As information becomes readily accessible in the age of the internet and other advanced technology, individuals are becoming more and more aware of the ways in which they can protect and maintain the privacy of their personal information. The Privacy Act 1988 imposes significant restrictions on the ways in which organisations can deal with personal information they have collected about individuals, and provides consumers with a tool if they feel an organisation has mistreated them, or inappropriately dealt with or disclosed their personal information.
Accordingly, the need to comply with the provisions of the Privacy Act has never been more pressing. Yet, the percentage of businesses that consider Privacy Act compliance important has, in our opinion, never been so low. The number of businesses that also wrongly believe a Website privacy policy is sufficient to cover them has also never been so high.
The procedure for making a complaint about the information handling practices of an organisation under the Privacy Act is relatively straightforward and readily accessible to consumers. All complaints are considered by the Office of the Privacy Commissioner and if investigated, could cause the relevant organisation significant amounts of time and money in first assisting the Office with their enquiries and second in defending any allegations. If an adverse determination is made by the Privacy Commissioner, it will be made public, along with the name and conduct of the offending organisation. Whilst compensation awards under the Privacy Act have to date been quite low, the legal and general business cost of defending a complaint can be significant, particularly when compared to the relatively low cost of ongoing compliance.
All businesses in Australia (with the current exception of businesses that have never exceeded an annual turnover of $3 million and do not provide a health service) must comply with the private sector provisions of the Privacy Act.
Simply publishing a Website privacy policy and claiming to be ‘privacy aware’ is not enough for a business to be Privacy Act compliant, but there is an unfortunate perception in the business community that it does. In order to be truly compliant, an organisation must comply with the 10 National Privacy Principles (NPPs) in all of its dealings with the personal information of individuals. The NPPs broadly cover the way in which organisations collect, use, disclose, secure, update and allow access to personal information about individuals.
Personal information is defined by the Act to be any information that identifies the individual, or from which the identity of an individual can be reasonably ascertained. This information can include a series of data that, when pieced together, reveals the identity of the individual, even if, for example, their name is not published. True compliance with the Privacy Act not only means implementing appropriate documentation and procedures, but ensuring that all relevant members of the organisation are trained in the requirements of the Act and the procedures they must follow in that regard.
The biggest complaint by individuals is that an organisation has used their information in a way that it was not authorised to, or that it has disclosed information to a third party without permission. While in some cases the individual will suffer no direct damage as a result of the failure to comply, they will still have a right to make a complaint, and have that complaint investigated by the Privacy Commissioner. Direct marketing activities, medical records release and failure to maintain correct information are other areas where consumers rely on the provisions of the Privacy Act to achieve desired outcomes.
As the cost of compliance is relatively low, and can save an organisation significant amounts of time and energy, it is puzzling why so many organisations ignore the requirement to comply, particularly given the freedom with which information can now be transferred, not only amongst organisations, but around the World. It is likely that the privacy legislation has, to date, been seen by businesses as a ‘toothless tiger’, given that compensation awards are historically low and that other penalties are virtually non-existent (with the exception of a public adverse determination). However, widespread reforms suggested by the Australian Law Reform Commission in their recent report into the privacy legislation in Australia will, if enacted, put an end to that misperception with the introduction of an ‘at fault’ data breach notification system together with harsher penalties, including civil penalty provisions for serious breaches.
As the Government has, through the proposed reforms, indicated that it is willing to take data protection more seriously, organisations should also consider their current systems for compliance and ensure documentation and procedures are up to date, to not only demonstrate to consumers that their privacy is taken seriously, but to also avoid the time and cost (and future penalties) involved in breaches of the Privacy Act.
Emma Weedon is a Senior Associate in McCullough Robertson’s Intellectual Property Group, who advises on a range of corporate and commercial matters, including protection and commercialisation of intellectual property rights, and privacy compliance. Emma has worked for a range of clients in the franchising, life sciences, telecommunications, resources, and commercial manufacturing industries.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.