The handling of personal information in Australia is governed by legislation at both a federal and state/territory level.
At a federal level, the Privacy Act 1988 (Cth) (Privacy Act) governs the way in which business entities and federal government agencies must handle personal information, largely through the 13 Australian Privacy Principles (APPs) set out within the Privacy Act.
‘Personal information’ is defined by the Privacy Act as:
State and territory government agencies must comply with the relevant state or territory based privacy legislation.
Entities handling personal information in Australia must also be aware of their obligations under:
The Privacy Act imposes obligations on ‘APP entities’.
An APP entity is, generally speaking:
An APP entity does not include:
However, a small business operator will be deemed to be an APP entity, and will therefore be required to comply with the Privacy Act, if it:
The key features of the Privacy Act include:
Accordingly, APP entities must be aware of the full scope of the obligations imposed upon them according to the nature of their business activities.
APP 1 requires an APP entity to implement privacy practices, procedures and systems:
It also requires them to develop and make readily available a policy about its management of personal information.
APP 2 entitles individuals to the option of anonymity or using a pseudonym, when dealing with an APP entity, except where impracticable or another prescribed exception applies.
APP 3, in summary:
APP 4 requires an APP entity that receives unsolicited personal information to determine whether it would otherwise have had grounds on which to collect it (i.e. under APP 3) and:
APP 5 requires an APP entity to notify an individual (or ensure they are aware), at or before the time of collection, of prescribed matters. Such matters include but are not limited to whether the individual’s personal information is collected from any third parties, the purpose(s) of collection, to whom personal information is disclosed and the processes through which an individual can seek access and/or correction to their personal information, or otherwise complain about the way in which it is handled.
Compliance with APP 5 usually requires ‘collection statements’ to be included on or with forms, or other materials, through which personal information is collected. Such statements should refer, and include a link, to the APP entity’s privacy policy.
APP 6 prohibits an APP entity from using or disclosing personal information for a purpose other than the purpose for which it was collected, unless the individual consents, the individual would reasonably expect their personal information to be used for the secondary purpose, or another prescribed exception applies.
Such prescribed exceptions generally arise where the disclosure is necessary to protect someone’s health or safety or is otherwise in the public interest.
APP 7 generally prohibits personal information from being used for direct marketing purposes unless the individual reasonably expects it, or consents to it, and prescribed ‘opt out’ processes are in place through which the individual can elect not to receive direct marketing communications (and the individual has not opted out).
If an APP entity is to disclose personal information to an overseas recipient, APP 8 requires it to take reasonable steps to ensure the recipient does not breach the APPs. This usually requires the APP entity to impose contractual obligations on the recipient.
Relevantly, if the overseas recipient does breach the APPs, the Privacy Act imposes liability on the APP entity that made the overseas disclosure.
There are exceptions to this obligation, including but not limited to where:
APP 9 prohibits an APP entity from adopting, using or disclosing a government-related identifier unless:
Government-related identifiers are identifiers that have been assigned by a government agency including an individual’s licence number, Medicare number, passport number and tax file number.
APP 10 requires an APP entity to take reasonable steps to ensure personal information it collects, uses, discloses and holds is accurate, up-to-date and complete. Additionally, personal information can only be used or disclosed to the extent to which it is relevant to the purpose of the use or disclosure.
APP 11 requires an APP entity to take reasonable steps to protect information from misuse, interference and loss and from unauthorised access, modification or disclosure.
An APP entity must also destroy or de-identify personal information it no longer requires (unless otherwise required to retain it by law).
APP 12 requires an APP entity to provide an individual, upon request, with access to their personal information unless a prescribed exception applies.
APP 13 requires an APP entity to take reasonable steps to correct personal information it holds upon request from an individual for correction or where it is otherwise satisfied, having regard to the purpose for which it holds the personal information, that the personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
If an APP entity refuses a request for correction, it needs to provide the individual with the reasons for the refusal and may be required to associate with the personal information a statement evidencing the individual’s view that the information is incorrect.
Where correction does occur, the APP entity may need to notify third parties to which the personal information, in its incorrect form, was disclosed.
The Privacy Act generally affords a higher level of protection to ‘sensitive information’, given that mishandling it can generally have a more detrimental impact on the relevant individual.
‘Sensitive information’ is defined under the Privacy Act and includes information about an individual’s racial or ethnic origin, political opinions, professional or political or religious affiliations or memberships, sexual orientation or practices, criminal record, health, genetics and/or biometrics.
As an example, APP 3, which deals with the collection of solicited personal information, prohibits (with some exceptions) the collection of sensitive information unless the individual to whom it relates consents to the collection and the information is reasonably necessary for the collecting entity’s functions or activities.
The collection of non-sensitive information is otherwise generally permitted where it is reasonably necessary for the collecting entity’s legitimate functions or activities.
An entity operating outside Australia will still have obligations under the Privacy Act if the entity has ‘an Australian link’. An entity will have an Australian link for the purposes of the Privacy Act if, generally speaking, the entity was formed in Australia, has its central management and control in Australia, or is otherwise carrying on a business and collects or holds personal information in Australia.
This expands the reach of the Privacy Act to overseas entities, or Australian subsidiaries of overseas entities, who are engaging in business-related acts within Australia, even if the business is otherwise predominantly conducted outside of Australia.
The Australian Information Commissioner has also pointed to specific indicators that an entity is carrying on a business within Australia, including where an entity has an agent or agents within Australia, websites offering goods or services to Australia, purchase orders being actioned within Australia, or personal information being collected from a person who is physically in Australia.
If an APP entity is found to have engaged in a serious, or repeated, interference with an individual’s privacy, the APP entity may face penalties of up to:
An APP entity will interfere with an individual’s privacy if (among other things) it:
Generally, related bodies corporate can share personal information, provided they comply with the APPs and any applicable APP code. Where personal information is disclosed from one related body corporate to another, the Privacy Act requires the personal information to be handled (by the related body corporate to which it is disclosed) in accordance with the purpose for which it was initially collected (by the related body corporate from which it is disclosed).
Employee information is, generally speaking, excluded from the ambit of the Privacy Act.
Specifically, where an employer engages in an act or a practice that is directly related to:
An ‘employee record’ refers to a record of personal information relating to the employment of the employee. This includes, but is not limited to, health information about the employee and/or personal information about discipline, resignation, termination, terms of employment, personal contact details, wages or salary, performance or conduct, periods of leave and/or memberships of professional bodies.
Accordingly, employers need not comply with the Privacy Act and the APPs to the extent they are dealing with an employee record in a manner that is directly related to the employment relationship.
This does not mean, however, that employers can handle personal information about their employees with general disregard. Where the personal information does not fall within the employee records exemption (i.e. the personal information is not an employee record, or the employer’s act or practice is unrelated to the employment relationship), compliance with the Privacy Act will be required.
Specifically, compliance with the Privacy Act is required with respect to:
Additionally, employee information is likely to be subject to common law obligations of confidentiality and, in some states, health records legislation.
The employee records exemption has also been marked for possible repeal in the future, which would result in employers having to handle employee information in accordance with the Privacy Act.
The credit reporting provisions of the Privacy Act and the CR Code set out the ways in which entities are to handle credit-related personal information.
The credit reporting provisions of the Privacy Act are long and complex and impose obligations and prohibitions on credit reporting bodies and credit providers (and agents of credit providers).
An entity captured by the credit reporting provisions is required to take steps (often in addition to those set out in the APPs) to ensure compliance with the Privacy Act. Such obligations include, in some circumstances, acting with the express consent of the individual to whom the information relates. Additionally, specific obligations will depend on the type of information being handled. For example, a credit provider can only access and use information about an individual’s history of debt repayments if the credit provider is a ‘licensee’ under the National Consumer Credit Protection Act 2009 (Cth).
On or before 22 February 2018, APP entities will also be required to notify the Australian Information Commissioner, and affected individuals, if the APP entity experiences a data breach that is likely to cause an individual serious harm. This obligation is designed to enable affected individuals to take steps to protect themselves.
The Privacy Act includes health information within its definition of ‘sensitive information’. Health information is therefore afforded a higher standard of protection.
Additionally, both private and public sector entities need to be aware of obligations that may arise under state-based legislation, including:
These laws also impose obligations on employers in Victoria and the ACT when handling health information about their employees. While health records law in NSW contains an employee records exemption for private sector employers, such employers may nevertheless be bound by the NSW legislation if the health information is unrelated to their employment.
Health and other sensitive information will also be subject to common law principles of confidentiality.
The use of surveillance and/or listening devices is governed by both state/territory and federal legislation. Obligations in relation to surveillance will depend on the type of device (e.g. computer and/or video surveillance, geographical tracking and/or the use of listening devices), the nature and purpose of the surveillance, the specific activity being observed/recorded including whether it is occurring in the workplace or not and, in some cases, whether it occurs in the private or public sector.
While each jurisdiction differs, generally speaking, the use of surveillance and/or listening devices often requires consent and/or notification. However, exceptions may apply, including where the use of such a device is necessary to protect a party’s lawful interests, for an enforcement-related purpose, and/or is in the public interest. Specific obligations may also be affected by whether the person using the surveillance or listening device is a party to the activity/conversation and whether the activity/conversation is private or takes place in a private space.
Hall & Wilcox is well placed to advise on privacy law compliance and any other issues arising from the handling of personal information.