Preventing Privacy Problems: Collecting and Using Personal Information

There are many instances in day-to-day business where personal information is provided, disclosed, used, reused, and sometimes even repackaged. Most businesses encounter some form of personal information, whether you collect your client's information through your website or use data to provide a service or product. Sometimes data is exchanged even when it is ancillary to a business, and you might not even realise personal information is being exchanged. Internally, your business will also hold personal information relating to your employees.

There are rules with which you may be required to comply to protect the privacy of your clients, employees and any other third parties. When handling personal information in both the public and private sectors, businesses have a legal obligation to protect that information. It is important that your business is aware of these legal obligations so as to prevent potential breaches from arising.

Because of all of the regulation around privacy and the heavy international focus on privacy protection, it is vital that Australian businesses promote a culture of privacy compliance. Below we provide a rundown of your privacy obligations and some “do’s” and “don’ts” to make sure your business complies with its legal obligations. 

What legislation governs personal information?

The Privacy Act 1988 (Cth) (“PA”) is the federal legislation that governs personal information. Schedule 1 to the PA outlines the Australian Privacy Principles (“APP”) which provide how personal information is to be handled, used and managed. We discuss this in detail below.

Each state and territory also has its own legislation which governs how information is used in state and territory agencies and other bodies. However, Western Australia and South Australia do not have their own privacy legislation. These two states use a piecemeal approach, in that each agency or organisation will have its own legislation that addresses privacy, for example freedom of information provisions included in legislation.

Does the PA apply to me?

You must comply with the PA if your business has an annual turnover of over $3 million.

If your business has an annual turnover of less than $3 million, you may still have responsibilities under the PA if you:

  • are a private health service provider;
  • sell or purchase personal information;
  • contract services to the Australian government, a department or agency;
  • are a credit provider/credit reporting body; and
  • are a residential tenancy database operator.

Even if the PA does not apply to you, the strong culture and focus on privacy in recent years has created an expectation in consumers that the privacy of their personal information is rigorously protected. This means that even if the PA does not strictly apply to you, it can be used as best-practice guidance for running your business and can reflect positively on your business reputation.

What is personal information?

The PA differentiates between different categories of information requiring different levels of protection:

  • Personal information: information or an opinion about an identified individual or an individual who is reasonably identifiable. Examples of personal information include a name, address, bank account, employment details and photos.
  • Sensitive information: information that attracts a higher level of protection under the PA due to the nature of the information. This includes information about an individual's racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record.
  • De-identified information: anonymised or pseudonymised data that does not identify the individual. The PA does not apply to de-identified information, and such information can be shared.

What are the APPs?

The APPs are principles-based laws. This gives a business the flexibility to tailor its personal information handling practices to suit its individual requirements. The APPs are deliberately technology neutral, which allows them to adapt to changing technologies over time. A summary of the APPs is below:

1. Open and transparent management of personal information

  • Reasonable steps must be taken to implement practices, procedures and systems that ensure compliance with the APP and enable the entity to deal with inquiries and complaints regarding compliance
  • Organisations should have a clearly expressed APP privacy policy

2. Anonymity and pseudonymity

  • Individuals must have the option of not identifying themselves or using a pseudonym

3. Collection of solicited personal information

  • Organisations must not collect personal information unless the information is reasonably necessary for one or more of its functions or activities
  • The collection of personal information must be by lawful and fair means
  • The information must only be collected from the individual, unless an exception applies
  • Where the personal information is sensitive as well, the organisation must not collect it unless the individual consents or there is an exemption by a court order

4. Dealing with unsolicited personal information

  • If an organisation receives personal information and the organisation did not solicit the information, it must make a determination on whether it would have been able to solicit the information under APP 3
  • If the organisation determines that it could not have solicited the information, then it must destroy the information or ensure it is de-identified

5. Use or disclosure of personal information

  • If an organisation holds personal information about an individual that was collected for a particular purpose, the organisation must not use or disclose this information for another purpose
  • The exceptions to this APP include if an individual consents or if the organisation is required to disclose under a court order

6. Direct marketing

  • If an organisation holds personal information about an individual, it must not use or disclose this information for the purpose of direct marketing unless the individual consents

7. Cross-border disclosure of personal information

  • Before an organisation discloses personal information about an individual to a person or organisation that is not in Australia, the organisation must take reasonable steps to ensure the overseas recipient of the information does not breach the APPs

8. Adoption, use or disclosure of government related matters

  • An organisation must not adopt a government-related identifier, for example a tax file number, as its own identifier
  • The exception to this APP is where this is authorised or required under a court order

9. Quality of personal information

  • An organisation must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, up to date and complete

10. Security of personal information

  • An organisation must take reasonable steps to protect the personal information it holds from misuse, interference, loss, unauthorised access, modification or disclosure

11. Access to personal information

  • If an organisation holds personal information about an individual, that individual can request the organisation to give the individual access to the information
  • The exception to this APP being where the organisation believes that giving access would pose a serious threat to the life, health or safety of any individual

12. Correction of personal information

  • If an organisation holds personal information about an individual and believes the information to be inaccurate, out of date, incomplete, irrelevant or misleading, it must take reasonable steps to correct the information
  • This also applies in the situation where the individual, whose personal information the organisation holds, requests the organisation to correct the information

What can I do with a person’s data? Can I buy or sell personal information?

If you pass on personal information for a payment or some other sort of benefit (for example a discount or premium services), you will fall under the definition of "trading in personal information" under the PA and will be classed as an APP entity.

However, if you obtain consent from the individuals to sell their personal information, you may not be required to comply with the APPs.

What are some other protections for the collection of data?

The Spam Act 2003 (Cth) states that a commercial electronic message with an Australian link may not be sent without the addressee’s consent. The message must include clear and accurate information about the person or business that is responsible for sending the message and it must include a function to unsubscribe.

Another example is the "Do Not Call" Register, which provides that marketers are prohibited from calling the numbers on the Register except where the recipients have expressly consented to receiving such calls.

Are there any special sectors which are subject to additional provisions?

  • Health sector: PA provides additional requirements for handling health information
  • Financial sector: financial services providers will be subject to enforceable Australian Prudential Regulation Authority prudential standards and influenced by the APRA practice guides
  • Telecommunications sector: Telecommunications Act 1997 (Cth) and Telecommunications (Interception and Access) Act 1979 (Cth) both impose a number of specific data retention and data security requirements on carriers, carriage service providers and others

How does the legislation monitor personal information that is sent outside of Australia?

An organisation or entity must have a clear APP privacy policy about how they manage personal information and this should include whether they are likely to disclose personal information to overseas recipients and if so, which countries. An organisation is obligated under the APPs to take reasonable steps to notify the individual whose information they are gathering that their personal information may be disclosed to specified countries.

Organisations that wish to disclose personal information to an organisation outside Australia have three steps they need to take:

  • Take reasonable steps to ensure that the overseas recipient will not breach the APPs
  • Have a reasonable belief that the overseas recipient is subject to laws substantially similar to the APPs and that the relevant individual may enforce those laws
  • Obtain informed consent from the relevant individual by making it known that the APPs will not apply to the disclosure of the information

Organisations should remember that where personal information is disclosed to an overseas recipient, the organisation remains accountable for any acts or practices of that overseas recipient in relation to the personal information it disclosed.

What happens if there is a breach of an APP?

A breach constitutes an “interference with the privacy of an individual” and can lead to regulatory action and penalties.

Anthony Bekker