
Privacy – Do I really need to worry about it?

20 Oct 17

There is a growing focus in the community on Privacy and personal information, and that will no doubt continue as data becomes an increasingly valuable commodity in big business. The Big Brother spectre is a real and growing perception, and business cannot afford to ignore the importance people place on the integrity of their privacy.

In keeping with this developing concern, the powers of the Privacy Commissioner are broad, and the Commissioner has shown an increasing preparedness to act on complaints, as well as to instigate his own investigations.

You might be surprised to learn that the Australian Privacy Commissioner recently worked with the Data Protection Commissioner of Ireland and the Office of the Privacy Commissioner of Canada to investigate the consequences of a major data breach involving Adobe’s facilities in Ireland. Part of Adobe’s network in Ireland held some 1,700,000 records of Australian customers. The Australian Commissioner found that Adobe had failed to take reasonable steps to protect all of the personal information it held.

It is therefore worth keeping in mind that, whilst you may be liable for damages and other penalties for breaching the Privacy Act, the damage to reputation and image in the market arising not just from the incident itself, but from the Privacy Commissioner’s publicised investigation and findings, may have a far greater effect on the business, and a major effect on the bottom line.

So, who is obliged to comply with the Privacy Act 1988 (the “Act”)?

If your business collects personal information, and your annual turnover is greater than $3 million, then as a general rule you must comply with the Act’s requirements. Even if you are well aware of this general obligation, with the changes to the Act that took place in 2014, chances are you need to review your compliance and your privacy policy to ensure you are up to date. Organisations that are obliged to comply with the Act will certainly need to understand the most recent amendments to the Privacy Act imposing mandatory disclosure of data breaches, which will be the subject of a later article.

As a simple statement, the Act prohibits “interfering” with the privacy of an individual. It also specifically provides that “interfering” with an individual’s privacy occurs when conduct breaches an Australian Privacy Principle (the “APPs”, formerly known as the National Privacy Principles). The APPs are set out in Schedule 1 to the Act.

The next important questions are: What is “personal information”, and how does the Act affect those that collect and handle it?

Personal information is information or an opinion about an individual who is identified, or who is reasonably identifiable. Whether the information or opinion is true or correct is not relevant. There is a sub-category of personal information called “sensitive information”, which is subject to more stringent controls under the Act. Sensitive information covers matters such as race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, criminal record, and health, genetic and biometric information.

The principal obligations for the collection and handling of personal information are set out in the APPs. Some of the key obligations under the APPs are considered below.

In collecting and handling personal information, you have to take reasonable steps to ensure you can deal with inquiries and complaints. You also have to have an up-to-date, clearly expressed and readily available privacy policy. The APPs contain a list of specific matters that your privacy policy must cover (APP1).

You can only collect personal information where it is reasonably necessary for your activities, and you can only collect sensitive information with the consent of the individual concerned (APP3). Again, there are certain limited exceptions, and these need to be considered carefully before relying on them. You have to take reasonable steps to notify the individual of your organisation’s details and the purposes for which you are collecting their personal information (APP5). Personal information may only be used or disclosed for the purpose for which it was collected, unless consent is obtained from the individual or one of the exceptions in APP6 is satisfied (APP6).

It is important to understand that the effect of the APPs extends beyond Australia. Before disclosing personal information to a recipient outside Australia, you must take reasonable steps to ensure the offshore recipient does not breach the APPs in respect of that information, and you may remain accountable for the recipient’s handling of it (APP8).

Privacy obligations are not one-time-only responsibilities. Once information is collected, there are ongoing responsibilities to take reasonable steps to ensure it is accurate, up to date and complete (APP10). You are also obliged to take reasonable steps to protect it from misuse, interference, loss, and unauthorised access, modification or disclosure (APP11). Under that same APP, where you hold personal information you no longer need for any purpose for which you are permitted to use or disclose it, you cannot passively retain it: you have a positive obligation to destroy it or de-identify it, unless the information forms part of a Commonwealth record or you are required by law to retain it.

There is a general obligation to give individuals access to the personal information you hold about them, subject to some exceptions (APP12). The final obligation under the APPs is to take reasonable steps to correct personal information you hold where you are satisfied it is inaccurate, out of date, incomplete, irrelevant or misleading, or where the individual asks you to correct it (APP13).

You need to give time and resources to understanding your privacy responsibilities and ensuring you comply with them. A breach of the Act is serious enough in itself, and a failure to comply may have consequences well beyond it. Some safeguards worth considering: appoint an individual within your organisation who is responsible for privacy matters and compliance; conduct regular reviews of your compliance and your privacy policy; and keep an audit trail of those reviews. Those reviews should be clear about what personal information your organisation actually collects, who collects it, where it is held, who has access to it, and what is done with it.

You need to be sure you understand all of your obligations, and where there is any uncertainty, seek appropriate advice.

Guy Betar is a corporate/IT lawyer with more than 20 years’ experience and is a partner at Salvos Legal and can be contacted by email at guy.betar@salvoslegal.com.au.
