Privacy

How can we help?

We can assist your business in any aspect of privacy law.  This includes:
  • developing a privacy policy which suits your business;
  • providing advice on privacy protection; or
  • reviewing and amending existing privacy documentation.

What is privacy protection?

Privacy is internationally recognised as a basic human right.  Since 1988, the Privacy Act has provided privacy protection to individuals in their dealings with the public sector.  In December 2001, new provisions were introduced that regulate the private sector.

Under those provisions, organisations must generally either comply with an approved privacy code or comply with the 10 National Privacy Principles (NPPs).

The privacy legislation protects the following, where the information is held in a record:
  • personal information, which is defined as information or an opinion about an individual whose identity is apparent from the information or opinion; and
  • sensitive information, being information about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal records, and health information.

What are the National Privacy Principles?

  1. Collection (NPP1 and 10)

    An organisation must only collect personal information that is necessary for its functions or activities, and only directly from the person if it is reasonable and practicable to do so.  At the time that it collects personal information, or as soon as practicable afterwards, an organisation must make the person aware of:
    • Why it is collecting information about them;
    • Who else it might give it to.
    An organisation must obtain the person's consent before collecting sensitive information.

  2. Use and disclosure (NPP2)

    An organisation should only use or disclose personal information for the primary purpose of collection.  If it is going to use personal information for a secondary purpose (e.g. marketing), an organisation must generally obtain the person's consent.  The use of non-sensitive personal information is allowed for direct marketing where, among other things, it is impracticable to seek the person's consent and where the customer is told that they can opt out.

  3. Data quality (NPP3)

    An organisation must ensure that the personal information it collects, uses or discloses is accurate, complete and up to date.

  4. Data security (NPP4)

    An organisation must protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.  It must destroy or permanently de-identify personal information if it no longer needs it, or otherwise have a lawful reason to keep it.

  5. Openness (NPP5)

    An organisation should put its privacy policy on its website and have it available to provide to people.  If a person asks, it should let them know what sort of personal information it holds, what purposes it holds it for and how it collects, uses and discloses that information.

  6. Access and correction (NPP6)

    A person has a right of access to all the personal information that an organisation holds about them.

  7. Identifiers (NPP7)

    An organisation cannot collect a particular Commonwealth-government-assigned identifier (e.g. TFN) from all its customers and then use that identifier to organise and match other personal information.

  8. Anonymity (NPP8)

    An organisation must give a person the option of interacting anonymously with it if it is reasonably practicable to do so.

  9. Trans-border data flows (NPP9)

    An organisation must not disclose personal information to someone in a foreign country that is not subject to a comparable information privacy scheme, except where it has the person's consent.


Complaints handling

A person who thinks an organisation has interfered with his or her privacy can complain to the Office of the Australian Information Commissioner (OAIC).  The OAIC will give the organisation the opportunity to resolve the complaint directly.  The OAIC will conciliate the complaint using letters, phone calls and meetings.  The OAIC may make a formal determination.  This determination can be enforced by the Federal Court.


Privacy Law Changes

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Reform Act) includes three major changes to the existing privacy laws in Australia that are set to take effect from March 2014:
  1. A set of new, harmonised privacy principles for both the public and private sector, called the Australian Privacy Principles (APPs).  There are 13 new principles that will replace the existing Information Privacy Principles (IPPs) that currently apply to the public sector and the National Privacy Principles (NPPs) that currently apply to the private sector.
  2. Increased powers for the Commissioner, such as obtaining enforceable undertakings and seeking civil penalties.
  3. Changes to the credit reporting laws that provide a more comprehensive credit reporting process, including an individual's current credit commitments. The changes also introduce prohibitions, such as on reporting amounts of less than $150 and on reporting information about children.

What do I do now?

If you have an enquiry about privacy, email us today for assistance.


  • By Fiona McCord

    Data Breach Reporting is on its way

    Tuesday, 14 February 2017
    The long-awaited Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the data breach law) has been passed by both houses of the Parliament.


  • By Naomi Fink

    Privacy update for mobile apps

    Tuesday, 23 September 2014
    The OAIC has released its findings from the recent Global Privacy Enforcement Network (GPEN) Privacy Sweep [http://www.oaic.gov.au/news-and-events/media-releases/privacy-media-releases/mob-apps-must-put-privacy-first]


  • By Katherine Temple

    Part III – ‘Privacy by Design’: Developing a Mobile App

    Friday, 29 August 2014
    This is the third, and final, part of a blog series titled ‘Privacy by Design’ about the privacy practices a business should adopt when launching or updating a mobile app. Read the first and second blog here.

