There is a growing focus in the community on privacy and personal information, and that will no doubt continue as data becomes an increasingly valuable commodity in big business.
The Big Brother spectre is a real and growing perception, and business cannot afford to ignore the importance people place on the integrity of their privacy.
Privacy Commissioner, Timothy Pilgrim, has quite broad sweeping powers to act on complaints as well as instigating his own investigations.
The Commissioner recently worked with the Data Protection Commissioner of Ireland and Office and the Privacy Commissioner of Canada, to investigate the consequences of a major data breach involving Adobe’s facilities in Ireland.
Part of Adobe’s network in Ireland held some 1,700,000 records of Australian customers. The Australian Commissioner found that Adobe failed to take reasonable steps to protect all of the personal information it held.
So it’s worth keeping in mind that although you may be liable for damages and other penalties for beaching the Privacy Act, the damage to reputation from the incident and the government’s publicised investigation and findings, may have a far greater effect on your business and bottom line.
So, who is obliged to comply with the Privacy Act?
As a simple statement, the Act prohibits ‘interfering’ with the privacy of an individual. It also specifically provides that interfering with an individual’s privacy occurs when conduct breaches an Australian Privacy Principle (APP).
The next important questions are: What is ‘personal information’, and how does the Act affect those that collect and handle it?
Personal information is information or an opinion about an individual who can be identified, or who is reasonably identifiable. The truth or correctness of the information or opinion is not relevant.
There is a sub-category of personal information called ’sensitive information’, which is subject to more stringent controls under the Act. Sensitive information relates to race, ethnic origin, religious beliefs and related matters.
The principal obligations for the collection and handling of personal information are set out in the APPs. Some of the key obligations under the APPs are considered below.
You can only collect person information where it is reasonably necessary for your activities, and you can only collect sensitive information with the consent of the individual concerned (APP3). Again, there are certain limited exceptions, and these need to be considered carefully before relying on them.
You have to take reasonable steps to notify the individual of your organisation’s details, and the reasons you are collecting their personal information (APP5). Personal information may only be used for the purpose for which it was collected, unless consent is obtained from the individual (APP6), or one of the exceptions in APP6 is satisfied.
It is important to understand that the effect of the APPs extends beyond Australia. To disclose personal information outside of Australia, you must take reasonable steps to ensure the offshore recipient does not breach the APPs in respect of that information (APP8).
The privacy obligations are not one time only responsibilities. Once collected, there are ongoing responsibilities to ensure the information is kept up to date, is accurate and complete (APP10).
In addition to keeping the information up to date, you are also obliged to take reasonable steps to protect it (APP11). Under that same APP, where you have personal information you no longer have a use for (i.e. authorised use), then you cannot passively retain it – you have a positive obligation to destroy it or de-personalise it.
It is worth looking at another example to consider how important these requirements may be. The Privacy Commissioner is currently investigating yet another data breach incident, this time involving Westnet, a subsidiary of iiNet.
It appears a hacker comprised a database containing Westnet customer information, and then offered that information for sale online.
The Commissioner would no doubt be investigating to see if Westnet had taken reasonable steps to protect the information. iiNet has itself referred to the information compromised as “old customer information stored on a legacy system”. It would be ironic in the extreme if this statement, no doubt intended to tone down alarm over what was compromised, led to a further investigation into whether APP 11 had been breached.
There is a general obligation to provide individuals access to their personal information that you hold, with some exceptions (APP12).
The final obligation under the APPs is to correct personal information you hold, where there is reason to suspect it is not correct or up to date (APP13).
You need to give time and resources to understanding your Privacy responsibilities and ensuring you comply with them. A failure to do so may have consequences well beyond breaches of the Act, which is in itself serious enough.
You need to be sure you understand all of your obligations, and where there is any uncertainty, seek appropriate advice.
Guy Betar is a corporate/IT lawyer with more than 20 years’ experience. He is currently special counsel at Salvos Legal and can be contacted by email at email@example.com.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.