Journalist Margo Kingston recently quit her job at the Sydney Morning Herald (a Fairfax company) and moved her blog to an independent website: webdiary.com.au.
On the 23rd of August a client of mine received 13 unsolicited emails from that website. The contents of the emails suggested that a lot of people who had commented on the old SMH’s webdiary site had received similar spam. One of my client’s proprietors had also commented on the site. Thinking the spam was from the Sydney Morning Herald and not liking the idea that my client’s privacy had been breached, I emailed them and asked them what was going on.
Their reply included the following: “It appears that your contact details were collected by Margo Kingston, who was previously engaged by Fairfax to edit the Web Diary. Those details were given by Ms Kingston to her associate, Hamish Alcorn, who sent the email in question. We understand that Mr Alcorn has destroyed the list.” It went on to say they had “taken immediate action to ensure that any personal information of Web Diary readers is properly protected.” So Fairfax did not knowingly provide email addresses to Ms Kingston. This was confirmed by Margo four days later when she posted this on webdiary.com.au:
“I understand that Fairfax has received a number of complaints from people who contributed to my former WebDiary on the Fairfax website. Those complaints relate to an email sent to those contributors directing them to my new Webdiary.
I wish to inform everyone that Fairfax was not responsible for sending those emails, which were sent on my behalf solely for information purposes.
G’day. Fairfax’s security systems are intact. I did not and do not have access to or use Fairfax Digital personal information systems, nor have I ever wanted to. I make the statement above in accordance with the acceptance today of an offer I made to Fairfax last week to formally and completely put this fact on the record.”
In comments on the same page she continues, “we created a program to notify Webdiary’s change of address by email should that prove necessary, and an email was sent.” (Seems it did prove necessary.) Interestingly, Margo also quotes legal advice she received …
“(a) you are not in breach of the Privacy Act because you are a “small business” (ie, one with an annual turnover for the previous financial year of $3million or less);
(b) you are not in breach of the Spam Act, because the contributors who address their contributions directly to you were aware that they were responding to comments written by you and posted on the website.
You are therefore entitled to consider that you had an existing business relationship with those contributors from which it is reasonable to infer that you had consent to contact them solely for the purpose of informing them that you would no longer be writing for the Fairfax Web Diary and in order to give them notice of your change of address.”
Some obvious questions:
If the emails were “directing them to my new Webdiary”, how can that be “solely for information purposes”? Surely that is for promotional purposes.
How can Margo say the emails were “sent on her behalf” but that she did “not have access to Fairfax information”? “Sent on my behalf” would seem to be contradicted by “we created a program”.
How can Fairfax’s security systems be said to be intact when many, perhaps all, of the people who commented on a Fairfax web page have been sent unsolicited email by a third party?
If Margo’s legal advice is correct, many employees leaving a business would be entitled to email all their contacts and advise them of their new email address. Once they leave the big business they are a small business and therefore exempt from provisions of the Privacy Act. The Spam Act would not apply because they had an existing business relationship with the client.
And if that is true, the Privacy Policy you read on a website is not worth the pixels it’s printed on – your information is not protected if used by an employee who has left the company.
Employees who leave are entitled to canvass their former employer’s clients, but they’re absolutely not allowed to remove lists of those clients and use them against their ex-employer. That’s just basic employment law.
I’d never been to the site in question before today, but I see from a quick look that contributors’ email addresses don’t appear to be publicly displayed, so it’s likely that a list has been taken. Presumably, the “immediate action” being taken by Fairfax includes a bit of sabre-rattling about returning or destroying any lists.