The AAB held that the reading out of unsolicited data of a data subject contained in her letter where no restriction for use was imposed in a special meeting held to decide issue relevant to the matters contained in the letter is viewed as for a directly related purpose under DPP3.
Complainant a member of a martial art club - she wrote to the club for waiver or reduction of fee with personal reasons given - meeting convened to decide the matter - the personal reasons given were disclosed - DPPs 3 and 4 of the PD(P)O
The Complaint
The complainant lodged a complaint against the head of the martial arts association of which she was a member. The complainant had previously had certain outstanding issues with the association, in connection with which a special meeting of the association was convened. Since the complainant was not able to attend that meeting, she sent on her own accord a fax to the head of the association just before the meeting. In that fax, she raised certain arguments relevant to the issues to be discussed in the coming meeting. In connection with an issue about the payment of fees, she also disclosed certain family circumstances in support of her plea for a fee reduction or waiver.
In the meeting, the head of the association instructed that the fax from the complainant be read out in full to all those present in the meeting. Learning about this afterwards, the complainant considered that the disclosure of her family matters had caused her severe embarrassment among the fellow members of the association. She therefore complained to the PCPD.
Findings of the Privacy Commissioner
After investigating the case, the Privacy Commissioner formed the view that insofar as the complainant's data were provided to the head of the association on her own accord, these were unsolicited data so far as he was concerned. Furthermore, the purpose for which he received the data was to enable the decision in the coming meeting of the issues concerning the complainant. Since neither the entire fax nor any part thereof carried any "confidential" mark or similar indication, the head of the association could not have been expected to know that the complainant in fact objected to the disclosure of her family matters to others. Hence, in asking for the fax to be read out in the meeting, the head of association did not use the data contained therein for any purpose other than the purpose for which these data were collected by him. There was accordingly no breach of DPP3. Similarly, the Commissioner found that the head of the association had not in the circumstances failed to take such steps as were reasonably practicable to safeguard the security of the personal data of the complainant, hence there was no breach of DPP4.
The Appeal
Upon appeal by the complainant, the AAB unanimously upheld the Commissioner's decision that there was no contravention of any requirement of the PD(P)O. Indeed, regarding DPP4, the AAB held that the object of that principle is to ensure that personal data are properly kept and stored. As such, that principle had no application to this case.
AAB's decision
The appeal was dismissed.