Office of the Privacy Commissioner | Case note 284190 [2017] NZPriv Cmr 11: Man complains about Automobile Association card information sharing
A man complained that his new Automobile Association (AA) card was configured so that it would share his personal information with a supermarket chain. He had been informed in a letter from AA about the new relationship between the two organisations. Members using their AA card at the supermarket chain would be entitled to discounts on fuel.
The letter said the first time a customer used their AA card at one of the supermarkets, their details would automatically be sent to the supermarket chain. The man objected to the automatic disclosure of his details to the third party and queried whether it breached his rights under the Privacy Act.
The man said he did not want his personal information circulated to the supermarket chain. He gave his details to AA for the benefits he received as a motorist and an AA member, and only for that purpose. He did not trust a supermarket to have access to the information he had given AA to become a member.
Our response
We studied the man’s complaint. The complaint raised issues under principles 10 and 11 of the Privacy Act.
We concluded that AA’s change in policy and its notification by letter of the change did not amount to a breach of the Privacy Act.
Principle 10 allows agencies like AA to use personal information for one of the purposes they originally collected the information for. AA’s terms and conditions indicated that it might contact its members for marketing and promotional purposes. The letter from AA was an example of this.
We advised the man that if he was uncomfortable with his personal information being shared with the supermarket chain, he could elect not to use his new AA card at the supermarkets that AA had a promotional relationship with.
Principle 11 says an agency that holds personal information shall not disclose the information unless the agency believes the disclosure is authorised by the person concerned.
Swiping the new AA card would amount to him authorising the transfer of his personal information to the supermarket chain, as AA explained would happen. We understood from the conditions set out on the AA and supermarket chain’s websites that no information would be disclosed if he did not use the card. Therefore no unauthorised disclosure of information had taken place.
We acknowledged that AA’s new marketing strategy might be objectionable to the man but we informed him that it was not something we could investigate further because there was no evident breach of the privacy principles. We recognised that the man was offended by the prospect of his details being disclosed to the supermarket chain. Even if there had been a breach of a principle, however, we could not have found an interference with privacy without some evidence of harm.
December 2017
Automobile Association ‒ change of policy ‒ collection ‒ disclosure of details to third party ‒ no evident breach of privacy principles ‒ Privacy Act 1993; principles 10 and 11