Privacy – Do I really need to worry about it?
20 Oct 17
There is a growing focus in the community on Privacy and personal information, and that will no doubt continue as data becomes an increasingly valuable commodity in big business. The Big Brother spectre is a real and growing perception, and business cannot afford to ignore the importance people place on the integrity of their privacy.
In keeping with this developing concern, the powers of the Privacy Commissioner are quite broad-sweeping, and the Commissioner has shown an increasing preparedness to act in respect of complaints, as well as to instigate his own investigations.
You might be surprised to learn that the Australian Privacy Commissioner recently worked with the Data Protection Commissioner of Ireland and the Office of the Privacy Commissioner of Canada, to investigate the consequences of a major data breach involving Adobe’s facilities in Ireland. Part of Adobe’s network in Ireland held some 1,700,000 records of Australian customers. The Australian Commissioner found that Adobe failed to take reasonable steps to protect all of the personal information it held.
It is therefore worth keeping in mind that, whilst you may be liable for damages and other penalties for breaching the Privacy Act, the damage to reputation and image in the market arising not just from the incident, but from the Privacy Commissioner’s publicised investigation and findings, may have a far greater effect on business, and a major effect on the bottom line.
So, who is obliged to comply with the Privacy Act 1988 (the “Act”)?
As a simple statement, the Act prohibits “interfering” with the privacy of an individual. It also specifically provides that “interfering” with an individual’s privacy occurs when conduct breaches an Australian Privacy Principle (the “APPs”, formerly known as the National Privacy Principles). The APPs are set out in Schedule 1 to the Act.
The next important questions are: What is “personal information”, and how does the Act affect those that collect and handle it?
Personal information is information or an opinion about an individual who can be identified, or who is reasonably identifiable. The truth or correctness of the information or opinion is not relevant. There is a sub-category of personal information called “sensitive information”, which is subject to more stringent controls under the Act. Sensitive information relates to race, ethnic origin, religious beliefs and related matters.
The principal obligations for the collection and handling of personal information are set out in the APPs. Some of the key obligations under the APPs are considered below.
You can only collect personal information where it is reasonably necessary for your activities, and you can only collect sensitive information with the consent of the individual concerned (APP3). Again, there are certain limited exceptions, and these need to be considered carefully before relying on them. You have to take reasonable steps to notify the individual of your organisation’s details, and the reasons you are collecting their personal information (APP5). Personal information may only be used for the purpose for which it was collected, unless consent is obtained from the individual (APP6), or one of the exceptions in APP6 is satisfied.
It is important to understand that the effect of the APPs extends beyond Australia. In order to disclose personal information outside of Australia, you must take reasonable steps to ensure the offshore recipient does not breach the APPs in respect of that information (APP8).
The Privacy obligations are not one-time-only responsibilities. Once collected, there are ongoing responsibilities to ensure the information is kept up to date, accurate and complete (APP10). You are also obliged to take reasonable steps to protect it (APP11). Under that same APP, where you hold personal information you no longer have an authorised use for, you cannot passively retain it – you have a positive obligation to destroy it or de-identify it.
There is a general obligation to provide individuals access to their personal information that you hold, with some exceptions (APP12). The final obligation under the APPs is to correct personal information you hold, where there is reason to suspect it is not correct or up to date (APP13).
You need to be sure you understand all of your obligations, and where there is any uncertainty, seek appropriate advice.
Guy Betar is a corporate/IT lawyer with more than 20 years’ experience and is a partner at Salvos Legal and can be contacted by email at email@example.com.