Office of the Privacy Commissioner | Case Note 26280 [2002] NZPrivCmr 2 - Clients object to their financial report being used for marketing purposes by life assurance company
A life assurance company, in consultation with a couple, prepared a financial report which contained detailed personal information about the couple and their family. Based on the proposals in the financial report, the company developed a 'sample plan' for marketing purposes.
The couple alleged that although some of their personal information had been omitted from the sample plan, sufficient was included to identify them. The company distributed the sample plan to a number of its employees and to others outside the company. The couple complained that in distributing the sample plan, the company disclosed personal information.
The complaint raised issues under information privacy principles 5 and 11. I formed the provisional opinion that the disclosures were in breach of principle 11 but did not breach principle 5.
Principle 5
Under principle 5, I had to consider whether the company had reasonable security safeguards to prevent unauthorised disclosure of the personal information the company held. Principle 5 does not require that safeguards are failsafe but that they are 'reasonable' in the circumstances.
The company outlined its security safeguards and policies concerning the disclosure of personal information and, in particular, concerning the use of sample plans. These included induction training for new advisers, compliance training modules for advisers and staff, Privacy Act statements and declarations attached to applications, and investment statements containing procedures to be followed when dealing with personal information.
The company said it accepted that before using a financial report as a sample plan to present to other customers, the report must be properly 'sanitised' (to use the company's expression) so that individuals could not be identified. The company has acknowledged that in this case, the procedure was not followed.
The company told me that it has made a number of changes to its system as a result of this complaint to minimise the risk of a similar breach occurring. These include a new process for drafting sample plans which are not based, even anonymously, on any particular customer's circumstances.
In some cases, I have taken the view that an agency is not in breach of principle 5 even though there has been a 'one off' unauthorised disclosure of information. It is extremely difficult for an agency to prevent occasional instances of human error and it is possible for an agency to have reasonable security safeguards in place, but for those safeguards to fail to prevent the actions of a 'rogue' employee.
In the circumstances, I considered that the company's action in disclosing personal information about the complainant was a 'one off' error. I considered that it took reasonable steps to ensure that staff were aware that personal information should not be disclosed unnecessarily, or without the company's authority. My provisional view was that the company had not breached principle 5.
Principle 11
Principle 11 places a general limit on the disclosure of personal information by an agency, subject to certain exceptions.
The company acknowledged that the sample plan was not properly 'sanitised' and contained personally identifiable references. It also acknowledged that the sample plan had been disclosed to a number of employees and to two people outside the company. It was not clear if it had been shown more widely.
One man received the plan as a possible client. Shortly after receiving the plan, he contacted the company and said he felt that he should not continue to read the plan because he recognised the couple and their family. On the facts admitted by the company I did not consider the disclosure to the potential client fell within any of the exceptions to principle 11. My provisional opinion was that the company had disclosed the information to that person in breach of principle 11.
The plan was also given to an accountant who had an association with the company and an interest in this type of plan.
Copies of the sample plan were also given to a number of employees. The company advised that the questionnaire workbook provided to the couple contained the following statement:
_The information supplied in this workbook is intended for use by the Advisor and those Company employees who need access to this information for providing advice and administering any business with the Company_
I am confident that potential customers would understand that information given was to be used and disclosed only for the company's purposes in transacting business with them. Although there was provision for the statement to be signed by the couple, this was not done.
Exceptions to principle 11
Principle 11(a) provides that an agency may disclose information if it believes, on reasonable grounds, that the disclosure is one of the purposes in connection with which information was obtained, or is directly related to the purposes in connection with which it was obtained.
Although I could accept that one of the purposes for collecting the information was to provide it to employees for the purpose of completing the report, it was apparent that the distribution of the sample plan went beyond that group. It was used without the couple's authorisation as an example to keep other employees up to date. It was also given to an employee in a business marketing seminar and to an accountant who might be engaged in future work for the company. I took the view that principle 11(a) did not permit disclosure to these other employees or to the accountant.
My provisional opinion was that these disclosures breached principle 11.
Harm
Section 66 provides that an action is an interference with a person's privacy if it breaches an information privacy principle which results, or may result, in an adverse effect, such as significant injury to the person's feelings. The couple said that the disclosure had led to them suffering depression, sleep disruption, moodiness and constant concerns about the public nature of the disclosures. Their relationship with one of their children had become strained, as had their relationship with one of the recipients of the sample plan. I considered that the company's actions in disclosing the financial details in the plan had caused harm of the nature described in section 66(1)(b) and had led to an interference with the couple's privacy.
Following receipt of my provisional opinion, the company offered $23,000 as financial compensation. The couple accepted this and I discontinued my investigation on that basis.
Indexing terms: Storage and security - life assurance company - financial report prepared for couple - sample plan, based on the couple's financial report, disclosed to employees and to others - new procedures adopted after investigation - 'one off' disclosure - information privacy principle 5
Disclosure - life assurance company - financial report prepared for couple - sample plan, based on the couple's financial report, disclosed to employees and to others - Privacy Act 1993, s 66(1)(b), information privacy principle 11
January 2002