Privacy and the Private Sector

By Desiree Baldacchino, Volunteer
with assistance from George Paramananthan, Solicitor

First published in ARTS+law, March 2002

The Privacy Amendment (Private Sector) Act 2000 came into effect in December 2001. It places restrictions on the way private sector organisations collect, use, keep, secure and disclose personal information. So, for the first time, the handling of personal information by many Australian businesses is subject to legislative regulation. As a result, it is important to consider whether these changes have any implications for your business.

What information is caught under the Act?

The changes are concerned with the protection of ‘personal information’. Personal information includes information and opinions about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. Whether the information is true is irrelevant, and so is how it is recorded. Personal information can be in any form, including text, images and computer or paper records, and includes details such as a person’s phone numbers, email and postal addresses, and marital status. It is important to note that even if what is collected does not explicitly identify an individual, it may still be ‘personal information’ if matching the data against other information held on file would identify the individual. This is often the case with information collected electronically over the web, where a record that carries no name can still be tied to a person through an email address, account number or other stored details.

Does the Private Sector Act apply to you?

The private sector provisions apply to ‘organisations’, which include incorporated and unincorporated bodies, as well as not-for-profit entities and co-operatives. ‘Small businesses’ (organisations with an annual turnover of $3 million or less) are exempt from the provisions. Certain acts and practices of media organisations, some practices concerning employee records, and the acts and practices of registered political parties are also exempt.

Despite these exemptions, the provisions will apply to small businesses where the small business:

  • is related to a business with an annual turnover of greater than $3 million;
  • is a contracted service provider for a Commonwealth contract; or
  • discloses personal information for benefit, service or advantage.

This means that if you sell, or gain some other advantage from trading in, the personal information you collect, then you will be subject to the new rules. Take, for example, the situation where you enter into a sponsorship arrangement with another company. As part of that deal, your customer list is passed on to the sponsor corporation for its own marketing purposes. You are now caught under the Act, irrespective of your annual turnover.

“Opting In”

Even if your small business is not covered by the Act, it may be good business practice to ‘opt in’ to the new privacy regime and be treated as an ‘organisation’. By doing so, you may give your customers greater confidence in your business, and thereby entice new customers to trade with you. You may also want to consider opting in if you currently fall within the small business exemption but think this may change in the near future, for example if you believe your business turnover may soon exceed the $3 million threshold. All that is required for a small business within the exemption to opt in (or, having opted in, to opt out again) is written notification to the Federal Privacy Commissioner. There are no fees for opting in or out of the system.

National privacy principles and your obligations

The Privacy Act now sets out minimum standards that organisations must comply with when collecting, using and disclosing personal information. These standards are called the National Privacy Principles (NPPs) and apply to private sector organisations that do not have their own approved privacy code.

The ten NPPs are:

  1. Collection: Organisations must only collect personal information that is necessary for their activities, and must take reasonable steps to make individuals aware of who is collecting the information, why it is being collected and to whom it is usually disclosed. For example, collecting details like a residential address and contact phone number will be allowed where you are in the business of providing a door-to-door service. However, collecting information like shoe size or the frequency of overseas vacations would not be allowed if you are an art gallery, because it is not necessary for your activities. The information must also be collected fairly, lawfully and in a way that is not unreasonably intrusive.
  2. Use and Disclosure: Organisations cannot use or disclose personal information about an individual for a purpose other than the one for which it was collected, unless the secondary purpose is related to the original purpose and the individual would reasonably expect it, or the individual has consented. For example, you could use information collected via a subscription form to compile an invitation list for your business’s end-of-year drinks. However, you cannot use this information to promote another business unless your subscribers have consented, which is most easily obtained at the time the information is collected.
  3. Data quality: Organisations must take reasonable steps to ensure that the personal information they hold is accurate, complete and up to date. In practice, this means periodically asking subscribers to confirm that the details held on your files are correct.
  4. Data security: Your organisation must take reasonable steps to protect the personal information it holds from misuse and loss, and from unauthorised access, modification or disclosure. Reasonable steps must also be taken to destroy or permanently de-identify personal information when it is no longer required, for example by pulping or shredding paper records.
  5. Openness: There must be a clear, documented policy on the management of personal information within your organisation, and a copy of the policy must be freely available to anyone who asks for it.
  6. Access and correction: Individuals must be given access to the personal information held about them without having to give reasons. You cannot charge a fee for lodging a request for access, and any fee your organisation charges for providing the information must not be excessive. If an individual can establish that your records about them are incorrect, you must take reasonable steps to correct the information or, if you and the individual cannot agree, attach a statement recording their view. If, for example, the information is inaccessible and not in use, destroying it rather than correcting it may be more appropriate. If you deny anyone access, or refuse to correct personal information held about them, you must give them reasons for this.
  7. Identifiers: To prevent the matching of records across organisations, your organisation cannot adopt as its own identifier for an individual an identifier assigned to that individual by a government agency, such as their tax file number or Medicare number. You should have your own means of identifying files.
  8. Anonymity: Wherever it is lawful and practicable, organisations must give individuals the option of not identifying themselves when entering into transactions. Inconvenience or administrative burden alone is not a sufficient reason to refuse a request for anonymity.
  9. Transborder data flows: Personal information may only be transferred to someone in a foreign country if, among other things, the recipient is bound by privacy laws or contractual obligations substantially similar to the NPPs, or the individual has consented to the transfer.
  10. Sensitive information: Organisations cannot collect sensitive information, including information about a person’s health, racial or ethnic origin, political opinions, religious beliefs or sexual preferences, unless the individual has given prior consent. This information would also have to be necessary for your organisation’s activities (see Collection, above). For example, information on a person’s ethnic origin, collected primarily for internal statistical purposes, cannot be collected without consent.

Breach and enforcement

In most situations where someone is complaining that their privacy has been breached, they should make the initial complaint to the organisation itself. Complaints can also be made to the Federal Privacy Commissioner.

The Federal Privacy Commissioner has broad powers to investigate alleged breaches and enforce the new provisions of the Privacy Act. Where the Federal Privacy Commissioner finds that the privacy of an individual has been interfered with, the Commissioner can determine that the organisation must:

  • pay compensation to the complainant for any loss or damage suffered, including injury to the complainant’s feelings or humiliation;
  • not repeat or continue the conduct complained of; and
  • do a specific act to redress the loss (for example, provide access to information or publish an apology).


But, despite all these possible penalties, perhaps the most damaging penalty to any business is the negative publicity that is likely to follow a highly publicised complaint.

Further information

The purpose of this article is to provide general information about privacy and the private sector. The issues surrounding these new developments in the Act can be complex and will require consideration on a case-by-case basis. If more information is required on how the law applies to a particular situation, please contact the Arts Law Centre of Australia or the Office of the Federal Privacy Commissioner on 1300 363 992.

An earlier article on the Privacy Act amendments appeared in Arts Law's newsletter ART+law, September 2000.