PR and the “my client told me to do it” defence

Brisbane public relations agency Mercer PR came under fire recently after it released the identity of a female sexual assault complainant on Nauru in what was described as an “extraordinary” breach of privacy. The press response was brutal and even the Public Relations Institute of Australia waded into the fray, calling for better professional standards.

Among the questions raised about Mercer’s conduct, one of the most prominent was whether or not releasing the woman’s name may have constituted a breach of Australian privacy law. Mercer claimed that they were only doing what their client had instructed them to do, which the Nauruan Government confirmed, stating that they had not ‘published’ the name and had merely sent a police report including the name to a few select media outlets.

So what are the rules for agencies when it comes to privacy and issuing press releases and information on behalf of clients?

Lessons for agencies

Like any other Australian business, PR agencies with a turnover of more than $3 million annually must comply with the Australian Privacy Principles (APPs), as set out in the Privacy Act 1988 (Cth) (the Act). Even agencies with a turnover of less than $3 million may need to comply if they disclose personal information to anyone else for a benefit, service or advantage. As a general principle, it is good practice for agencies to assume that Australian privacy laws apply to them.

The Australian Privacy Principles regulate the collection, use and disclosure of personal information, which is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not. Classic examples include information like an individual’s name, age or address.

Additional protections apply to a category of personal information called “sensitive information”, which includes information about an individual’s racial or ethnic origin, political opinions, religious beliefs, sexual orientation, health information and more. Such information can generally only be collected with the express consent of the individual to whom the information relates.

The APPs provide that an organisation must not collect personal information unless the information is “reasonably necessary” for one of its functions or activities. For PR agencies, collecting personal information to provide services to clients would be an example of such a function or activity. Sensitive information, however, may generally only be collected with the consent of the individual.

In setting out the provisions governing the collection, use and disclosure of personal information, the Act draws no distinction between entities that control or own personal information and entities that provide services to such information owners, except in certain limited circumstances that deal with contracted service providers to government agencies. PR agencies typically fall into the second category, where information might fall into their possession by virtue of the work they do for their clients, but generally is not collected directly from the individual. Regardless of how the personal information came into their possession, all such APP entities, including PR agencies, are bound under the Act in respect of their handling of that personal information.

For PR firms, this means that they are bound to deal with personal information in accordance with the APPs, even though they did not collect the information themselves. Practically speaking, therefore, if a client asks its agency to disclose personal information in a press release or attachment, the PR firm must still consider its obligations under the Act before disclosing the information.

On a practical level, it is important that PR agencies consider privacy and personal information when entering into new agreements with their clients. In particular, consider the need for clauses that require clients to ensure that any information provided to the agency will comply with privacy laws.