Protection of personal data: the Australian perspective; new legislation has applied the information privacy principles of 1988 to the private sector through national privacy principles.

Author: Klimt, Steven

THE MAIN data protection law in Australia in relation to privacy is the Privacy Act 1988 (Cth). It has been amended by the Privacy Amendment (Private Sector) Act 2000 (Private Sector Act), which came into operation in December 2001 and effectively extends the operation of the 1988 act to the private sector.

The regime introduced by the Private Sector Act has far-reaching consequences for both the business community and consumers in Australia. The stated aim is to reduce obstacles to the development, take-up and use of electronic commerce and other new technologies resulting from concerns about the possible mishandling of personal information by the private sector, while at the same time avoiding excessive red tape and minimising the cost of compliance on business.

The 2000 Act creates a co-regulatory legislative framework through the development of self-regulatory codes of practice by organisations that must achieve certain minimum standards of privacy protection set out in 10 National Privacy Principles (NPPs) in the act. The NPPs are the core of the private sector regime and establish minimum standards in relation to the collection, holding, use, disclosure, management, access, correction and disposal of personal information about natural persons. The NPPs also include special measures with regard to certain types of personal information defined as sensitive. In the absence of a relevant self-regulatory code, the NPPs themselves will apply.

The requirements of the Private Sector Act have affected, directly or indirectly, all businesses in Australia. Organisations subject to regulation under the act have been required to implement changes to transactional documents, internal and external information handling and security procedures, information technology requirements, customer communications and training of staff in order to comply with the new regime. Maintaining compliant information-handling practices is a continuing challenge.

It is important to note that the Private Sector Act does not stand alone. Regulation of information-handling practices in Australia intended to protect individuals' privacy has existed in a number of forms prior to the Private Sector Act, although these existing regimes will not be considered in any detail in this article.

A number of state and territory governments have enacted legislation affecting their governments' dealings with individuals' personal information--for example, the Privacy and Personal Information Act 1998 in New South Wales. Other existing forms of regulation of information-handling practices affecting the private sector include (1) common law obligations of confidentiality; (2) a number of statutory mechanisms affecting specific industry sectors; and (3) voluntary codes of conduct adopted by industry groups--for example, the Insurance Council of Australia, the Australian Direct Marketing Association, and the Australian Bankers Association.

The 1988 Act required federal government agencies to act in accordance with 11 Information Privacy Principles (IPPs), which are broadly similar to the NPPs. The Privacy Act applies these to private sector organisations (1) in relation to the collection, storage, use and security of tax file number information; and (2) in relation to the information-handling practices of credit reporting agencies, credit providers and associated persons.

SCOPE OF PRIVATE SECTOR REGIME

The Private Sector Act introduced a new regime, termed the "private sector regime," which operates within the existing structure of the 1988 Privacy Act. References in this paper to sections are, unless otherwise stated, references to sections of the Privacy Act 1988, as amended by the Private Sector Act.

The 2000 Act extends regulation to the handling of all forms of personal information across the private sector. It introduces new provisions and modifies a number of existing ones, while leaving in place the preexisting obligations on private sector organisations regarding tax file number information and credit reporting practices.

  1. What Is Regulated?

    1. Personal Information

      The handling of "personal information" is regulated. Personal information is defined in Section 6 as:

      Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

      By way of example, the following is not personal information if it is the only information collected by an organisation: "male, 180 cm tall, blue eyes." The identity of the individual is not apparent, nor can it reasonably be ascertained from the information, even if the identity of an individual could be ascertained once it is combined with other information. However, the following is personal information: "[name], male, 180 cm tall, blue eyes." From this information the identity of an individual could reasonably be ascertained.

    2. Sensitive Information

      The private sector regime imposes additional requirements on an organisation with respect to "sensitive information." Sensitive information is defined in Section 6(1) as:

      Information or an opinion about an individual's:

      * racial or ethnic origin; or

      * political opinions; or

      * membership of a political association; or

      * religious beliefs or affiliations; or

      * philosophical beliefs; or

      * membership of a professional or trade association; or

      * membership of a trade union; or

      * sexual preferences or practices; or

      * criminal record;

      that is also personal information; or

      * health information about an individual.

      Essentially, an organisation is not permitted to collect sensitive information except (1) with the consent of the individual; (2) where required by law; (3) in limited circumstances, associated with a non-profit organisation's (1) dealings with its members (or individuals in regular contact with that organisation in the course of its activities); or (4) where collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

      In limited circumstances, sensitive information that is health information may be collected if it is necessary to provide a health service to an individual or for research purposes, where it is not possible to use de-identified information.

  2. Commencement and Application

    The Private Sector Act commenced on 21 December 2001. However, special provision was made for certain small businesses, which will benefit from a delayed application period of up to 12 months after 21 December 2001.

    The NPPs regulating collection, use and disclosure of personal information apply to personal information collected only on or after 21 December 2001. Personal information collected before that date may be used or disclosed by an organisation without reference to the requirements of the second NPP, which regulates use and disclosure of personal information. However, in many cases it is not practical for organisations to have separate procedures for use and disclosure of personal information they hold, depending on whether that information was collected before or after the commencement of the private sector regime.

    In any event, organisations have obligations under the NPPs with respect to the accuracy and completeness, security and disposal, policies for management, access and correction, (2) and transborder movement of personal information in their possession, even if that information was collected before commencement of the private sector regime.

    1. Who Is Affected?

      The private sector regime applies to the acts and practices of "organisations," a term that includes bodies corporate, unincorporated associations, partnerships, trusts and individuals. Section 6C. However, some entities are excluded from the definition of organisation--for example, small business operators. Certain acts and practices--for example, those relating to employee records--are exempt. These exclusions and exemptions are dealt with below.

    2. Who and What Are Excluded?

      1. Private Affairs

        Individuals may be subject to regulation under the act as an "organisation" in relation to their business activities. Acts and practices of individuals who are organisations are exempt where they are done other than in the course of a business carried on by the individual. Section 7B(1). Moreover, Section 16E expressly excludes the collection, holding, use, disclosure or transfer of personal information by an individual, or personal information held by an individual, for the purposes of, or in connection with, his or her personal, family or household affairs.

        The term "personal, family or household affairs" is not defined. Existing case law defining "in the course of a business" may provide a guide to determining the circumstances that fall within this exemption.

      2. Employee Records

        The act provides an exemption for the collection, use or disclosure of information contained in employee records in the context of employment relationships. Section 7B(3) states that an act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt if the act or practice is directly related to (1) a current or former employment relationship between the employer and the individual; and (2) an employee record held by the organisation and relating to the individual.

        Employee records are defined broadly to include, for example, a record containing information about the engagement, training, disciplining or resignation of an employee; the terms and conditions of employment of an employee; or an employee's performance or conduct. Section 6. The rationale for the exemption is that handling of employee records is an issue best dealt with under workplace relations legislation. (3)

        The requirement that the act or practice be related to a current or former employment relationship and an employee record held by the organisation and relating to the individual means that once information contained on an...
