2000
The Privacy Amendment (Private Sector) Bill 200 was introduced in Parliament on 12 April. When enacted, the legislation will require most “organisations” to adhere to standards when handling “personal information”. The National Privacy Principles (NPPs) will be the minimum standard. These principles regulate the collection, use and disclosure, rights of access and correction, and storage of personal information. Special requirements apply to “sensitive information” and “health information”.
The Bill regulates the collection,2 use and disclosure,3 storage and handling of,4 and rights of access to “personal information” by “organisations”.5 An organisation must not do any “act” or engage in any “practice” which breaches an applicable privacy Code or, if no Code is applicable, the National Privacy Principles (“NPPs”).6
If there is a breach of an applicable Code or the NPPs, then the individual concerned may complain about an “interference with the privacy of the individual”.7 A complaint, if not resolved, may be referred to the Privacy Commissioner or an adjudicator under an approved Code.8
There are numerous exceptions to the application of the Bill. Certain organisations are deemed not to be “organisations”,9 certain acts and practices are deemed not to be “acts and practices”,10 certain breaches of the NPPs are deemed not to be breaches of the NPPs,11 and certain interferences with the privacy of an individual are deemed not to be such.12 There is also a “small business operator” exception which protects certain organisations with an annual turnover of less than $3 million per year.13
Organisations subject to the Amendments will be required to set out clearly expressed policies on the management of personal information. This “Privacy Policy” must be available to anyone who asks for it. Since the Privacy Policy is a public document, care must be taken that it is accurate and not misleading.
The NPPs regulate the handling of “Personal information”. The phrase is defined in the Privacy Act as
“information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”14
Special rules apply to “sensitive information”. The Bill lists certain types of information or opinions about an individual which are thought to be “sensitive”.15 The list includes such matters as race and various beliefs, activities, memberships, sexual behaviour and criminal records. Financial information about a person is not “sensitive information”.
Not all of the NPPs apply to “old” data, that is, data collected before the organisation is required to comply with the Act.16
This “old data” exemption is not as generous as it seems. Old data may be used for any purpose, but reasonable steps must be taken before use to ensure that it is accurate, complete and up-to-date17
Most “old data” will require regular updating. The Attorney-General has indicated that when “old data” is updated, it is no longer old and so is subject to all of the NPPs.18
Any organisation which intends to make use of the “old data” exceptions must implement systems which will clearly segregate “old data”. The system must ensure that when data is updated that it is no longer classified as “old”. Many organisations will find that this trouble and expense is unjustified for the limited exclusions granted.
The basic rule is that personal information may only be used for the “primary purpose” for which it was collected.19 There are rules for the use of the information for any “secondary purpose”.
For most organisations, the most important exceptions are those for direct marketing and the “consent” rule.20
Non-sensitive personal information may be used or disclosed for direct marketing purposes. This is so even if the individual has not consented and would not normally expect that the information would be so used. However, some conditions apply:21
it must be impracticable to seek the individual’s consent before the use; and
there must be no charge to the individual for honouring a request not to receive direct marketing communications; and
the individual has not made a request not to receive direct marketing communications; and
the individual must be given the express opportunity at each contact to request not to receive any further direct marketing materials;
each contact must provide information which permits the customer to contact the organisation.22
It will probably be impracticable to seek individual consent for most marketing lists.
The direct marketing exception is a substantial departure from the normal rule about use and disclosure. The price paid for this is:
the need to maintain an appropriate data base entry that identifies those individuals who have asked not to receive direct marketing communications; and
the need to provide a method for the individual to “opt-out” of the marketing list.
If a request is received to stop sending direct marketing communications, then the organisation probably may insist upon reasonable identification procedures to ensure that the request is genuine. However, it is probably not possible to insist that the individual conform to any particular method of submitting the request. No charge may be imposed on the individual for honouring his or her request to opt-out.
In general, personal information should not be used for a “secondary” purpose except in exceptional cases.23 One of the exceptions is that the data subject has “consented”.24 Consent may be either express or implied.25
Care must be taken in relying on implied consent. In Turner v Royal Bank of Scotland,26 the English Court of Appeal considered implied consent in the context of bankers’ references. It held that there could be no consent for a practice that was not known to the general public. In the case under consideration, it was relevant that the practice was kept secret by the bank. See Tyree (Tyree 2000) for a full discussion of the case.
We can also expect to see the notion of express consent tested. The mere fact that a customer “consents” to practices identified only in the fine print is unlikely to be “consent” for the purposes of the Act.
Credit providers will remain subject to Part IIIA of the present Act which regulates credit reporting. The interaction between the NPPs and Part IIIA is by no means clear. Is information “derived from a credit report” subject to the restrictions of Part IIIA even though the very same information would be subject to few restrictions under the NPPs?
Further, it is not clear how the NPPs interact with the Tournier duty of confidentiality.27 For example, the NPPs clearly permit “personal information” to be disclosed to a “related company”.28 Case law has said that such disclosure is a breach of the Tournier duty.29
Unfortunately, the better view is that Part IIIA is independent of the new Amendments as well as any other duty of confidentiality. It is also significant to note that none of the sections of Part IIIA “authorise” the disclose of any information.30 They merely exempt certain areas from the prohibition of use or disclosure. Therefore, Part IIIA cannot be used to justify disclosure under NPP2.1(g) which permits use or disclosure where “required or authorised by or under law”.
Nor may the NPPs be used to justify use or disclosure of information to which Part IIIA applies. Any restriction imposed by Part IIIA on disclosure or use of personal information is not altered by the NPPs. Section 16A(4) of the Act puts this beyond doubt:
To avoid doubt, an act done, or practice engaged in, by an organisation without breaching an approved privacy code or the National Privacy Principles is not authorised by law (or by this Act) for the purposes of Part IIIA merely because it does not breach the code or the Principles.
For example, NPP2.1(c) permits an organisation to use personal information in a direct marketing campaign subject to certain conditions. In other words, use of personal information in this way is not a breach of the NPPs. However, if the information in question is subject to Part IIIA, then it may only be used or disclosed subject to Part IIIA. Use of Part IIIA information in a direct marketing campaign will be a breach of Part IIIA even though it is not a breach of the NPPs.
In addition to the NPP restrictions on the use and disclosure of personal information, NPP9 adds additional requirements if the information is to be transferred overseas. The principle rule is that data is not to be transferred unless it is reasonably certain that the receiving organisation is obliged to treat the data according to rules that are similar to the NPPs.31
This rule works in connection with the “long arm” jurisdictional rule to permit transfer to related companies. Such companies are subject to the NPPs by s5B.
Obligations under the Act will not commence until 12 months after the Bill becomes law. However, most organisations will require significant systems modifications to meet their obligations. Most importantly:
The “primary purpose” of collection must be identified;32
“old” and “new” data must be identified;33
direct marketing “opt-outs” must be recorded;34
procedures must be established for providing information to individuals concerning the personal information held about them;35
individuals have a right of correction.36