From conversations with our clients there seems to be confusion over the laws surrounding privacy and email (spam). The two are often confused but in reality are quite separate. Both have been designed to protect the rights of the individual but in completely different ways.
Following is an overview of both as they relate to direct marketing.
The Spam Act is all about protecting individual’s email privacy relating to use of their email address.
The Act refers to spam as “unsolicited commercial electronic messaging” which covers emails, instant messaging, SMS and other mobile phone messaging, but does not cover normal voice-to-voice communication by telephone.
To be covered by the Spam Act, the message must be commercial in nature. Communications are only considered to be spam if they are sent without the prior consent of the recipient.
Express consent is obtained when a person directly instructed you to send them a message. You have received express consent from an addressee if that person has specifically requested messages from you. Examples include when the addressee has subscribed to your electronic advertising mailing list; the addressee has ticked a box consenting to receive messages from you; or the addressee has specifically requested such material from you over the phone.
Consent may be Inferred when it is clear that there is a reasonable expectation that messages will be sent. You may be able to reasonably infer consent after considering both the conduct of the addressee and their relationship with you. For example, if the addressee has an existing relationship with you and has previously provided their address then it would be reasonable to infer that consent has been provided. The Spam Act also permits messages be sent if the message relates to the addressee’s published employment function. For example if a plumber advertises their email address, it is okay to send them offers of work or of plumbing supplies, but not to send an offer unrelated to their work, such as cheap pharmaceuticals.
This is about the data that you hold on individuals, the way it is stored, managed and disclosed. Email addresses can be a part of an individual’s data set but email is also covered by the Spam Act outlined above.
The Privacy Act 1988 (Privacy Act) includes the collection, use, storage and disclosure of personal information, and access to and correction of that information.
The Privacy Act includes thirteen Australian Privacy Principles that apply to the handling of personal information :
APP 1 — Open and transparent management of personal information
APP 2 — Anonymity and pseudonymity
Requires individuals are given the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
APP 3 — Collection of solicited personal information
Outlines when an entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.
APP 4 — Dealing with unsolicited personal information
Outlines how an entity must deal with unsolicited personal information.
APP 5 — Notification of the collection of personal information
Outlines when and in what circumstances an entity that collects personal information must notify an individual of certain matters.
APP 6 — Use or disclosure of personal information
Outlines the circumstances in which an entity may use or disclose personal information that it holds.
APP 7 — Direct marketing
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
APP 8 — Cross-border disclosure of personal information
Outlines the steps an entity must take to protect personal information before it is disclosed overseas.
APP 9 — Adoption, use or disclosure of government related identifiers
Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
APP 10 — Quality of personal information
An entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
APP 11 — Security of personal information
An entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
APP 12 — Access to personal information
Outlines an entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
APP 13 — Correction of personal information
Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.