Managing Risks Associated With Privacy Alison Baker- Senior Associate Hall & Wilcox 24 November 2006 819234.3


Managing Risks Associated With Privacy

Alison Baker- Senior Associate

Hall & Wilcox

24 November 2006

819234.3

IMPORTANT

This is not advice. Readers should not act solely on the basis of the material contained in this presentation. Items herein are general comments only and do not constitute or convey advice. Also, changes in legislation may occur quickly. We therefore recommend that our formal advice be sought before acting in any of the areas covered in this presentation.

Alison Baker
(03) 9603 3568
E-mail: [email protected]

Overview

• The Privacy Act 1988 (Cth)

• The 10 National Privacy Principles (“the NPPs”)

• Privacy Codes

• Employee Records Exemption

• Consequences for non-compliance with the Privacy Act 1988 (Cth)

The Privacy Act 1988

• Most private sector organisations required to comply with 10 National Privacy Principles when collecting, using and disclosing personal information

The Privacy Act 1988

• “Organisation” means:
– individual
– body corporate
– partnership
– unincorporated association
– trust

The Privacy Act 1988

• Small business operator with an annual turnover of $3 million or less excluded unless:
– provides a health service and holds health records
– trades in personal information
– related body corporate not a small business operator

Personal Information

• Personal information means:

“...information or an opinion (including information or an opinion forming part of a data base) whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”

The National Privacy Principles (“the NPPs”)

• The NPPs regulate the handling of personal information by organisations by regulating:

– collection
– use
– disclosure
– security

NPP1: Collection

• Essential to organisation’s functions or activities

• Individuals must be aware of:
– the identity of the organisation
– their ability to access that information
– the main purpose for collection
– the consequences of not providing the information

NPP2: Use and Disclosure

• Primary purpose

• Secondary purpose only if:
– related to primary purpose and individual would expect use or disclosure
– individual has consented
– direct marketing (subject to criteria being met)
– research or statistical analysis for public health or safety
– to lessen or prevent a serious and imminent threat to life, health or safety
– to investigate, report or prevent unlawful activity
– authorised by law or court order

NPP1 & NPP2 in Practice - Contractors

• Organisations may “contract out” aspects of their business to contractors

• Can involve contractors handling personal information

• The contract should clearly state how the contractor is to collect, use, disclose and keep secure personal information

NPP3: Data Quality

• Accurate

• Complete

• Up-to-date

NPP4: Data Security

• Protection from:
– loss
– misuse
– unauthorised access, modification or disclosure

• Destroy or de-identify when no longer needed

NPP1 – NPP4 in practice – Due Diligence

• Organisations must comply with the NPPs when selling or buying a business

• Some due diligence protocols to follow:
– The vendor should only disclose information that is necessary for the prospective purchaser to carry out due diligence investigations
– The prospective purchaser should only inspect and not collect documents containing personal information
– The number of people who have access to the personal information should be restricted
– The prospective purchaser should return or destroy personal information after due diligence is completed

NPP5: Openness

• Privacy Policy
– Clearly expresses policies and procedures
– Available upon request
– Meets requirements under the Privacy Act

NPP6: Access and Correction

• Individuals can access their personal information

• Individuals can correct their personal information

• Third party access to an individual’s personal information only permissible on individual’s request or with consent

NPP7: Identifiers

• Government / Agency identifiers
– e.g. Tax file number

• Prohibition on unnecessary disclosure

NPP8: Anonymity

• Provide option of remaining anonymous where reasonable and practicable

NPP9: Transborder Data Flows

• Overseas transfer of personal information for use or disclosure prohibited unless certain criteria met

NPP10: Sensitive Information

• Sensitive Information means:
– information or an opinion about an individual’s:
• racial or ethnic origin

• political opinion

• membership of a political association

• religious beliefs or affiliations

• philosophical beliefs

NPP10: Sensitive Information cont...

• membership of a profession or trade association

• membership of a trade union

• sexual preferences or practices

• criminal record

– Health information about an individual

Privacy Code

• Application and approval by Privacy Commissioner

• Meets requirements under the Privacy Act

• Benefits and disadvantages

Employee Records Exemption

• Privacy Act does not apply:
– to an act or practice engaged in by an organisation that is, or was, an employer of an individual; and
– that is directly related to:
• a current or former employment relationship between the organisation and the individual; and
• an employee record held by the organisation relating to the individual

Employee Records Exemption

• “Employee Record” includes information about:

• health of an employee

• employee’s engagement, training, disciplining or resignation

• employee’s termination

• employee’s performance or conduct

• employee’s hours of work

• employee’s salary or wages

• employee’s trade union membership

Workplace Relations Regulations 2006

• Employers have record keeping and disclosure obligations

• Records must identify:
– the instrument that covers the employee

– the employee’s remuneration

– the employee’s starting and finishing times and total number of hours worked

– the accrual and balance of annual, personal or other forms of leave

– the amount of superannuation contributions that were paid and the fund to which the superannuation contributions were paid

– if the employee’s employment is terminated, details of the termination.

Workplace Relations Regulations 2006

• Employers must retain employee records for seven years

• Records must be made available for inspection by employee to whom the record relates and workplace inspectors

Employee Records Exemption and Recruitment

• Unsuccessful candidates are not in an employment relationship

• Unsuccessful candidates can access personal information collected, used or disclosed about them

• Notes about unsuccessful candidates can have legal implications

• Notes about unsuccessful candidates should be based on objective, bias-free methods

Unsuccessful Candidates

• Destroy or de-identify personal information held about unsuccessful candidates

– Inform unsuccessful candidates in writing of the destruction of their personal information

• Obtain consent of unsuccessful candidates to retain their personal information

– Inform unsuccessful candidates that they can access or change their personal information or withdraw consent at any time

Consequence of Non-Compliance

• Complaint to Privacy Commissioner
• Investigation of complaint
• Conciliation of complaint
• Possible award of damages
• Privacy Commissioner awards / determinations enforced through Federal Court of Australia or Federal Magistrates’ Court of Australia

Questions?

Alison Baker
(03) 9603 3568
E-mail: [email protected]