Private Sector Privacy Information Sheet
Privacy Act 1988– From 11 March 2014
The Privacy Act 1988 (Cth) regulates the handling, storage, use and disclosure of personal information by the Commonwealth government, its agencies and private organisations, which are referred to as APP entities in the Act. State and Territory privacy laws apply to State and Territory governments and local government/councils.
Privacy laws do not replace laws protecting “confidential information”, including statutory, contractual and equitable obligations for the protection and non-disclosure of confidential information.
What private sector organisations does the Privacy Act apply to?
The Privacy Act 1988 (Cth) (1) applies to the acts and practices of ‘organisations’ in the private sector, including individuals, corporations, partnerships, trusts, and unincorporated associations which are not exempt from the operation of the Act.
In summary the Privacy Act applies to the following private sector organisations (2):
a) Businesses with an annual turnover of $3 million or more.
b) Businesses with an annual turnover of less than $3 million which are related to organisations with an annual turnover of more than $3 million.
c) Health service providers or other organisations that hold health information (other than as an employee record).
d) Organisations that collect, disclose and provide personal information for a benefit, service or advantage.
e) Organisations that are contracted service providers to Commonwealth government contracts (whether or not a party to the contract).
f) Charitable and other not-for-profit organisations with a turnover of $3 million or more.
g) Unions with a turnover of more than $3 million or more.
h) Organisations that are credit report bodies.
A small business operator or a not-for-profit organisation with an annual turnover of under $3 million may opt-in to be covered by the Privacy Act by notifying the Office of the Australian Information Commissioner (OAIC) in writing (3). Opting-in may benefit small businesses/not-for-profit organisations who collect personal information by providing their clients confidence that their personal information will be protected by privacy laws.
What type of information is covered by the Privacy Act?
The Privacy Act applies to ‘personal’ and / or ‘sensitive’ information being collected by an organisation if the organisation collects it for inclusion in a ‘record‘ or ‘generally available publication‘.
‘Personal Information’ is defined in the Act as “information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not” (4) .
‘Sensitive information‘ is defined in the Privacy Act (5) as:
a) information or an opinion about an individual’s:
i. racial or ethnic origin; or
ii. political opinions; or
iii. membership of a political association; or
iv. religious beliefs or affiliations; or
v. philosophical beliefs; or
vi. membership of a professional or trade association; or
vii. membership of a trade union; or
viii. sexual preferences or practices; or
ix. criminal record;
that is also personal information;
b) health information about an individual; or
c) genetic information about an individual that is not otherwise personal information;
d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
e) biometric templates.
Biometric technology involves the use and storage of personal information, such as fingerprints or DNA, that is capable of verifying the identity of an individual. A ‘generally available publication’ is defined in the Privacy Act as a magazine, book, newspaper or other publication (however published) that is or will be generally available to members of the public. This definition covers documents published through both traditional means and electronic means. (6)
Examples of personal and/or sensitive information, which may be collected by private organisations include:
a) Employee records (including health records).
b) Health records.
c) Customer and supplier lists.
d) Customer financial information/credit reports.
e) Customer complaints.
f) Client details including personal information relating to treatments, services and products purchased.
g) Electronic databases recording transactions with individuals.
h) Research and development data and test results.
Application to acts and practices overseas
Where an Australian organisation deals with personal and/or sensitive information about Australians, the Privacy Act will apply to information held both within Australia and overseas.
Where Australian organisations send personal information about Australians to foreign organisations, they will also have to ensure that the foreign organisation complies with the Privacy Act.
Compliance
Non-exempt private sector organisations must comply with the ‘Australian Privacy Principles’ (“APP”) set out in the Privacy Act (7) or develop its own ‘Privacy Code’ to regulate the handling of personal information. Commencing on 12 March 2014, the APP replaced the National Privacy Principles (“NPP”) which continue to apply to privacy compliance and privacy breaches occurring during the period up to and including 11 March 2014.
The Australian Privacy Principles provide the legal framework which organisations must follow in handling of personal information. The APP are:
AAP1 – open and transparent management of Personal Information.
Organisations are required to implement and maintain practices, procedures and systems for ensuring compliance with the APP and dealing with inquiries or complaints from individuals about privacy compliance. Specifically, organisations must have an up to date APP privacy policy that complies with APP1. The organisations privacy practices, procedures, systems and policy must have regard to the organisations functions and activities.
APP2 –anonymity and pseudonymity
When dealing with individuals, organisations must give the individual the option of not identifying themselves or using a pseudonym. This requirement is subject to exceptions, namely, where it is impracticable for the organisation to deal with individuals who have not identified themselves or used a pseudonym or where there is a law, or court/tribunal order, to deal with persons who have identified themselves.
APP3- collection of solicited personal information
Organisations are only permitted to collect solicited personal information (other than sensitive information) from the individual that is reasonably necessary for one or more of its functions or activities. Sensitive information about an individual can only be collected with the consent of the individual and where the sensitive information is reasonably necessary for one or more of its functions or activities.
APP3 also contains restrictions on the collection of solicited personal information, including sensitive information about an individual from third parties.
APP4 – dealing with unsolicited information
APP4 sets out the procedures that an organisation must follow in dealing with personal information that it has received and that it has not solicited from the individual. The organisation has to determine whether or not it could have collected the personal information under APP3. If unsolicited information is of the type that could not have been collected by the organisation, it must be destroyed or de-identified provided that it is lawful and reasonable to do so.
APP5 – notification of collection of personal information
Organisations are required to notify or make individuals aware about personal information collected about them before or at the time of collection, or if this is not possible, as soon as practicable after collection. The notification must include the information set out in APP5 and extends to the APP privacy policy requirements contained in APP1.
APP6 – use or disclosure of personal information
Organisations can only use or disclose personal information collected about an individual for the purpose collected. Organisations must not use or disclose the information for another purpose unless the individual has consented or such use or disclosure comes within the permitted uses or disclosures as set out in APP6.
Organisations should also keep a written record of all use or disclosure of personal information.
APP6 does not apply to the use or disclosure of personal information for direct marketing by an organisation, which is covered by APP7.
APP7 – direct marketing
APP7 prohibits the use or disclosure of personal information for direct marketing subject to exceptions specified in APP7.
In summary, organisations can only use or disclose personal information(excluding sensitive information) for direct marketing if they have obtained the individual’s consent or the individual would reasonably expect the organisation to use or disclose the information for that purpose and the organisation provides a simple means by which the individual can request not to receive the direct marketing communications from the organisation and has not made the request to opt out.
Organisations can use and disclose sensitive information for direct marketing only with the written consent of the individual for that purpose.
APP7 prohibits organisations from charging individuals in dealing with requests not to receive direct marketing communications which use their personal information. APP7 also sets out procedures for dealing with such requests.
APP8 – cross-border disclosure of personal information
Before making any such disclosure, the organisation must take reasonable steps in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information to be disclosed or the proposed disclosure to the overseas entity must come within the exceptions set out in APP8.2.
From a practical and legal perspective APP 8 makes organisations accountable for ensuring that privacy of individual personal information is maintained for disclosure of personal information to entities located outside Australia.
Organisations using cloud computing or outsourcing data storage to entities located overseas need to do their due diligence, in respect of the oversea entity and local privacy law, to ensure compliance with the APP.
APP9 – adoption, use or disclosure of government related identifiers.
Organisations are prohibited from adopting, using or disclosing government related identifiers of an individual as the organisation’s own identifier of the individual unless authorised by law or a court/tribunal order or the exceptions in APP9 apply.
APP10 – quality of personal information
Organisations that collect personal information are required to take such steps that are reasonable in the circumstances to ensure that the personal information that is collected, used or disclosed is accurate, up to date and complete.
APP11 – security of personal information
Organisations that hold personal information are required to take steps that are reasonable in the circumstances to protect the information from misuse, interference, and loss, and from unauthorised access, modification and disclosure.
With storage of organisational data being in electronic databases on internal or external computer servers, the security of those servers from unauthorised access will continue to be a challenge for organisations. Organisations using cloud computing facilities will also have to ensure that those facilities have appropriate and adequate security to minimize the risk of unauthorised access to the facilities which could result in disclosure of personal information.
APP12 – access to personal information
Individuals have a right to access personal information held about them by organisations.
Unless one of the exceptions apply, the organisation must provide access to the personal information within a reasonable time after receiving the request. If access to the request is to be refused, the organisation must provide the individual with written notice of the refusal, the grounds for the refusal and the mechanism available to complain about the refusal. The grounds for refusal may include:
- Providing access could pose serious threat to life, health or safety of an individual or the public;
- Providing access would have an unreasonable impact on the privacy of other individuals;
- Information relates to existing or anticipated court proceedings and would not be accessible by discovery in those proceedings;
- Giving access would reveal the intention of the organisation in relation to negotiations with the individual which would prejudice those negotiations;
- Giving access to the information would be unlawful;
- Denying access is required or authorised by Australian law or a court/tribunal order;
- Giving access would be likely to prejudice the organisation taking appropriate action where the organisation suspects unlawful activity or serious misconduct that relates to its functions or activities;
- Giving access would reveal evaluative information generated within the organisation in connection with a sensitive decision making process.
Organisations can charge individuals a reasonable amount for giving access to the personal information held by them but not the cost associated with making the request.
APP13 – correction of personal information
APP13 requires organisations to correct personal information to ensure that it is accurate, up to date, complete, relevant and not misleading. Individuals have a right to request that personal information held by organisations to be corrected and for other organisations to whom the information has been disclosed to be notified of the correction.
APP13 sets out the procedure for dealing with requests for corrections of personal information and refusals of requests.
Effect of Non-Compliance
The Privacy Act gives the Privacy Commissioner the power to investigate complaints and issue determinations, which are enforceable by the Federal Court or the Federal Magistrates Court.
An organisation that develops its own Privacy Code, must appoint an independent adjudicator to investigate complaints and issue determinations. The Privacy Commissioner may be appointed as the independent adjudicator under a Privacy Code. The independent adjudicator has the same powers as the Privacy Commissioner to make determinations.The Privacy Commissioner or the independent adjudicator may make the following determinations that:
a) The respondent has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct;
b) The respondent make an appropriate correction, deletion or addition to a record;
c) The complainant is entitled to payment of compensation including amounts for injury to feelings or humiliation suffered;
d) The respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered.
The Commissioner may also seek civil penalties against the respondent in the case of serious or repeated breaches of privacy, and accept enforceable undertakings by the respondent. A maximum payment of 2000 penalty units ($340,000.00) for individuals or 10,000 penalty units ($1.7 million) for a body corporate may be ordered in civil proceedings (8).
Footnotes
- Privacy Amendment (Enhancing Privacy) Act 2012 (Cth), amended the Privacy Act 1988 (Cth).
- Privacy Act 1988(Cth) s 6D.
- Privacy Act 1988 (Cth) s 6EA.
- Privacy Act 1988 (Cth) s 6(1).
- Privacy Act 1988 (Cth) s 6(1).
- Privacy Act 1988 (Cth) s 6(1).
- Privacy Act 1988 (Cth), Schedule 1 – Australian Privacy Principles
- Privacy Act 1988 (Cth) s 80W (one penalty unit is equal to $170 pursuant to the Crimes Act 1914 (Cth) s 4AA)
For further information contact
Katarina Klaric | Principal
STEPHENS Lawyers & Consultants | Suite 205, 546 Collins Street, Melbourne VIC 3000 Australia
T + 61 3 8636 9100 | F + 61 3 8636 9199 | E [email protected]
PO Box 16010 Collins Street West VIC 8007 Australia
www.stephens.com.au
© Stephens-Klaric Legal Pty Ltd (ACN 117 672 376) trading as Stephens Lawyers & Consultants, 2014
***Please note that this list is not intended to be a comprehensive list for privacy compliance. The list provides you with guidelines for dealing with privacy compliance and what your business should do to comply. What is required for compliance will vary from business to business.