Introduction
Personal information is a vital part of every business. It facilitates transactions and forms the basis of business relationships. Proper management of personal information is key to customer confidence, trust and business reputation.
Understanding exactly what business information constitutes the regulated category "personal information", how different regulations impact different business functions and meeting obligations that apply to collection, management, disclosure, access, correction and de-identification can be complex and challenging. Below we outline our Top Ten privacy tips.
1. The scope of the law is wide. If the information can be associated with a natural person that you have previously dealt with, you hold regulated information.
The Privacy Act 1988 (Cth) (Privacy Act) is Australia's primary data protection legislation. The Privacy Act has the purpose of promoting the protection of "personal information" of individuals handled by an organisation or agency (an APP entity). "Personal information" is defined as "information or an opinion about an identified individual, or an individual who is reasonably identifiable". Personal information includes "sensitive information" which includes information and opinions about an individual's racial/ethnic origin, political opinions, religion, sexual orientation, criminal record and health information and biometric identifiers.
There is no requirement that the "personal information" be confidential or private.
The Privacy Act and the Australian Privacy Principles (APPs) contained in Schedule 1 to the Privacy Act set out requirements in respect of collection, use and disclosure of personal information , the documentation to be provided to individuals in connection with the collection of personal information, controls on cross-border transfers, a security obligation, an obligation to provide access and correction, and to maintain a system for handling of complaints.
2. You must have a privacy policy that reflects the actual practices of your business.
APP 1 requires an APP entity to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs and any binding registered APP code (see here), and to deal with related inquiries and complaints.
An APP entity must have a clearly expressed and up-to-date APP Privacy Policy specifying how it manages personal information. An APP entity must take reasonable steps to make its APP Privacy Policy available free of charge and in an appropriate form (usually on its website), and take reasonable steps to provide it in the particular form requested by a person or body.
An APP entity must not collect sensitive information about an individual unless the individual consents to the collection of the information and the information is reasonably necessary for one or more of the APP entity's functions or activities.
3. You have a duty to make sure data subjects are aware of certain matters around the time you collect their personal information
An APP entity that collects personal information about an individual must take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters, including:
(a) APP entity's identity and contact details; (b) fact and circumstances of collection; (c) whether the collection is required or authorised by law or a court/tribunal order; (d) purposes of collection; (e) main consequences if personal information is not collected by the APP entity; (f) entity's usual disclosures of personal information of the kind collected by the entity; (g) information about the entity's APP Privacy Policy, how an individual may access personal information in relation to the individual and seek any correction of such information; and (h) whether the APP entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.
An APP entity must take reasonable steps before, or at the time it collects personal information. If this is not practicable, reasonable steps must be taken as soon as practicable after collection.
4. Making personal information available offshore is usually a regulated event.
APP 8.1 requires that prior to disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information. Under section 16C of the Privacy Act, an APP entity that discloses personal information to an overseas recipient is strictly liable for any acts or practices of the overseas recipient in relation to the information that if done by the App entity, would breach the APPs.
The state of mind or intentions of the recipient does not affect the act of disclosure. Further, there can be a disclosure in the circumstances even where the information is already known to the overseas recipient.
APP 8.2 contains two primary exceptions to APP 8.1:
(a) if the party disclosing the data, reasonably believes that the recipient is subject to a law or binding scheme that has the effect of protecting the information to at least a substantially similar level to the APPs, and there are mechanisms that the individual can access in order to enforce that law or binding scheme; and (b) if the relevant individual expressly consents to the disclosure of their personal information to the overseas recipient after being informed that the APP entity will not be held liable for the actions of an overseas recipient with respect to that personal information.
5. You must comply with the regulatory framework if you want to do direct marketing.
APP 7 provides that an organisation must not use or disclose personal non-sensitive information for the purpose of direct marketing unless:
(a) the organisation collected the information from the individual; and (b) the individual would reasonably expect the organisation to use or disclose the information for direct marketing; and (c) the organisation makes it easy for the individual to request not to receive direct marketing communications and the individual has not made such a request to the organisation (APP 7.2).
If personal information is collected from a person other than the subject individual, consent is required for direct marketing. However, if it is impracticable to obtain consent, the use of the personal non-sensitive information for the purpose of direct marketing is permissible if:
(a) the organisation makes provision for the individual to easily request not to receive the direct marketing communication; and (b) each direct marketing communication includes a prominent statement that the individual may make a request not to receive the direct marketing communication; and (c) the individual has not made such a request (APP 7.3).
An organisation requires express consent to use or disclose sensitive information about an individual for the purpose of direct marketing (APP 7.4).
Note that compliance with the Spam Act 2003 (Cth) will also be relevant with regard to any electronic marketing. The Spam Act prohibits "unsolicited commercial electronic messages" with an "Australian link". Commercial electronic messages require an individual's consent (express or implied in certain circumstances), to contain accurate sender identification and a functional unsubscribe facility.
6. Personal information must be held securely
Organisations have legal duties to maintain the security of personal and business information. APP 11 requires organisations to take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure.
The Fair Work Act 2009 (Cth) (Fair Work Act) and Telecommunications Act 1997 (Cth) (Telecommunications Act) require organisations to only use or disclose personal or business information for the purpose in which it was obtained, or if it is authorised in accordance with the respective legislation.
The Australian Securities and Investments Commission (ASIC) has issued Report 429 Cyber Resilience Health Check detailing the importance of cyber security, including data security to good corporate governance.
The Australian Prudential Regulation Authority (APRA) has published a Prudential Practice Guide for financial institutions in relation to the management of security risk in information and information technology.
7. Personal information must be destroyed or de-identified if no longer needed
APP 11 requires organisations to take reasonable steps to destroy or de-identify personal information if it is no longer relevant to any purpose for which it may be used or disclosed, if it is not contained in a Commonwealth record, and the APP entity is not required to retain it under law. The most common fault in data audits is the failure to destroy information when it is no longer needed. APP entities should have a system to destroy, shred, de-identify, or an alternative system for destroying information once it is no longer relevant or useful.
8. There is not right to be forgotten in Australia but you must allow data subjects to access and correct the personal information you hold about them.
There is no right in the Privacy Act or APPs for personal information to be forgotten. However, there is the right to be informed when information is collected (APP 5), a right to find out the source of personal information used for direct marketing (APP7.7(b)) and a right to stop further use of personal information for direct marketing (7.7.(a)). There are no further rights for individuals once the personal information is destroyed.
9. Compliant organisations implement Privacy by Design
Privacy by Design (PbD) is an approach to privacy management that ensures privacy protections are built into practices, procedures and systems from the start. PbD comprises of a set of policies intended to integrate privacy considerations with the development of new technologies and IT systems. PbD aims to ensure privacy is considered at the beginning, and then across the entire information life cycle and in all business processes, planning, projects and priorities. PbD is an important strategy for both minimising and managing privacy risks. PbD is a methodology first developed by the Information and Privacy Commissioner of Ontario, Canada, comprising of seven Foundational Principles, which all APP entities should consider embedding into their Privacy Policy. PbD has been formally adopted in Victoria as a core policy.
10. The Privacy Act and information security obligations can be enforced
(a) The Privacy Act is enforced by the Privacy Commissioner Acting on his or her own initiative or in response to a complaint. The Privacy Commissioner can issue guidelines, register and vary codes of practice, seek enforceable undertakings and conduct prosecutions in the Federal Court or Federal Circuit Court to seek mandatory orders and or pecuniary penalties of up to $340,000 (non-corporate entities / individuals) and $1.7 million (corporations) (d) Unauthorised disclosure of credit reporting information about an individual by a credit reporting body can result in a $360,000 fine (section 20E of the Privacy Act); (e) "protected information" is information obtained from the use of a surveillance device, and unauthorised disclosure or use of protected information has a maximum penalty of 2 years imprisonment, unless the use endangers the health or safety of any person or prejudices the effective conduct of an investigation into a relevant offence (maximum penalty of 10 years imprisonment) (section 45 of the Surveillance Devices Act 2004 (Cth)); (f) 2 years imprisonment and/or an AUD 10,800 fine for carriers or carriage service providers (section 276 of the Telecommunications Act).
Conclusion
The Privacy Act imposes obligations of transparency and, in some circumstances, consent and user control over the collection, storage and use of personal information. Understood and anticipated the rules accommodate most business activities while allowing users to understand who has there information and how it is used. The key requirement is to anticipate the privacy consequences of particular projects and activities and build compliance into business systems and processes before they go live.
