PRIVACY AND SMALL BUSINESS - What are your obligations under the Privacy Act 1988?

Author: Matthew Smith, Katrina Reye

Publish Date: September 15, 2009

May 2009 began with National Privacy Awareness Week, an event designed in part to highlight the obligations of certain organisations under the Privacy Act 1988 (“the Act”).

Who is bound by the Act?

A business with turnover of less than three million dollars a year will be characterised as a “small business” under the Act and will generally not be bound. However, the Act will apply if the small business is:

  • A health service provider;
  • Trading in personal information (e.g. selling mailing lists);
  • “Related” to an entity that is not a small business (e.g. a subsidiary);
  • A contractor providing services under a Commonwealth contract;
  • A reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (which includes banks, financial service providers, and the gaming industry); or
  • The operator of a residential tenancy database.

What does the Act require?

The Act requires that “personal” information, such as a person’s name and occupation, and “sensitive” information, such as a person’s sexual preference or criminal record, are handled appropriately. An entity bound by the Act may comply in one of two ways: by creating its own Privacy Code with the approval of the Privacy Commissioner, or by following the National Privacy Principles (“NPPs”) set down in the Act. For reasons of convenience and economy, many businesses choose to follow the NPPs.

The NPPs require the bound entity to:

  • Tell people it collects information and why;
  • Allow people to be anonymous if they prefer;
  • Only use personal information in ways the person might reasonably expect, or with their consent;
  • Never disclose sensitive information to anyone without the person’s consent;
  • Allow people access to the personal information it holds about them;
  • Ensure its information is accurate;
  • Keep its information safe and, when appropriate, destroy it securely; and
  • Be prepared to explain its privacy policy when asked.

As part of complying with the above NPPs, a bound entity must have a written privacy policy that addresses each of these points.

Non-compliance

If an individual makes a complaint about the way information has been handled by an entity bound by the Act, then the Privacy Commissioner can investigate and – if necessary – require an apology, a mandatory change in privacy practices, or financial compensation.

Strategies for businesses bound by the Act

If your business is required to adhere to the NPPs, it is vital that you have an appropriately drafted privacy policy, that every individual in your organisation who deals with personal or sensitive information is familiar with the NPPs, and that your business is organised in such a way that the risk of mismanaging information is minimised.

If you require any further information in connection with privacy law please do not hesitate to contact Matthew Smith on 49076319 or Katrina Reye on 49076318.

Copyright © 2007 Harris Wheeler Lawyers