CIO

IT Advocate: The privacy minefield

There are significant differences between state and federal privacy legislation. CIOs who deal with government agencies or other public sector organisations must determine the privacy laws applicable to them – and how best to accommodate them.

It is clear to most businesses that deal with personal information that the Privacy Act 1988 (Cth) (Privacy Act) and the National Privacy Principles (NPPs) affect their rights and obligations in some way. Conversely, consumers dealing with private sector organisations can be relatively certain of the procedures by which they can access personal information held by those organisations, or make a complaint about the information handling practices of such an organisation.

However, if consumers or service provider businesses find themselves dealing with government-owned corporations, universities, local governments, state governments or a raft of other state-based public sector bodies, they will need to undertake a significant amount of research to determine the privacy laws applicable to them, and how to best deal with those privacy laws.

At least one thing is clear: all jurisdictions recognise a definition of personal information that is roughly the same, and all require that such information be protected and used only in certain ways.

Commonwealth and Australian Capital Territory government agencies

Commonwealth and ACT government agencies are required to comply with the provisions of the Privacy Act in so far as they relate to Commonwealth and ACT government agencies. In general, this means complying with the requirements of the 11 Information Privacy Principles (IPPs).

Interestingly, the ACT also has the Health Records (Privacy and Access) Act 1997 which covers health records held in the public sector in the ACT and also seeks to apply to acts or practices in the private sector not covered by the Privacy Act. There is no such legislation dealing separately with the handling of health information at the Commonwealth level.

The Privacy Act requires that an agency entering into a contract with a service provider (whether private sector or otherwise) must take contractual measures to ensure that a contracted service provider does not do an act, or engage in a practice, that would breach an IPP if done or engaged in by the agency. If an individual considers that the contractor has breached their obligations in the handling of personal information about them, they may make a complaint to the Privacy Commissioner who has jurisdiction to directly investigate the actions of the contractor.

Individuals may apply for access to personal information held about them by a Commonwealth or ACT Government Agency either under the Privacy Act or the Freedom of Information Act 1982 (Cth), but the Privacy Commissioner has accepted that most agencies will deal with such requests in accordance with the procedures under the Freedom of Information Act, and has not initiated a separate regime for dealing with access requests under the Privacy Act.

Queensland Government Agencies

Until 1 July 2009, Queensland government agencies were bound by the requirements of ‘information standards’ which essentially did not have the force of law. As of 1 July 2009, Queensland government agencies are bound to comply with the Information Privacy Act 2009 (Qld) which sets out obligations similar to the IPPs mentioned above for most agencies, and obligations similar to the NPPs for the Queensland Department of Health.

Interestingly, and despite this new regime, Queensland does not have separate privacy legislation to regulate private sector health providers.

Under the Information Privacy Act, if a service provider is contracted to provide services to a government agency, and the contract binds the provider to comply with the provisions of the Act, then it becomes a ‘bound service provider’ for the purposes of the legislation and is answerable to the Privacy Commissioner under that legislation, even though it would not otherwise be bound by it.

Access to information held about individuals by the Queensland government is now facilitated under the Information Privacy Act. However, if an individual incorrectly makes an application for access under the Right to Information Act 2009 (Qld) (the new freedom of information legislation), the relevant government agency must inform the individual of their error and ask whether they would like to amend their application so that it is made under the correct legislation.


New South Wales

The Privacy and Personal Information Protection Act 1998 (NSW) sets out how NSW public sector agencies (defined as State government departments and statutory authorities, and all local and county councils in NSW, but excluding state owned corporations) manage personal information.

Further, the Health Records and Information Privacy Act 2002 (NSW) governs the handling of health information in both the private and public sectors in NSW through the imposition of 15 information privacy principles and requires that private sector organisations comply with both the Health Records and Information Privacy Act and the private sector provisions of the Privacy Act concurrently.

Individuals can have access to information held about them by NSW government agencies both under the privacy legislation, and under the relevant freedom of information legislation.

Unlike Queensland, ACT and Commonwealth government legislation, the NSW legislation does not require contracted service providers to comply with the NSW legislation, or to be accountable under the NSW legislation.

Interestingly, NSW is the only state to have introduced workplace surveillance legislation, which regulates employers undertaking workplace surveillance of employees (such as reviewing emails) and requires employers to inform individuals of the surveillance activities that will be undertaken, giving at least 14 days advance notice that this will occur.

Victoria

The privacy system in Victoria is almost identical to that in New South Wales. The relevant legislation is the Information Privacy Act 2000 (Vic), overseen by the Victorian Office of the Privacy Commissioner, and the Health Records Act 2001 (Vic), overseen by the Victorian Health Services Commissioner and applicable to both public and private sector health care organisations. Interestingly, the health records legislation contains principles dealing with the transfer of medical records to another practitioner, and with making information available to another health practitioner.

Also, provided that there is a clause in a service contract between a Victorian Government Agency and a service provider binding the service provider to comply with the IPPs, the service provider will be accountable under the Information Privacy Act.

Tasmania

The Personal Information and Protection Act 2004 (Tas) applies to the public and local government sectors of Tasmania, together with the University of Tasmania, and essentially requires Tasmanian government agencies to comply with privacy principles that mirror the NPPs. The legislation is administered by the Department of Justice. Complaints can be made to the Tasmanian Ombudsman and if the Ombudsman decides to deal with a complaint, the Ombudsman must conduct any investigations in relation to the complaint in accordance with the Ombudsman Act 1978 (Tas).

There is no separate regime for health records maintained by the private or public sector in Tasmania and further, service providers are not liable or accountable under the legislation.

Individuals must access the personal information held about them by a Tasmanian government agency under the State’s freedom of information regime.

Northern Territory

The Northern Territory Information Act 2002 (NT) contains provisions regarding freedom of information, information privacy and record/archive management. The privacy principles in the NT legislation mirror the NPPs.

As in Tasmania, there is no separate regime for health records maintained by the private or public sector in the Northern Territory and, further, service providers are not liable or accountable under the legislation.

Western Australia, South Australia

Both Western Australia and South Australia are currently without legislative privacy regimes. Various confidentiality provisions cover government agencies in Western Australia and the South Australian government has issued an administrative instruction requiring its government agencies to generally comply with a set of IPPs.

Conclusion

As you can see, the privacy obligations that businesses will be required to comply with (particularly businesses that are service providers to government agencies, or that provide health services, perhaps even on a national level) are extraordinarily complex, and particular care will need to be taken when taking steps to ensure compliance with the relevant laws.

Emma Weedon is a Senior Associate in McCullough Robertson’s Intellectual Property Group, who advises on a range of corporate and commercial matters, including protection and commercialisation of intellectual property rights, and privacy compliance. Emma has worked for a range of clients in the franchising, life sciences, telecommunications, resources, and commercial manufacturing industries. Emma can be contacted at: eweedon@mccullough.com.au