Obligations Under the Privacy Act
The Privacy Act obliges certain organisations and government agents to protect the privacy of individuals whose information they handle. This article outlines the obligations imposed by the Privacy Act.
What is personal information?
Under the Privacy Act 1988, personal information can encompass a wide range of things. Some information is explicitly recognised as personal information under the Privacy Act. This includes:
- Health information about an individual;
- Employee records; and
- Tax file numbers.
The information does not have to be explicitly referred to in the Privacy Act to be considered personal information. Furthermore, personal information does not have to be correct for it to be protected under the Privacy Act. Other examples of personal information that may be covered under the Privacy Act include:
- A person’s home address, signature or bank account details;
- Details about a person’s employment or business, such as their work address or a bank loan taken out for their business;
- Comments made about the person by another person, e.g. a manager’s written opinion of an employee’s performance.
Who is bound by the Privacy Act?
The Privacy Act obligates Australian government agents, private organisations with an annual turnover of more than $3 million and some other organisations to protect the privacy of individuals whose personal information they handle.
The Privacy Act creates obligations through thirteen principles of privacy. How entities that are obligated under the Privacy Act comply with these principles will differ according to how their organisation is structured. The privacy principles also allow for their application to be adapted as technologies change.
The Privacy Act also governs how personal credit information, health information and tax file numbers are kept private.
Privacy Act obligations in thirteen principles
The thirteen privacy principles are as follows:
- Option to not identify – Individuals required to provide personal details must be allowed to not identify themselves by giving a pseudonym or remaining anonymous. There are some limited situations where this will not be required;
- The collection of solicited personal information is only allowed in certain circumstances. Generally, it is only permitted where it is reasonably necessary for the entity collecting the information to perform its functions or activities and where the person whose information is being collected has consented to the collection;
- How unsolicited personal information should be handled. Entities having obligations under the Privacy Act must also deal with the personal information they acquire inadvertently. How they are obliged to deal with this information will depend on what the information is. Some information may need to be destroyed or de-identified. Some other information may be kept but will need to be handled in a specific manner.
- Where personal information is collected, an entity holding obligations under the Privacy Act must disclose certain things to the person whose information has been collected, including:
  - Contact details for the obligated entity;
  - The details of the collection;
  - Whether the collection of personal information is authorised or required according to law;
  - The purpose of the collection;
  - The consequences of non-collection;
  - The usual disclosures the entity makes with the personal information;
  - Whether the personal information is likely to be disclosed to any persons or entities overseas, and if so, the locations of those persons or entities.
- Personal information can only be used for the purpose for which it has been collected unless consent to use the personal information for a secondary objective has been obtained, or another exception applies, such as a law requiring disclosure;
- Personal information can only be used for direct marketing activities where specific requirements are met;
- Certain obligations and requirements must be met where personal information is disclosed to overseas persons or entities;
- Other obligated entities can only use Government-related identifiers for individuals under the Privacy Act in certain circumstances;
- Personal information should be accurate. Entities with Privacy Act obligations must take care to ensure that the personal information they collect is accurate, up-to-date, relevant and complete, taking into account the purpose for which it is kept;
- Personal information should be kept securely. An entity with Privacy Act obligations must take reasonable steps to protect the personal information it holds from loss, misuse, interference, unauthorised access, disclosure or modification;
- Individuals must be given access to their personal information upon request unless an exception applies; and
- Personal information held by entities with Privacy Act obligations must be corrected where that entity knows the information is inaccurate or the person to whom it applies requests that it be updated.
What can be done if an entity has not met its Privacy Act obligations?
If an entity does not meet its Privacy Act obligations, it can be found to have breached its obligations under the law and interfered with an individual’s privacy. The entity may be subjected to regulatory action and penalties. If an individual feels an organisation has mishandled their personal information, they can complain to the Australian Information Commissioner’s Office for free.
If you require legal advice or representation in any legal matter, please contact Armstrong Legal.