Privacy... is your business caught by the new legislation?
by Judy Anne Feeney

The new Privacy Amendment (Private Sector) Act 2000 came into effect
for most private sector organisations on 21 December 2001. Your company
may have to comply with the new rules and it could mean you have to change
the way you handle the information you gather about people.
The Act applies to personal information - information that can identify
a person - held by organisations. An organisation is defined as a partnership,
a trust, a body, an individual or an unincorporated association that is not
a small business operator.
Essentially, if your business:
- Has a turnover of $3 million or more
- Is related to a corporation with a turnover of more than $3 million
- Provides health services which hold health information
- Collects and/or discloses personal information for a benefit, service
or an advantage
- Falls into a category which is prescribed by regulation under the
Act
then you must ensure that your business operations comply with the new
privacy regime.
However, if your organisation is a small business that collects health
information or sensitive information - such as religion or sexual preference
- or discloses personal information about others for a benefit, service
or advantage, it is also required to comply with the Act.
Businesses that do not have to comply may voluntarily 'opt in' to the
legislative scheme to comply with the National Privacy Principles (NPPs).
This is recommended as it will provide your business with a competitive
edge and extend consumer confidence in your business operations.
What does this mean?
It is not merely a question of preparing a privacy policy that complies
with the NPPs set out in the Act. The NPPs provide special rules about
collection, storage, use and disclosure of sensitive information. You
have to ensure that your business changes its procedures where necessary
to comply with the Act.
A significant consequence of the legislation is raising the awareness
of consumers, staff and management to privacy issues and the way personal
information should be handled.
The legislation took effect on 21 December 2001 for most organisations.
If your business is a small business but is required to comply with or
has chosen to opt into the legislation (apart from health services), then
you will have until 21 December 2002 to prepare and comply with the legislation.
How to prepare
- First and foremost you need to implement a privacy policy and put
in place procedures and systems for information collected both prior to
commencement of the Act and after it.
- If the information you already have is sensitive, you need to review
and notify the personal information holder of the primary purpose of
collecting the information, and if it's for a secondary purpose you
need consent from the owner of the personal information.
- You will need to implement a process where information is reviewed
and updated on a regular basis and notify the personal information owner
that the information is updated.
- You must notify the owner as to how the information can be accessed
or modified.
These suggestions are by no means conclusive but are issues for you to
consider.
If you have any legal questions you would like answered,
please email michelle@abn.org.au
Selected questions will be answered by Judy Anne in the
following issues of the ABN Members newsletter, The Networker.
Judy Anne Feeney specialises in privacy laws and
issues, practises in all areas of general commercial law and can assist
you with any of your organisational needs. More information can be found
on privacy.gov.au or by contacting Judy at DibbsBarkerGosling Lawyers
on (02) 8233 9557.