Australian Privacy Act
The Australian Privacy Act 1988 (Cth) is a federal law that affects Australian government agencies and Australian private businesses with over $3 million in annual turnover that deal with personal data or information. Affected businesses include those supplying products or services directly to individual customers or clients. All organisations collecting health information, regardless of turnover, are also affected by the Privacy Act.
Unlike EU laws on the protection of personal data, the Australian Privacy Act does not differentiate between entities which control personal information and those which process it. The effect is that storing, processing or disclosing data or information is all likely to be caught by the Privacy Act.
2014 Privacy Act Amendments
The Australian Privacy Act was amended on 12 March 2014 to enhance privacy provisions in a number of areas such as trans-border data disclosure, direct marketing, consent to collect personal information and the requirements for company privacy policies. The amendments brought into existence the Australian Privacy Principles (APPs), which replaced the former National Privacy Principles (NPPs) and Information Privacy Principles (IPPs). Under the Australian Privacy Act the APPs apply to both organisations and Australian Government agencies.
Classifications of information under the Australian Privacy Act
“Personal information” includes information or an opinion about an individually identifiable person (where their identity is known or could reasonably be worked out), whether true or not, and whether recorded in a material form or not. Examples include a person’s name, address and Medicare number. The Privacy Act does not cover de-identified statistical data where individuals cannot reasonably be re-identified.
“Sensitive information” includes information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, professional or trade association membership, union membership, sexual preferences or practices, or criminal record. Under the Privacy Act, higher privacy standards apply to the handling of sensitive information.
Health information is a particular kind of personal information and attracts additional privacy protection because of its greater sensitivity. “Health information” includes information about a person’s health, disability, genetics or use of health services, and other personal information collected from someone when delivering a health service.
Use or disclosure of personal information – APP 6
Generally, under the Australian Privacy Act an organisation cannot use information for a purpose different to the purpose for which it was collected, unless the individual consents. Consent must be voluntary and informed, and the individual must have the capacity to consent. Consent can be express or implied.
APP 6 relates to the use or disclosure of personal information. Very broadly, it prohibits an APP entity (an agency or organisation) that has collected personal information about an individual for a particular purpose (the primary purpose) from using or disclosing the information for another purpose (the secondary purpose) unless:
- the individual has consented to the use or disclosure; or
- the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose.
In addition to the above, if the information is ‘sensitive information’ the secondary purpose must be directly related to the primary purpose.
The 2014 reforms to the Australian Privacy Act give greater powers to the Privacy Commissioner. The Commissioner is able to apply to a court for a civil penalty if your organisation commits a serious interference with a person’s privacy or repeatedly engages in interferences with privacy. Penalties are now up to $1.7 million for a company per offence. The civil penalties can also apply to any entity that aids, or is knowingly involved in, serious or repeated privacy breaches.