SMEs need to know how to comply with laws that protect personal information. Here’s a guide to crucial clauses.
With the evolution of the information age and the constant development of new technologies that enable invasion of privacy on unprecedented levels, privacy law has become one of the fastest growing areas of the law.
Changes in privacy law have been the result of balancing different aspects of the public interest. On the one hand, there is the need to maintain an individual’s privacy; on the other, there is the need to allow legitimate uses and disclosures of personal information.
The Privacy Act 1988 (Cth) (Act) was significantly amended in December 2001 with wide-ranging implications for small to medium enterprises (SMEs). Prior to the amendments, the Act generally applied to public sector organisations. The amendments, based around 10 National Privacy Principles, extended the operation of the Act to apply to most private sector organisations.
The Act provides that an ‘organisation’ means an individual, a body corporate, a partnership, an unincorporated association, and a trust. However, the Act specifically excludes small business operators with an annual turnover of $3 million or less. This exclusion does not apply if the organisation trades in personal information, holds health records as a provider of health services, is a Commonwealth contracted service provider, is a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), or is related to a body corporate that is not a small business operator.
As the coverage of the Act extends to cover most private sector organisations when conducting business, it follows that most SMEs are required to comply with the Act.
Personal information is defined as: “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”.
Essentially any information that is capable of identifying a person is personal information, such as name, address, phone number, and bank account details.
Privacy Principles
The Act sets out minimum standards for privacy protection in 10 National Privacy Principles (NPPs). The NPPs regulate how private sector organisations must collect, use, disclose, and keep secure the personal information of clients and suppliers. They also give individuals the right to know what information an organisation holds about them, and the right to correct it.
The 10 NPPs are as follows:
Collection: NPP 1 requires that an organisation must only collect personal information if it is necessary for one or more of its functions, and must take reasonable steps to ensure the individual is aware of, among other things, why their personal information has been collected, how it is to be used and stored, to whom it may be disclosed, and that the individual has a right of access.
An organisation may also only collect personal information about an individual from a third party with that individual’s consent.
A review of recent privacy case studies indicates that SMEs commonly fail to make individuals aware of how they deal with their personal information. This is particularly so where SMEs collect individuals’ personal information electronically through online websites.
Methods that SMEs can adopt to inform individuals about the collection of their personal information include adopting privacy statements; displaying privacy notices at their premises; for electronic collection, linking their website to information about how they handle personal information; and for over-the-phone collection, implementing automated messages about how they handle personal information.