INFORMATION SHEET
Privacy Act 1988 [1]
Implications for your Business
The Privacy Law establishes national standards for the handling of personal information by private sector organisations and aims to ensure that personal information held by private sector organisations will be stored, used and disclosed in a fair and appropriate way.
- Know if their personal information is being collected by private sector organisations.
- What personal information is held about them.
- How the personal information is being used and who is given the personal information.
- Correct the personal information if it is wrong.
Who does the Privacy Act 1988 apply to?
The Privacy Law applies to the acts and practices of 'organisations' in the private sector, including individuals, corporations, partnerships, trusts, and other unincorporated associations.
- Businesses with an annual turnover of $3 million or more.
- Businesses with an annual turnover of less than $3 million which are related to organisations with an annual turnover of more than $3 million.
- Health service providers or other organisations that hold health information.
- Organisations that collect, disclose and provide personal information for a benefit, service or advantage.
- Organisations that are contracted service providers to the Federal Government.
- Charitable and other not-for-profit organisations.
- Unions.
What type of information is covered by the Privacy Act 1988?
The Privacy Law applies to personal and/or sensitive information being collected by an organisation if the organisation collects it for inclusion in a 'record' or 'generally available publication'.
- racial or ethnic origin; or
- political opinions; or
- membership of a political association; or
- religious beliefs or affiliations; or
- philosophical beliefs; or
- membership of a professional or trade association; or
- membership of a trade union; or
- sexual preferences or practices; or
- criminal record
that is also personal information.
> health information about an individual; or
> genetic information about an individual that is not otherwise personal information
A 'generally available publication' is defined in the Privacy Act 1988 as a magazine, book, newspaper or other publication (however published) that is or will be generally available to members of the public. This definition covers documents published through both traditional means and electronic means.
Examples of personal and/or sensitive information that may be collected by organisations include:
- Employee records (including health records).
- Health records.
- Customer and supplier lists.
- Customer financial information/credit reports.
- Customer complaints.
- Client details including personal information relating to treatments, services and products purchased.
- Electronic databases recording transactions with individuals.
- Direct marketing databases.
- Research and development data and test results.
Application to acts and practices overseas
Where an Australian organisation deals with personal and/or sensitive information about Australians, the Privacy Law will apply to information held both within Australia and overseas. Where Australian organisations send personal information about Australians to foreign organisations, they will also have to ensure that the foreign organisation complies with the Privacy Laws.
Compliance
An organisation must comply with the National Privacy Principles as contained in the Privacy Act 1988 or develop its own 'Privacy Code' to regulate the handling of personal information.
The National Privacy Principles deal with:
Effect of Non-Compliance
The Privacy Law gives the Privacy Commissioner the power to investigate complaints and issue determinations, which are enforceable by the Federal Court or the Federal Magistrates Court.
An organisation that develops its own Privacy Code must appoint an independent adjudicator to investigate complaints and issue determinations; the Privacy Commissioner may be appointed as the independent adjudicator under a Privacy Code. The independent adjudicator has the same powers as the Privacy Commissioner to make determinations.
The Privacy Commissioner or the independent adjudicator may make determinations that:
- the respondent has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct;
- the respondent make an appropriate correction, deletion or addition to a record;
- the complainant is entitled to payment of compensation including amounts for injury to feelings or humiliation suffered;
- the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered.
© Stephens Lawyers & Consultants, March 2007
Contact: Katarina Klaric, Principal
Further information
Further information about privacy and the National Privacy Principles can be obtained from the Australian Federal Privacy Commissioner website at www.privacy.gov.au
Stephens Lawyers & Consultants
Level 3, 530 Lonsdale Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
Email: stephens@stephens.com.au
Website: www.stephens.com.au
All Correspondence to: PO Box 13286 Melbourne Law Courts Melbourne VIC 8010
To register for newsletter updates and to send your comments and feedback, please email stephens@stephens.com.au
Disclaimer: This newsletter is not intended to be a substitute for obtaining legal advice.
[1] As amended by the Privacy Amendment (Privacy Sector) 2000 Act which came into operation on 21 December 2001