
Organisations are collecting more and more data in today’s digital economy, and it can often be all too tempting to see the internet as another source of data that can be freely tapped into. When collecting information from the internet, however, it is important to remember that privacy obligations will apply if that information constitutes ‘personal information.’
A recent OAIC determination highlights some key considerations for organisations to bear in mind when they are planning to collect personal information from the internet.
Master Wealth Control Pty Ltd (MWC) offered various educational courses for property investors, including the ‘Elite Mentoring Program’. This program provided participants with weekly leads lists containing personal information of individuals in distressed situations, such as those facing bankruptcy or dealing with a deceased estate (leads list). MWC would compile the leads list by scraping first and last names from daily court listings, published on court websites such as the Victoria Government Gazette, and matching them with property information it obtained from a third party, CoreLogic.
In its Commissioner Initiated Investigation (CII), the OAIC found that MWC had not collected personal information fairly and had breached Australian Privacy Principle (APP) 3 when compiling its leads list. In reaching this view, the OAIC considered two main factors:
The OAIC noted that court listings were published for the purpose of informing parties about proceedings and relevant court details, and that the use of this information for commercial purposes would not be within their reasonable expectations. The OAIC further noted that the terms and conditions on various courts’ websites prohibited commercial use of court listing information, and that individuals would have had a reasonable expectation that their personal information would be used consistently with those terms.
The purpose of the leads list was to enable participants of the Elite Mentoring Program to deliberately target those individuals and seek to capitalise on their circumstances by acquiring their properties for below market value. The OAIC viewed the collection of personal information in these circumstances to be unfair, given the potential adverse impacts that it might have on individuals who were experiencing vulnerability.
In addition to finding that MWC’s collection of personal information was ‘unfair’, the OAIC found that MWC had failed to comply with the following privacy obligations:
This CII offers a number of valuable lessons for organisations that may be contemplating collecting information from a publicly available source:
The first step is to recognise that you are collecting personal information. If you are, then you should start considering how you will comply with privacy obligations.
The CII provides a helpful demonstration of how to assess whether a particular collection of personal information is “fair.” The CII suggests that the assessment should be a holistic one and not focus solely on the method of collection. Organisations should demonstrate that they have considered the individuals’ reasonable expectations for the publication of the information, any applicable terms of use, how the organisation is planning on using the information, and, importantly, whether any vulnerable individuals may be impacted by the proposed collection and use of personal information.
The obligation to provide Privacy Notices and ensure accuracy of personal information requires “reasonable steps” to be taken. It may be tempting to reach a conclusion that it is too difficult, and therefore not reasonable, to take any steps to satisfy these obligations when collecting personal information from the internet, especially where an organisation is collecting large amounts of information about third parties. The CII warns against reaching such a conclusion hastily, especially if the data relates to individuals experiencing vulnerabilities, or if collection or use of inaccurate personal information could have any adverse impacts on the individual.