
PRIVACY - ARE YOU COMPLIANT?
- Introduction
- Do The Privacy Obligations Apply To You?
- What Are your privacy obligations?
- What happens if an individual's privacy is breached?
- Some Implications of the new privacy obligations
- How to become privacy compliant
- Recommendation
- Useful Links
INTRODUCTION
On 21 December 2001 new laws came into effect to create a privacy regime applicable to the private sector. These laws, contained in the Privacy Act 1988 as amended by the Privacy Amendment (Private Sector) Act 2000, require organisations to comply with the National Privacy Principles (NPPs) or an agreed privacy code.
DO THE PRIVACY OBLIGATIONS APPLY TO YOU?
The obligations to keep information private apply to private sector organisations who handle personal and/or sensitive information.
Personal Information is:
"information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion."
Sensitive Information is:
"information or an opinion about an individual's: racial or ethnic origin; or political opinions; or membership of a political association; or religious beliefs or affiliations; or philosophical beliefs; or membership of a professional or trade association; or membership of a trade union; or sexual preferences or practices; or criminal record; that is personal information; or (b) health information about an individual."
Private sector organisations are all organisations other than those specifically excluded, such as:
- small business operators being businesses with a turnover of less than $3 million;
- political parties and representatives in particular circumstances;
- certain government contractors; and
- media outlets providing journalist services.
It is of note that small business operators who provide health services or who collect personal information on behalf of third parties do not qualify for exemption as a small business operator.
WHAT ARE YOUR PRIVACY OBLIGATIONS?
Organisations subject to the privacy obligations must either adhere to the NPPs or to a code of privacy approved by the Privacy Commissioner (Privacy Code).
The NPPs (or the relevant Privacy Code) require organisations to comply with privacy obligations when they:
- handle personal information;
- collect, use and disclose personal information;
- store and destroy that personal information;
- deal with individuals who seek to access and correct that information.
WHAT HAPPENS IF AN INDIVIDUAL'S PRIVACY IS BREACHED?
An interference with privacy can arise if there is a breach of one of the NPPs, or if applicable, the relevant provision of the approved Privacy Code.
Where a person feels that their personal information has been handled inappropriately by a private sector organisation, that person may complain to the Privacy Commissioner. The Privacy Commissioner will not investigate a complaint unless it has first been directed to the organisation concerned, and the individual and the organisation have been unable to reach a satisfactory solution through negotiation.
In the event that the complaint is upheld, the complaint may be resolved by an order that the organisation redress any loss or damage or pay compensation to the person affected.
SOME IMPLICATIONS OF THE NEW PRIVACY OBLIGATIONS
Some examples of where privacy obligations may impact on an organisation's behaviour include:
- employee use of email and the internet;
- recruitment, including reference checking, notes of interviews, selection reports, pre-employment testing and criminal record checks;
- engagement of contract workers;
- the collection, use and disclosure of personal information;
- the use and disclosure of personal information for marketing purposes;
- the right of individuals to access their personal information and to correct those records if the information is inaccurate, incomplete or out of date;
- the storage, protection and method of destruction of any personal information collected by the organisation.
HOW TO BECOME PRIVACY COMPLIANT
To ensure that an organisation is privacy compliant, it is suggested that the following steps be undertaken:
- Audit your information collection practices and systems:
- what information is collected?
- who is it collected from?
- how is it collected?
- when is it collected?
- for what purpose is it collected and used, and by whom?
- what are the functions or activities carried out by your business?
- do all the purposes for which information is collected relate to one of those functions or activities?
- what consents are in place for use or disclosure?
- is the information updated?
- how is information stored and accessed?
- what are the procedures for removing unnecessary or out-of-date information?
- do you send or transmit information overseas?
- Appoint a Privacy Compliance Officer whose role will be to:
- develop and implement privacy policies on an organisation-wide basis;
- monitor legal developments in relation to privacy;
- educate staff on privacy issues;
- deal with privacy complaints from individuals; and
- monitor compliance with privacy standards within the organisation.
- Develop a privacy policy consistent with the NPPs and establish a privacy compliance procedure manual to ensure that appropriate privacy management practices are in place within the organisation.
- Conduct training sessions for all staff, including management, on the issue of protecting privacy and the processes that the organisation will undertake to protect privacy.
- Establish privacy commitments with all staff and any third parties who collect or disseminate personal information on behalf of the organisation.
- Maintain a publicly available privacy statement and policy, available on the organisation's website and in hard copy.
RECOMMENDATION
We can provide assistance to your organisation with advice on privacy issues, privacy training and the drafting of privacy policies and manuals.
If you would like further information on any aspect of the private sector privacy obligations, please contact Richard Ottley on 02 9225 7610, rbo@swaab.com.au
USEFUL LINKS
National Privacy Principles: http://www.law.gov.au/privacy/royalnpp.htm
Guidelines to the Privacy Principles: http://www.privacy.gov.au/business/index.html#3.2
Office of the Privacy Commissioner: http://www.privacy.gov.au/business/index.html#3.2
Privacy Act 1988 (Cth): http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/