What can I do if a company shares my information without my permission?

In Plain English

If a company shares your personal information without your permission, your options depend on the specific circumstances and the type of information shared.

If the company is using your information for direct marketing without your consent, you can request them to stop sending you these communications and to provide you with the source of your information. They must comply with your request within a reasonable timeframe and free of charge.

If a data breach occurs, and your personal information is involved, the company is required to assess the situation and notify you and the Australian Information Commissioner if the breach is likely to result in serious harm. The Privacy Act 1988 outlines the obligations of organizations in handling personal information, including how they should respond to data breaches.

You can also make a complaint to the National Data Commissioner if you believe an entity has breached the Data Availability and Transparency Act 2022 or a data sharing agreement.

Detailed Explanation

Several pieces of legislation address the unauthorized sharing of personal information:

1. Australian Privacy Principles (APPs) under the Privacy Act 1988:
   • APP 7 deals specifically with direct marketing. Generally, an organization must not use or disclose personal information for direct marketing purposes (Privacy Act 1988, subclause 7.1). However, there are exceptions. For example, an organisation can use your personal information for direct marketing if they collected the information from you, and you would reasonably expect them to use it for that purpose, and they provide a simple way for you to opt out (Privacy Act 1988, subclause 7.2).
   • Opting Out: If an organisation uses your personal information for direct marketing, you can request not to receive direct marketing communications, request the organisation not to use or disclose the information for direct marketing, and request the organisation to provide its source of the information (Privacy Act 1988, subclause 7.6). The organisation must not charge you for making the request and must comply within a reasonable period (Privacy Act 1988, subclause 7.7).
   • Exceptions: Note that APP 7 does not apply to the extent that the Do Not Call Register Act 2006, the Spam Act 2003, or any other prescribed Act applies (Privacy Act 1988, subclause 7.8).
2. Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988:
   • If an entity is aware of reasonable grounds to believe there has been an eligible data breach (unauthorised access, disclosure, or loss of personal information likely to result in serious harm), the entity must conduct a reasonable and expeditious assessment (Privacy Amendment (Notifiable Data Breaches) Act 2017, section 26WH).
   • If the entity believes there has been an eligible data breach, it must prepare a statement with specific details and provide a copy to the Commissioner (Privacy Amendment (Notifiable Data Breaches) Act 2017, section 26WK). The statement must include the identity and contact details of the entity, a description of the breach, the kind of information concerned, and recommendations for individuals to take in response (Privacy Amendment (Notifiable Data Breaches) Act 2017, subsection 26WK(3)).
   • The entity must also notify the contents of the statement to each individual to whom the information relates or those at risk from the breach, if practicable (Privacy Amendment (Notifiable Data Breaches) Act 2017, section 26WL).
3. Consumer Data Right (CDR) under the Competition and Consumer Act 2010:
   • The CDR gives consumers rights regarding their data, particularly in designated sectors of the economy (Competition and Consumer Act 2010, section 56AA).
   • For joint accounts, data holders must provide a disclosure option management service, allowing joint account holders to manage data sharing preferences. Data holders must notify other joint account holders of changes to disclosure options (Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021, Schedule 4, item 14).
4. Data Sharing under the Data Availability and Transparency Act 2022:
   • This Act regulates the sharing of data by Commonwealth bodies for specific data sharing purposes, such as delivery of government services, informing government policy, and research and development (Data Availability and Transparency Act 2022, section 15).
   • The Data Availability and Transparency Code 2022 outlines requirements for consent when sharing personal information under this Act. Consent must be voluntary, specific, current, and the individual must be adequately informed (Data Availability and Transparency Code 2022, section 17).
   • Individuals can make complaints to the National Data Commissioner regarding alleged breaches of this Act or data sharing agreements (Data Availability and Transparency Act 2022, section 88).