It’s official: dcc:ing can be a privacy breach

Who doesn’t have a story about a time they received an email with dozens of people identified in the to: or cc: field, when they obviously should have been in the bcc: field?

Well, Australia’s Privacy Commissioner has given the clearest indication yet that dcc:ing can breach the Privacy Act.

‘dcc:ing’? It’s ‘dumb copying’, as opposed to ‘blind copying’.

Direct marketer fouls up

According to the Privacy Commissioner’s published ruling, ‘A direct marketer sent out a promotional email which displayed the email addresses of all recipients.

‘The direct marketer responded promptly to the Commissioner’s investigation and the incident … [and] … explained that individuals provide it with their email address specifically to receive information about upcoming promotions.

‘The direct marketer provided its promotional email list to a third party organisation to issue the promotional email. As a result of human error, the third party organisation distributed to everyone who was on the email list an email showing those individuals’ email addresses, rather than using the blind carbon copy or ‘BCC’ email function.’

All familiar stuff. Too familiar.

Privacy Commissioner’s take on it

‘The Commissioner considered that where an email address amounted to “personal information” … the privacy of a number of individuals may have been interfered with.

‘NPP 2.1 provides that personal information collected for a primary purpose must not be used or disclosed for a secondary purpose unless one of a number of exceptions in NPP 2.1(a)-(h) applies.

‘NPP 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.’

‘Personal information’

Under the Privacy Act, information is only protected as ‘personal information’ if the identity of the individual concerned is apparent or can reasonably be ascertained.

So the disclosure of an address like ‘flogbottle21@gmail.com’ might not involve ‘personal information’. But if an email is dcc:ed to ‘kevin.rudd@parliament.gov.au’, some folks might work out who that might be :-)

It’s not just about the address

It’s not just disclosure of the address that can hurt. There was a spectacular example in 2001 when the manufacturer of Prozac dcc:ed 600 people on the anti-depressant.

Internet Anxiety Real for Some Patients on Prozac

Hundreds of people learned last month that the maker of one of the best-selling antidepressants had accidentally released their identities over the Internet.

Eli Lilly and Company, manufacturer of one of the world’s most widely prescribed antidepressants, was trying very hard to wipe the egg off its face last month.

The maker of Prozac admitted early last month that it had accidentally sent out an e-mail message that included the e-mail addresses of more than 600 individuals who participate in a program in which the company forwards messages about Prozac. Messages can include such information as reminding participants to adhere to their drug regimen and renewing prescriptions. None had given the company permission to release e-mail identities.

The victims of the confidentiality breach, most of whom had diagnoses of depression, obsessive-compulsive disorder, or an eating disorder, had signed up for the Lilly program voluntarily. It is not known whether all the participants use Prozac.

The two-year-old program apparently had operated without major security glitches until June 27, when messages that were supposed to be sent as individually addressed e-mails were instead sent en masse so that every recipient could read the e-mail addresses of all the other program participants.
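The failure mode in both incidents is the same, and it is one a pre-send check can catch: a bulk message whose To/Cc headers carry every recipient. The following is an added example (mine, not code from the article, the direct marketer or Eli Lilly) in Python that flags such a message and shows the individually-addressed alternative; the addresses, threshold and sample message are constructed for illustration.

```python
import email
from email.message import EmailMessage
from email.utils import getaddresses

# A promotional send should expose at most one recipient address
# in the headers every recipient can read (To and Cc). Constructed threshold.
MAX_EXPOSED = 1

# Constructed example of a "dumb copied" promotional email.
# Bcc is listed here as a draft would carry it; a sending MTA strips it,
# so it is deliberately not counted as exposed below.
DCC_MESSAGE = """\
From: promos@example.com
To: alice@example.com, bob@example.net, carol@example.org
Bcc: hidden@example.org
Subject: This week's promotions

Hello valued customers
"""


def exposed_recipients(raw):
    """Return the addresses that every recipient will see (To + Cc)."""
    msg = email.message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_message(raw, max_exposed=MAX_EXPOSED):
    """Pre-send guard: (ok, exposed_addresses). ok is False when the
    message would disclose more addresses than the threshold allows."""
    exposed = exposed_recipients(raw)
    return len(exposed) <= max_exposed, exposed


def build_individual_messages(sender, subject, body, recipients):
    """Safe pattern: one message per recipient, so no recipient's address
    ever appears in another recipient's copy."""
    messages = []
    for recipient in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = recipient
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


if __name__ == "__main__":
    ok, exposed = check_message(DCC_MESSAGE)
    print("dcc'd message passes:", ok, "exposed:", exposed)
```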

All’s well that (sort of) ends well

Fortunately for the unidentified direct marketer, the Privacy Commissioner was satisfied that ‘The third party organisation counselled the individual responsible for the error and staff undertook refresher training in its quality control procedures. These procedures were also updated to prevent a similar incident in the future.

‘The direct marketer acted quickly to contact all individuals who were on the promotional email list to apologise and explain what happened. The direct marketer also committed to report to appropriate authorities any misuse of the email addresses including issuing spam emails.’

The bottom line

It’s now clear that ‘merely’ including an address in a public field can constitute a privacy breach in the eyes of the Commissioner.

Inappropriate dcc:ing has passed from a dumb thing to do to a potentially illegal thing to do.

About Peter Moon

Peter Moon is a commercial lawyer with 20 years experience in the tech and telco industries.