SMEs need to know how to comply with laws that protect personal information. Here’s a guide to crucial clauses.
With the evolution of the information age and the constant development of new technologies that enable invasion of privacy on unprecedented levels, privacy law has become one of the fastest growing areas of the law.
Changes in privacy law have been the result of balancing different aspects of the public interest. On the one hand, there is the need to maintain an individual’s privacy; on the other, there is the need to allow legitimate uses and disclosures of personal information.
The Privacy Act 1988 (Cth) (Act) was significantly amended in December 2001 with wide-ranging implications for small to medium enterprises (SMEs). Prior to the amendments, the Act generally applied to public sector organisations. The amendments, based around 10 National Privacy Principles, extended the operation of the Act to apply to most private sector organisations.
The Act provides that an ‘organisation’ means an individual, a body corporate, a partnership, an unincorporated association, and a trust. However, the Act specifically excludes small business operators with an annual turnover of $3 million or less. This exclusion does not apply if the organisation trades in personal information, holds health records as a provider of health services, is a Commonwealth contracted service provider, is a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), or is related to a body corporate who is not a small business operator.
As the coverage of the Act extends to cover most private sector organisations when conducting business, it follows that most SMEs are required to comply with the Act.
Personal information is defined as: “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”.
Essentially any information that is capable of identifying a person is personal information, such as name, address, phone number, and bank account details.
Privacy Principles
The Act sets out minimum standards for privacy protection in 10 National Privacy Principles (NPPs). The NPPs regulate how private sector organisations must collect, use, disclose, and keep secure the personal information of clients and suppliers. They also give individuals the right to know what information an organisation holds about them, and the right to correct it.
The 10 NPPs are as follows:
Collection: NPP 1 requires that an organisation must only collect personal information if it is necessary for one or more of their functions and must take reasonable steps to ensure the individual is aware of, among other things, why their personal information has been collected, how it is to be used and stored, to whom it may be disclosed, and that the individual has a right of access.
An organisation may also only collect personal information about an individual from a third party with that individual’s consent.
A review of recent privacy case studies indicates that SMEs commonly fail to make individuals aware of how they deal with their personal information. This is particularly so where SMEs collect individuals’ personal information electronically through online websites.
Methods that SMEs can adopt to inform individuals about the collection of their personal information include adopting privacy statements; displaying privacy notices at their premises; for electronic collection, linking their website to information about how they handle personal information; and for over the phone collection, implementing automatic messages about how they handle personal information.
{mospagebreak}
Use and disclosure: NPP 2 regulates how organisations can use and disclose an individual’s personal information. A critical distinction is made between use and disclosure undertaken for the primary purpose of collection, and use and disclosure undertaken for some other secondary purpose.
Generally speaking, an organisation must not use or disclose an individual’s personal information for a purpose (secondary purpose) other than the primary purpose of collection, unless the individual has consented or the individual would reasonably expect the organisation to use or disclose their personal information for the secondary purpose.
Data quality: NPP 3 requires that an organisation take all reasonable steps to ensure that all personal information they collect, use or disclose is accurate, complete and up‑to-date.
What are considered to be reasonable steps will vary depending on the circumstances. Factors for SMEs to consider include whether the kinds of personal information collected are likely to change over time, how recently the personal information was collected, and who provided the personal information.
Data security: In NPP 4, an organisation must take reasonable steps to protect all personal information from loss, misuse and unauthorised access, modification or disclosure.
The types of security measures that SMEs could implement to comply with NPP 4 include physical security, such as preventing unauthorised entry to premises and locking filing cabinets that store paper-based personal information; computer and network security, such as preventing unauthorised access to networks, firewalls or secured login websites; communications security, such as protecting communications via data transmission, including email and voice, from interception; and personnel security, such as limiting access to personal information by authorised staff for approved purposes.
Openness: Under NPP 5, an organisation is required to make available on request a privacy policy setting out the organisation’s management of personal information it collects.
The privacy policy must set out whether the organisation is bound by the NPPs or by its own privacy code approved by the Federal Privacy Commissioner; any exemptions under the Act that apply to that organisation; how the organisation collects, uses and discloses personal information; and that the individual can obtain more information upon request concerning the organisation’s handling of personal information.
Access and correction: NPP 6 generally requires that an organisation must allow individuals to access and correct personal information held about them. This access may include inspecting records, taking notes, or the provision of photocopies or printouts.
There are limited situations where an individual can be prevented from accessing their personal information. These situations include if the information would breach another person’s privacy (however, where possible, offending information could be blacked out); if the information is a threat to the life or health of a person; where access would be unlawful; or where access would prejudice an organisation’s negotiations with the individual.
Identifiers: NPP 7 restricts an organisation’s use of government identifiers such as Medicare and tax file numbers.
Anonymity: Under NPP 8, an organisation must allow an individual to remain anonymous where reasonable and practicable.
Transborder data flows: NPP 9 requires that when transferring an individual’s personal information overseas, an organisation must ensure the individual has consented, that the recipient is legally or contractually bound to handle the information in accordance with requirements substantially similar to the NPPs, or that the transfer is for the benefit of the individual and it is impracticable to obtain the individual’s consent, which they would be likely to give.
{mospagebreak}
Sensitive informatio
n: NPP 10 places specific restrictions on an organisation when collecting sensitive information about race, religion, political and philosophical beliefs, and health.
Employee records exemption: in relation to employees, it is important to note personal information contained in employee records is not covered by the Act in certain circumstances.
The exemption provides that the Act does not apply to an act or practice relating to an employee record that is directly related to a current or former employment relationship.
An employee record means a record of personal information relating to the employment of the employee. The definition also includes the following items of information relating to:
- * health
- * engagement, training, disciplining or resignation
- * termination
- * terms and conditions
- * personal and emergency contact details
- * performance or conduct
- * hours of employment
- * salary or wages
- * membership of a professional or trade association
- * trade union membership
- * recreation leave, long service leave, personal leave, parental leave, or any other forms of leave
- * taxation, banking, and superannuation affairs.
SMEs are therefore not required to comply with the NPPs when the employee records exemption applies. However, SMEs in their capacity as employers are not entirely free from record-keeping and disclosure obligations. Under the Workplace Relations Regulations 2006 (Cth) employers must keep certain records that relate to their employees.
In addition, NSW employers must comply with the Workplace Surveillance Act 2005 (NSW) when monitoring employee internet and email use and it is likely that employers in other states will have to comply with similar legislation in the future.
Non-Compliance Consequences
If an individual considers an organisation has failed to comply with its privacy obligations, the individual may lodge a complaint with the Federal Privacy Commissioner.
Before lodging a complaint, the individual must first notify the organisation and give them an opportunity to respond (usually within 30 days). If the individual receives no response, or it is unsatisfactory, the complaint may then be lodged with the commissioner for investigation. The commissioner first attempts to resolve a complaint through conciliation.
The commissioner is empowered to make determinations to resolve privacy complaints. These determinations can be wide-ranging, including awarding compensation for damages suffered as a result of interference with the individual’s privacy–e.g., for lost benefits, pain suffered or embarrassment, or ordering the organisation to cease breaching the Act, or to take the necessary steps to remedy the damage suffered.
Such determinations are not legally binding on an organisation. A complainant who has a commission determination in their favour must seek enforcement proceedings in the federal or federal magistrates’ courts.
SMEs must therefore remain mindful of the serious practical implications resulting from complaints, including potentially adverse publicity and damage to reputation.
Considering the serious implications of breaches, it is important for SMEs to be aware of, and to adhere to, the Act and NPPs when handling personal information.
In complying, SMEs need to ensure that they have a privacy policy in place that adequately deals with the collection, storage, access, correction, and disclosure of personal information, and that individuals who deal with them are made aware of the privacy policy and their rights under the Act and the NPPs.
* Mark Dunphy is partner and Alison Baker is senior associate for Hall and Wilcox Lawyers. They can be reached at mark.dunphy@hallandwilcox.com.au and alison.baker@hallandwilcox.com.au
For more articles to make sure your business stays on the right side of the law, be sure to visit DYNAMICBUSINESS.com/legal
