Privacy Act (cth)

The Privacy Act 1988 (Commonwealth) ["Act"], generally regulates the use and handling of personal information including credit reports, tax file numbers and in public sector organisations.

In 2001 the Act was amended to protedt personal infoprmation of individuals in the possession of private sector organisations.

The Act defines "personal information" basically as information or an opinion, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

National Privacy Principles

The NPPs provide the following obligations:-

1: Collection. An organisation must not collect personal information unless the information is necessary for one or more of its activities.

 2: Use and disclosure. An organisation must not use or disclose personal information about an

individual for a purpose other than the primary purpose of collection.

 3: Data quality. An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

 4: Data security. An organisation must take reasonable steps to protect the personal information it holds. It must destroy or permanently de-identify personal information if it is no longer needed for any purpose.

 5: Openness. An organisation must set out clearly its policies on management of personal information. It

must also let the person know, generally, what sort of  personal information it holds, for what purposes and how it collects, holds, uses and discloses that

information.

 6: Access and correction. An organisation must allow individuals access to the personal information on request. It must correct the information if it is not accurate, complete or up-to-date.

 7: Identifiers. An organisation must not adopt, as its own identifiers, identifiers used by government

agencies (for example, pension numbers, drivers licence numbers or Medicare numbers).

 8: Anonymity. Where it is lawful and practicable, individuals must have the option of not identifying

themselves when entering into transactions with an organisation.

 9: Transborder data flows. There are only limited circumstances in which an organisation may transfer

personal information to someone (other than the organisation or the individual) who is in a foreign country).

 10: Sensitive information. An organisation must not collect sensitive personal information except in

certain situations. Sensitive information includes information about race, political opinion, membership of certain associations, criminal records, and so on.

These are effectively the "core" principles with which all private sector organisations subject to the Act will be required to comply.

The National Privacy Principle Guidelines contain clarification of the Principles.

Exceptions

The Act provides certain exceptions to the general rule regarding interferences with personal information. This means certain kinds of interferences will not offend the new provisions.

The exceptions include:-

(a) Related bodies corporate (as defined under the Corporations Law) may share personal information

providing the related entity complies with the NPPs or a binding privacy code.

(b) Partnerships. Personal information can be shared when a partnership is dissolved and re-formed,

insofar as that is necessary for the new partnership to hold the information immediately after its formation.

(c) Extra-territorial acts. An act or practice of an organisation outside Australia will not be an interference with privacy if required by an applicable law of a foreign country.

(d) Personal, family and household affairs. An act or practice of an individual is exempt if it is done other

than in the course of a business (i.e. in the individual's personal, family or household affairs).

(e) Commonwealth contracts. If an organisation would be entitled to the small business exemption but for it

being a contracted service provider for a Commonwealth contract, it need only comply with the Act in relation to its activities which are for the

purposes of that contract.

(f) Employee records. Acts and practices done by an employer in relation to employee records are generally exempt. Employee records may include personal details, recruitment and termination information, employment terms and conditions, and health and banking information.

(g) Journalism. Acts and practices of media organisations in relation to personal information, done in the course of journalism, are generally exempt.

(h) State contracts. Acts or practices in relation to personal information under a contract with a State

or Territory authority are generally exempt.

(i) Political acts and practices. Acts and practices of

politicians and persons who work for registered political parties, in respect of elections, referendums and the political process, are generally exempt.

(j) Existing databases. A limited privacy regime applies for personal information collected before the Act commences. Effectively, NPPs that deal with collection, use, disclosure, right of access and correction will not apply to information collected

before the commencement of the Act.

(k) Public registers. The Act and Act do not regulate information contained in public registers.

Issues not covered by the Act

The Act affects privacy of personal information. It does not, however, affect privacy in relation to (for example):

(a) communications and surveillance -

listening devices, phone tapping and interception, email monitoring, video surveillance, etc;

(b) territorial privacy - unlawful entry into buildings and dwellings, home invasion, etc; and

(c) personal privacy - blood testing, body searches, media reporting, etc.

Direct marketing

Personal information may only be used or disclosed for the secondary purpose of marketing where:

(a) it is impracticable to seek the individual's consent - notably, "impracticable" is not defined or explained

in the Act or the explanatory memorandum to the Act;

(b) the organisation gives the individual an express opportunity to opt out of direct marketing communications at no charge; and

(c) the individual has not already asked to be excluded from direct marketing.

In terms of direct marketing by email, organisations must give customers the option to opt out.

Privacy on the internet

Online businesses (like other business) must do the following things:-

(a) collect personal information only if it is "necessary" for one or more of the organisation's functions or activities - in other words, the information may only be collected if the organisation cannot in practice effectively pursue a legitimate function or activity without it;

(b) collect personal information only by lawful and fair means - this requires that it be collected without

intimidation or deception;

(c) disclose the following matters at or before the time of collection (or, if that is not practicable, as soon

as practicable after):

(i) the identity of the organisation and how to contact it;

(ii) the fact that the person giving the information is able to gain access to it;

(iii) the purposes for which the information is collected;

(iv) to whom the organisation usually discloses information of that kind;

(v) any law that requires the particular information to be collected; and

(vi) the main consequences (if any) for the individual if all or part of the information is not provided; and

(d) take reasonable steps to ensure that the person giving the information is or has been made aware of the matters listed in the preceding point (c).

Compliance

Compliance may involve such things as:

(a) updating data collection and record systems so that proper procedures are followed (i.e. procedures

which accord the applicable privacy principles);

(b) introducing systems for checking, updating and evaluating records which contain personal information, so that information remains accurate and up-to-date;

(c) ensuring there are systems in place which notify people about their rights (and obligations) under the

applicable privacy principles (such as to access and correct certain personal information);

(d) securing manual and computerised files which store personal information, so they are protected from such things as unauthorised access and environmental conditions which may affect the accuracy of the documents (e.g., in the case of electronic files, electric power surges, temperature variations, and so on);

(e) updating computer software systems to provide greater security, proper notifications/warnings, and protection from unauthorised access;

(f) training management and staff in applicable privacy principles and protocols;

(g) preparing and/or signing on to approved privacy codes in relevant industries; and

(h) advertising compliance with applicable privacy principles to staff, customers and (if necessary) the

public at large so as to ensure continued confidence in systems for collecting and handling personal information.