace. The complainant was not at the workplace that day. One of his colleagues noted the fax late in the afternoon, collected it and gave it to another colleague who worked closely with the complainant. That colleague contacted the complainant and said it would be stored safely until he could collect it.

I formed the view that the complainant had suffered significant loss of dignity and humiliation.

The complaint raised issues under information privacy principles 5 and 11.

Information privacy principle 5

Principle 5 requires agencies to take reasonable security safeguards against a number of risks, including unauthorised disclosure.

The law firm did not claim that it authorised the transmission of personal and private faxes to an individual client's workplace, except with the client's instruction to do so. I therefore had to look into the safeguards it operated to prevent unauthorised access to, or disclosure of, materials which might be faxed to a workplace.

The fax message had a confidentiality statement at the bottom of the page. I considered that this was not a reasonable security safeguard for the purposes of principle 5 because it could not prevent the message from being read by anyone.

I suggested that the law firm consider adopting a practice of calling people prior to sending a fax. In other complaints I had accepted such a practice to be a reasonable security safeguard for the purposes of principle 5. I considered that practice to be the only effective way of preventing a message from being seen by anyone except the intended recipient, because it would allow the intended recipient to stand by the fax machine and retrieve the message as it was received.

The law firm failed to satisfy me that it had a policy which complied with principle 5. More importantly, it failed to indicate whether it would be prepared to adopt a policy that would comply. I formed the opinion that the law firm had breached principle 5 by failing to take reasonable security safeguards to protect the information contained in the fax message from unauthorised disclosure.

Information privacy principle 11

Principle 11 limits the circumstances in which personal information may be disclosed.

For there to be a disclosure under principle 11 it is necessary to show that a third party received information of which it was previously unaware. I was satisfied from my investigation that at least two people read the fax. I was also aware of a third colleague's claims that other people were aware of the fax and able to discuss its contents.

Principle 11 sets out a number of exceptions allowing disclosure. Having satisfied myself that there was a disclosure, I had to consider whether any of those exceptions applied in the circumstances. Principle 11(d) allows a disclosure if the agency believes on reasonable grounds that the disclosure has been authorised by the individual concerned.

The law firm submitted that the complainant authorised the disclosure through his prior conduct with it. It claimed that the complainant had previously received faxes at his workplace, none of which had been preceded by any telephone contact from the firm.

There was a fundamental conflict on this point which was not ultimately resolved. The complainant said he was always called before faxes were sent to his workplace. He also said that when he called after this particular fax was sent, he was told that the law firm had a policy of calling before sending faxes to people at their workplaces. The law firm claimed it did not have any such policy but instead it did have a policy of not sending faxes to people's workplaces unless expressly requested to do so. It claimed that, in accordance with this policy, messages had been faxed to the complainant's workplace only following his express request.

I asked the law firm to support its claim of having a practice not to send faxes to the workplace without the client's authorisation. In order to prove the policy had been followed, I thought the law firm should have retained a record of the complainant's authorisation on file. I also considered that in order to claim a general right to communicate with clients by fax, any authorisation would need to be in general terms and indicate the fax number which was to be used.

The law firm provided me with a file note which it said was the complainant's authorisation for it to fax him at his workplace. The file note did not indicate that the complainant wanted all communications to be faxed to him at work. Instead it was a note of a request by the complainant to have a specific item faxed to him.

On balance, I considered that the complainant had not given the law firm a general authorisation to send faxes to him at his workplace. However, even if he had given such an authorisation, I would still have expected the law firm to have telephoned to confirm he would be there to receive the faxes. It failed to do so. For these reasons, I formed the opinion that the fax was sent, and information disclosed as a result, in breach of principle 11.

Harm

Section 66 of the Privacy Act defines an interference with privacy. An action will be an interference with the privacy of an individual if it breaches an information privacy principle and results in some adverse outcome for that person.

In this case, the complainant alleged he was very embarrassed as a result of the disclosure and said it had damaged his reputation.

Both of the complainant's colleagues who saw the fax told me that the fax machine to which the message was sent is heavily used and that people from various departments would go through the in-tray for faxes pertaining to them. Both remarked that there was a very real chance that a number of people had seen the fax. A third colleague confirmed overhearing other staff discuss the fax.

I could appreciate how embarrassing this would have been for the complainant.

Given the potential number of people who had seen the fax and the nature of the fax, I formed the opinion that the complainant had suffered significant loss of dignity and significant humiliation in terms of s 66(1)(b)(iii).

I was unable to effect a settlement of this complaint and closed my file after advising the complainant of his right to take this matter to the Complaints Review Tribunal.

August 1999