Privacy concerns were recently raised when news came to light that a popular mobile handset was tracking the location of its owners without their knowledge. The revelation that data of such detail was being collected placed a focus on the issue of privacy rights for Australians. What laws protect consumers from unnecessary information collection? What limits do organisations have on the type of information collected, and for what purposes?
The National Privacy Principles
Schedule 3 of the Privacy Act sets out the National Privacy Principles (the Principles), outlining how information may be collected, stored, used, disclosed and protected. There are 10 Principles overall, although this piece will only cover the Principles most relevant to consumers.
Collection: An organisation must only collect information that is necessary to its functions and activities. Furthermore, information that is collected must be lawful and not unreasonably intrusive.
When collecting information from an individual, the organisation must take reasonable steps to ensure that the person is aware of:
- the identity of the organisation and how to contact it
- that a person can gain access to their information
- the purposes for which the information is collected
- other organisations to which the information will be disclosed
- any laws that require information to be collected
- any consequences (if any) for the person if all or part of the information is not provided.
Use and disclosure: Information must only be used for the purpose for which it was collected.
Typically, information collected about an individual cannot be used for another purpose without consent, except in circumstances such as the following:
- direct marketing campaigns where it is impractical to gain consent, and the person is given the opportunity to opt out of future marketing campaigns
- the disclosure of the information will prevent an imminent threat to a person’s health or safety
- the disclosure is allowed by law
- to protect public revenue.
Data security: Information collected about an individual may be sensitive in nature, and organisations must ensure that all reasonable steps are taken to protect the information from misuse, loss or unauthorised access. Once the information is no longer necessary, organisations must ensure that the data is properly destroyed.
Openness: An organisation must set out its policies on the management of personal information and make the document available upon request. A person is also within their rights to request from an organisation what information relating to them it holds, uses, and discloses.
Access: In most cases, a person can request access to information being held about them. However, the person’s right to access may be refused in circumstances such as the following:
- providing the information would pose a serious or imminent threat to another person’s health or life
- providing the information would have an unreasonable impact on other people’s privacy
- the request for information is frivolous
- the information relates to existing or anticipated legal action between the individual and the organisation
- providing access would be unlawful
- providing access is likely to cause damage to Australia’s national security.
When an individual is denied access to information relating to them, the organisation must outline the reasons for the decision.
Anonymity and sensitive information: When lawful and practical, an organisation must give an individual the option to remain anonymous, and in most cases, consent must be sought for the collection of information.
Who must comply with the Principles?
Organisations with an annual turnover of more than $3 million, and health service providers, must comply with the Principles. If a person believes that their privacy has been breached, they should contact the organisation before making a formal complaint.
If a person is still unsatisfied with how their complaint has been handled, an application can be made to the Privacy Commissioner who can resolve the dispute.