White SW Computer Law
Intellectual Property, Information Technology & Telecommunications Lawyers
Melbourne Office - PO Box 452, COLLINS STREET WEST Victoria 8007 Australia
Sydney Office - GPO Box 2506, SYDNEY New South Wales 2001 Australia
Telephone: Melbourne Office - +61 3 9629 3709 Sydney Office - +61 2 9233 2600
Facsimile: Melbourne Office - +61 3 9629 3217 Sydney Office - +61 2 9233 3044
Email: wcl@computerlaw.com.au Internet: http://www.computerlaw.com.au


Privacy Laws

The Privacy Act 1988 (Cth) (“the Privacy Act”) applies to Commonwealth government departments and agencies and the private sector.

The Privacy Act sets out, amongst other things:

  • The National Privacy Principles that apply to organisations. These principles deal with:
    • The way in which personal information is collected;
    • Storage and security of that information;
    • How that information can be used;
    • Access to personal information; and
    • Limits on the disclosure of personal information.
  • Guidelines relating to the use of tax file numbers;
  • Credit reporting rules.

The Privacy Act states that “personal information” means “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”

The National Privacy Principles (“NPPs”)

The NPPs set out the minimum privacy standards for organisations.

The Privacy Act defines an organisation as:

  • an individual;
  • a body corporate;
  • a partnership;
  • any other unincorporated association; or
  • a trust

that is not a small business operator, a registered political party, an agency (defined as a Commonwealth government body or authority), a State or Territory authority or a prescribed instrumentality of a State or Territory.

The Privacy Act defines a small business as a business with a turnover of less than $3 million per year.

An organisation must comply with either:

  • The NPPs; or
  • Their own privacy code that contains obligations that are at least equivalent to the NPPs and has been approved by the Privacy Commissioner.

The Complaint Process

If a person believes that you are in breach of one or more of the NPPs, they may lodge a complaint with the Privacy Commissioner.

The Privacy Commissioner will not usually investigate a complaint until it has first been formally raised with the person that is alleged to have breached the NPPs.

If this fails to resolve the matter, the Privacy Commissioner will investigate the complaint and attempt to negotiate a settlement between the parties.

The Privacy Commissioner may require the parties to attend a compulsory conference in order to either facilitate settlement or further investigate the matter.

After investigating the complaint the Privacy Commissioner may make a determination that:

  • The complaint be dismissed; or
  • That the complaint is substantiated and:
    • The organisation that breached the NPPs should not continue or repeat such conduct;
    • The organisation should take action to remedy the situation. This may include:
      • a written apology;
      • re-training staff;
      • changing procedures; or
      • amending or deleting personal information;
    • that the complainant is entitled to monetary compensation for loss or damage suffered (not as a penalty or a fine); or
    • that no further action should be taken in relation to the complaint.

Disclosing Information

You are required to keep a record of each disclosure made. You should record:

  • the date of the disclosure;
  • what was disclosed and to whom;
  • the reason for the disclosure; and
  • if a customer consents to a disclosure, you should request that they consent in writing and keep a copy of their consent with the record of disclosure.

Organisations that store personal information should ensure that they review their policies in relation to the storage and maintenance of such information and develop in-house policies as to how such information may be accessed and used.

All staff should be trained in the required procedures before the obligations under the Privacy Act come into effect, to ensure your organisation’s compliance.

This article is a guide only and should not be used as a substitute for proper legal advice. Readers should make their own enquiries and seek appropriate legal advice.

  © White SW Computer Law 1994-2019. ABN 94 669 684 644. All Rights Reserved.
  Liability limited by a scheme approved under Professional Standards Legislation
  For legal advice please email wcl@computerlaw.com.au