A recent decision of the Privacy Commissioner involving a recruitment company deserves not to go unnoticed by organisations using email communication as part of their business.
The decision is, in effect, a rap over the knuckles for the company, which sent an email to clients leaving all recipients' email addresses visible.
While visible group emailing is often the result of a mistake in using the "cc" button instead of the "bcc" (blind carbon copy), it appears there are a good number of small business operators unaware of the Privacy Act breaches they may be committing.
In the case of recruitment, the potential damage may not be as innocuous as finding out who else receives an email from the local tennis club or beauty salon – if you are looking for a new job you might want to be a little circumspect about it!
In a recent case dealt with by the Privacy Commissioner, after a recruitment agency sent an email out to a number of its clients with their addresses visible, one of them complained to the company about his email address being disclosed. The company apologised but the man didn't consider that enough in the circumstances and laid a complaint with the Commissioner.
The recruitment agency explained the error had happened through use of the "cc" field instead of the "bcc" field. They expressed sincere apologies for the one-off mistake, appreciating that confidentiality was important given the nature of their business and assuring the man and the Privacy Commissioner that steps had been taken to ensure it would not happen again. The man accepted this apology and the complaint was settled with the Commissioner writing to the company saying it would be concerned if the situation recurred.
While this matter was laid to rest, it does raise relevant issues for a number of other businesses emailing clients over their obligations under the Privacy Act.
The Privacy Act is based on "Information Privacy Principles" – and one of these is that an organisation that holds personal information must not disclose that information to others except in certain circumstances. Those exceptions include that an individual has authorised the disclosure, the source of the information is publicly available or that the disclosure is necessary to avoid prejudice to the maintenance of law.
In most cases, a client or customer will be on an organisation's database for direct communication – without any agreement to disclose their relationship with the organisation to others. Allied to privacy issues, an organisation risks breaching its confidentiality obligations to clients or customers which might arise as a result of a special relationship between them.
Although accepting it as a one-off error, the Privacy Commissioner told the recruitment company it had breached the Privacy Act by disclosing personal information in the way it did.
The Commissioner said that because the nature of the recruitment business "required confidentiality", it was important to recognise that email addresses were part of this requirement of confidentiality.
The same applies to many other professions and organisations where duties of confidentiality are paramount. Lawyers, for example, owe stringent obligations of confidence to their clients. In fact, the Law Society's recently updated Rules of Professional Conduct pay particular attention to the subject, noting that even "information acquired in the course of the professional relationship that may be widely known or a matter of public record (such as the address of the client, criminal convictions, or discharge bankruptcy) will nevertheless be confidential information".
The lesson to be learned from this case is simple but important: an organisation that has a practice of sending out updates to its client database should ensure that it has safeguards in place to prevent the disclosure of information which may identify an individual. Make sure you use the "bcc" field before pressing send.
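One way to put that safeguard into the sending code itself, rather than relying on staff choosing the right field, is shown below. This is an added example and not code from the article or from the recruitment company involved; the agency address, list alias and client addresses are constructed sample values. It builds a bulk message with every client in Bcc, refuses to send any message that would expose more than one address in To or Cc, and shows what actually leaves the server: the envelope recipients include the Bcc list, but the transmitted headers do not.

```python
"""Send-time safeguard for client mail-outs (added example, not the article's code).

Recipients go in Bcc only. A pre-send check refuses any message whose To/Cc
headers would reveal more than one address to the people receiving it, and
the envelope/wire split mirrors what smtplib.SMTP.send_message does: Bcc is
used for delivery but stripped from the headers that recipients can read.
"""
import email
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data; none of these are real mailboxes.
AGENCY = "jobs@agency.example"
LIST_ALIAS = "jobs@agency.example"  # the only address recipients should see
CLIENTS = ["alice@example.com", "bob@example.net", "carol@example.org"]

MAX_VISIBLE_RECIPIENTS = 1  # anything beyond the list alias is a disclosure


class RecipientExposureError(ValueError):
    """Raised when a message would show recipients each other's addresses."""


def _addresses(msg, *headers):
    """Bare addresses from the named headers (display names dropped)."""
    raw = []
    for name in headers:
        raw.extend(msg.get_all(name, []))
    return [addr for _, addr in getaddresses(raw) if addr]


def visible_recipients(msg):
    """Every address a recipient could read off the To and Cc headers."""
    return _addresses(msg, "To", "Cc")


def build_bulk_message(sender, list_alias, recipients, subject, body):
    """The safe pattern: one visible alias in To, the client list in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = list_alias
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_cc_mistake(sender, recipients, subject, body):
    """The pattern from the complaint: the whole client list in Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def check_before_send(msg, limit=MAX_VISIBLE_RECIPIENTS):
    """Gate every outgoing mail-out through this before handing it to SMTP."""
    visible = visible_recipients(msg)
    if len(visible) > limit:
        raise RecipientExposureError(
            f"{len(visible)} addresses would be visible in To/Cc; limit is {limit}"
        )
    return visible


def envelope_and_wire_message(msg):
    """Return (SMTP envelope recipients, message as transmitted).

    Delivery uses To + Cc + Bcc; the copy that goes on the wire has the Bcc
    header removed, so no recipient can see who else was on the list.
    """
    envelope = _addresses(msg, "To", "Cc", "Bcc")
    wire = email.message_from_bytes(msg.as_bytes(), policy=msg.policy)
    del wire["Bcc"]
    return envelope, wire


if __name__ == "__main__":
    safe = build_bulk_message(AGENCY, LIST_ALIAS, CLIENTS, "Vacancy update", "New roles this week.")
    print("visible:", check_before_send(safe))
    env, wire = envelope_and_wire_message(safe)
    print("envelope:", env)
    print(wire.as_string())
    try:
        check_before_send(build_cc_mistake(AGENCY, CLIENTS, "Vacancy update", "New roles this week."))
    except RecipientExposureError as exc:
        print("refused:", exc)
```

In production the `check_before_send` call would sit immediately before `smtplib.SMTP.send_message`, which performs the same Bcc stripping as `envelope_and_wire_message`; keeping the check in code means a wrong click in a mail client cannot reach the client database in the first place.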