Doing Business in Australia 2015: Privacy Law

“The Privacy Act 1988 (Cth) (Privacy Act) is the key legislation regulating the use of personal information in Australia. It imposes privacy-related obligations on public and private organisations which do business in Australia in relation to the collection, use, disclosure and storage of personal information.”

An “organisation” is defined to mean an individual, body corporate, partnership, unincorporated association or trust. Specifically excluded are, among other entities, small business operators (defined as a business with an annual turnover of $3 million or less which does not trade in personal information, provide a health service, hold health information or provide services to the Federal Government under a Commonwealth contract).

The Privacy Act was significantly reformed by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), passed in November 2012.

As from 12 March 2014, the core privacy obligations for organisations are set out in thirteen Australian Privacy Principles (APPs). The APPs are principles-based law and set out standards, rights and obligations in relation to the handling of personal information. They are structured to reflect the personal information lifecycle, including matters related to:

  • the consideration of personal information privacy,
  • collection of personal information,
  • dealing with personal information,
  • integrity of personal information, and
  • access to, and correction of, personal information.

The APPs apply both to Australian Government agencies and to the private sector. Compliance with the APPs is mandatory.

The APPs require an organisation to, amongst other things, have a clearly expressed and up-to-date privacy policy which describes how the organisation manages personal information, including how it collects personal information, for what purposes, and to whom it discloses that information.

An important obligation relates to the disclosure of personal information to a recipient located outside Australia. Before disclosing, the domestic organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.

In such circumstances, the domestic organisation will, subject to certain exceptions, be accountable for any acts or practices of the overseas recipient that would breach the APPs.

The Privacy Act places special requirements on operators in the health, credit providing and credit reporting industries. It also contains more stringent rules which apply to organisations that collect sensitive information, including information concerning a person’s racial or ethnic origin, political or religious affiliations, membership of a professional or trade association or of a trade union, sexual orientation or practices, criminal record or health.

At present, there are limited exemptions from the Privacy Act for employee records and journalism practices, and for certain acts done by organisations under government contracts.

At the State level, the requirements of the Privacy Act are supplemented by State legislation and regulations regarding personal and health information. For example, in New South Wales, all employers must comply with:

  • the Workplace Surveillance Act 2005 (NSW), which regulates how employees may be monitored while at work, covering camera surveillance, computer surveillance (such as monitoring of email and internet use) and tracking surveillance, and
  • the Health Records and Information Privacy Act 2002 (NSW) in relation to “health information” of individuals.

It is recommended that organisations appoint an employee to assume the duties of “Privacy Officer”.

Data retention law

The Australian Government has recently passed the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Data Retention Amendment), which introduces further compliance requirements for internet and telecommunications service providers. The Data Retention Amendment requires these service providers to keep prescribed communication-related metadata, such as the date, time and duration of a telephone call or email, for a two-year period. The retention obligation covers metadata only; it does not extend to the content of a communication or to a person’s web browsing history. The data retention obligations commenced on 13 October 2015, six months after the Act received Royal Assent.

For the purposes of privacy compliance, data retained under the Data Retention Amendment is deemed to be personal information if that information relates to an individual or is a communication to or from an individual. As such, the obligations and principles set out in the Privacy Act and the APPs apply to data retained by service providers under the Data Retention Amendment, including the obligations to secure the information and to destroy or de-identify it once it is no longer required.

Data breach reporting

The Australian Government is also expected to introduce mandatory data breach reporting legislation in the near future.