Privacy Law and Policy Reporter
The fact sheets referred to in the information paper, which provide more detail about how the Bill applies, cover the following topics:
There is also a fact sheet on making a complaint under the private sector privacy scheme.
The fact sheets are available online at <http://www.law.gov.au/privacy/FactSheet.html>.
The Privacy Amendment (Private Sector) Bill 2000 ensures that appropriate standards for the protection of personal information will remain in place when government service provision is outsourced to the private sector.
Protection of personal information held by most Commonwealth agencies is already provided for under the Privacy Act 1988 (Cth). The Privacy Act sets out 11 Information Privacy Principles (IPPs) which govern the collection, storage, security, use and disclosure of personal information as well as access to and correction of such information by the individual concerned. Most of the IPPs are similar to the National Privacy Principles (NPPs) included in the Bill that will apply to private sector organisations. However, there are some differences, particularly in relation to the use and disclosure of personal information.
Given that the IPPs and the NPPs are different, some have queried which set of principles will apply when a government agency outsources functions that will result in a contractor or subcontractor handling what is essentially government-entrusted information.
The Government has sought to make it very clear in the Bill that the same level of protection will apply regardless of whether the government agency provides a service or contracts a private sector organisation to provide the service.
Government agencies which outsource functions that involve the collection and/or holding of personal information will be required by law to take contractual measures to ensure that their contractors and subcontractors do not act in a way that would amount to a breach of privacy standards if the act were done by the agency concerned.
Where a Commonwealth contract sets out particulars about the way in which a contractor must store, use or disclose personal information held for the purposes of the contract, the Bill ensures, in effect, that those contractual provisions will prevail over the NPPs that would otherwise apply to the contractor as a private sector organisation.
The Bill contains an extra safeguard to protect personal information held by Government contractors for purposes of a contract with a Government agency from being used for direct marketing purposes unrelated to the contract itself.
The Bill also contains a provision requiring government agencies and their contractors to be open about the privacy clauses contained in their contracts, enabling individuals to be informed of the content of such provisions on request.
The Privacy Amendment (Private Sector) Bill 2000 will regulate the acts and practices of ‘organisations’. The standards for the protection of privacy are based on the Privacy Commissioner’s National Principles for the Fair Handling of Personal Information (NPs). The NPs originally defined ‘organisation’ as including a group of related bodies corporate. This meant that, after initial collection, personal information could be shared within the organisation (that is, between related bodies corporate). This sharing or ‘use’ of personal information, and handling personal information generally, needed to be in compliance with the NPs.
The Bill has not adopted the definition of ‘organisation’ in the original NPs. To define an organisation as a ‘group of related bodies corporate’ would have (among other things) created difficulties identifying the respondent to a complaint. Instead, the Bill defines an ‘organisation’ to include a body corporate, and provides a mechanism by which related bodies corporate can share personal information. The mechanism is the ‘related body corporate provision’.
The related body corporate provision identifies situations where acts and practices of related bodies corporate will not be interferences with privacy. It recognises commercial reality that, for many bodies corporate to continue to operate effectively, they need to be able to communicate with each other. Often, what appears to the consumer to be one ‘organisation’ will, in fact, be several bodies corporate that are related to each other.
The related body corporate provision allows related bodies corporate to share information, consistent with the intention of the original NPs. Sharing information between related bodies corporate involves disclosure by one body corporate to another, and collection by the second mentioned body corporate from the first. The related body corporate provision allows one body corporate (A) to disclose personal information to another related body corporate (B), and for B to collect personal information from A without those acts being an interference with privacy.
The bodies corporate will, in all other areas, each need to comply with the NPPs in the Bill (or approved privacy code, as appropriate) — they do not have the freedom to use and handle personal information however they wish.
Before an organisation can collect personal information and rely on the related body corporate provision to allow it to disclose to other bodies corporate to which it is related, it must first comply with NPP 1.3 or 1.5 (or code equivalent, whichever is appropriate). NPP 1.3 (which applies where personal information is collected directly from the individual) and NPP 1.5 (which applies where information is collected from a third party) both require the organisation to take reasonable steps to ensure that the individual knows that the organisation has collected the information, what the organisation will use the information for, and the types of organisations to which the information is usually disclosed by that organisation. These sub-principles aim to ensure that individuals are aware of who has their personal information and what the information will be used for. An approved privacy code will also contain equivalent (or greater) privacy protection.
‘Use’ of the information by one body corporate (once it has collected the information from another body corporate) must then be in accordance with NPP 2. This is consistent with the requirement under the original mechanism. Every organisation, regardless of whether it is related to another organisation, must use information for the primary purpose of collection, or a secondary purpose where the use falls within the circumstances described in NPP 2.
For example, NPP 2 provides that personal information may be used for a secondary purpose where that purpose is related to the primary purpose of collection and the individual would reasonably expect the organisation to use the information in that way. Another situation where information may be used for a secondary purpose is where the individual has consented to that use. Personal information may also be used for direct marketing purposes provided the individual is given an opportunity to opt out and it is impracticable for the organisation to contact the individual to get his or her consent before using the information in that way.
The exemption is limited to the collection from, and disclosure by, related bodies corporate of personal information that is not ‘sensitive information’. The related body corporate provision does not allow the disclosure of health information between private hospitals or between co-located private hospitals and community health centres run by related bodies corporate.
Pre-existing databases will not escape regulation under the new regime. The Privacy Amendment (Private Sector) Bill 2000 will come into effect 12 months after it receives Royal Assent, or on 1 July 2001, whichever is later. Some of the principles in the Bill will apply to personal information that has been collected by an organisation before the date on which the Bill comes into effect; others will only apply to personal information collected after the date of commencement. To require that all the principles apply to existing information would impose unjustifiably high compliance costs on business, and these costs may well be passed on to the consumer.
The legislation will oblige private organisations that hold existing databases of personal information to take reasonable steps to ensure this data is accurate, complete and securely held. The organisation will also be required to be open to consumers about what information it already holds and how it collects, holds and proposes to use or disclose such information.
If an organisation proposes to transfer outside Australia personal information that was collected before the commencement of the Bill, it will have to comply with stringent requirements. An organisation may transfer personal information to a foreign country if:
After the legislation takes effect, organisations that hold existing databases of personal information will need to comply with all aspects of the Bill when they update that information, including those relating to the collection, access and use and disclosure.
Website operators that collect personal information online will have to take reasonable steps to ensure that internet users know who is collecting their information and how it is used, stored and disclosed, under the Privacy Amendment (Private Sector) Bill 2000.
The legislation will also allow people to access their records and to correct those records if they are wrong.
Organisations will have to protect people from unauthorised access and disclosure of personal information that they hold. Website operators who handle personal information will have to address issues of data security, such as encryption.
The legislation will require organisations to make public their policy on privacy. This will mean in practice that all websites will have to include a clearly identified privacy statement.
While Australians have embraced the information technology revolution, there is some reluctance to use the internet to do business. People have legitimate concerns about the legal certainty, security, authentication and privacy of electronic commerce. They want to know who has their name, their address, their telephone number, their credit card details and any other information they impart as they trawl through the web. They also want to know how that information will be used.
The Bill will establish a new approach to the protection and handling of personal information in the private sector. It has been drafted in such a way that it can be applied in both the conventional and electronic environments.
The Bill will also apply to direct marketing by electronic mail. The legislation allows the use of personal information for direct marketing purposes, provided the individual is given the opportunity to opt out of receiving any further direct marketing.
This will regulate spamming — the unwanted bombardment of junk email — from Australian private sector organisations. The Bill provides benchmarks, but private sector organisations can adopt higher standards, such as an opt-in approach. For example, the Minister for Financial Services and Regulation has been working on a model code for internet traders which promotes a qualified opt-in approach to unsolicited commercial email, such as spamming. The Internet Industry Association has recently announced a code which also adopts the qualified opt-in approach.
The Government’s objective in developing the legislation has been to strike a balance between encouraging IT developments and protecting the right to privacy.
The Bill is one element of the Government’s strategy to increase public confidence in doing business online and to position Australian businesses globally to take full advantage of e-commerce opportunities.
It also complements the Privacy Commissioner’s Guidelines on Workplace E-mail, Web Browsing and Privacy. These guidelines encourage organisations to devise clear email and web browsing policies which are widely known and understood by their staff.
Many private sector organisations operate across national boundaries and may move information overseas to use and process. The Privacy Amendment (Private Sector) Bill 2000 will apply in some circumstances outside Australia to ensure that organisations do not avoid privacy protections simply by moving information overseas.
The Bill draws a distinction between Australian organisations and foreign organisations. Where an Australian organisation deals with information about Australians, the Bill will apply both inside and outside Australia. For example, if an Australian company collects and stores information about Australians overseas, the company will have to apply the safeguards set out in the Bill.
In order to regulate the behaviour of foreign organisations operating outside Australia it is necessary to establish a strong link with Australian jurisdiction. In the Bill that link is based on a range of factors. The foreign organisation must carry on business in Australia and deal with information about Australians. The information must have been collected, or held at some time, in Australia. For example, where a foreign company collects information about Australians in Australia and then moves that information overseas, the company will have to apply the safeguards set out in the Bill.
In general, Australian-based organisations will also have to ensure that comparable privacy safeguards apply before transferring information to overseas organisations.
Medical records and other sensitive personal information will be given greater protection under the Government’s proposed private sector privacy legislation.
The Privacy Amendment (Private Sector) Bill 2000 makes a distinction between personal information and sensitive information. It recognises that people are fiercely protective of their sensitive personal details, such as their religious and political beliefs, sexual preferences and health information.
The legislation gives greater protection to sensitive information by placing stricter limits on how this information is collected and handled by private sector organisations. Specifically, it bans the use of sensitive information, such as health information, for direct marketing purposes. For example, a research organisation would not be able to pass on an individual’s medical records to a drug company which wants to target its advertising.
For the first time, all Australians will be able to access their own medical records held by private doctors unless providing access would pose a serious threat to the life or health of any individual. The Privacy Commissioner, in consultation with health consumers and professionals, will set guidelines for access to such information.
The Bill recognises that health professionals take seriously their obligations to keep their patients’ information confidential. However, there are clearly times when health information about a person needs to be shared, either amongst the treating team of health professionals or the patient’s family, except if they have voiced a wish to the contrary. Where a patient is unable to give consent to the disclosure of health information, doctors may provide the patient’s family with information to help to provide care or treatment or for compassionate reasons. Health professionals will be permitted to share health information about a person where it is necessary to assist treatment and in order to better care for them. For example, a doctor who has taken a patient’s medical history may share the information with a specialist who is seeking to determine the best treatment for that patient.
In most cases, private organisations will not be able to collect sensitive information without consent. However, health information may be used for research or the compilation or analysis of statistics that are relevant to public health, public safety, or the management, funding or monitoring of a health service. The information will not be made available if non-identified, aggregate data is sufficient for research purposes. Research will not be able to be published until it has had any identifying features removed. Organisations will have to show that they cannot conduct this research without the information and that there is no reasonable way to get a person’s consent. Examples of research which may require access to medical records include the investigation of clusters of childhood cancers or a food safety scare.
The legislation will apply to information about individuals which is derived from genetic technologies, to the extent that the information identifies the individual.
However, advances in gene technology raise unique privacy and other issues, such as discrimination, which will require separate consideration. The Attorney General and the Minister for Health intend jointly to pursue further policy consideration of this important and complex issue.
The Privacy Amendment (Private Sector) Bill 2000 will not apply to small businesses for 12 months after the legislation commences to allow them time to comply with the new laws.
After 12 months, all small businesses will continue to be exempt from the legislation unless they:
A small business is defined in the Bill as a business with an annual turnover of $3 million or less. Annual turnover is calculated using the same process that businesses will use to comply with tax reform legislation. Using the one calculation for more than one purpose will save small businesses time and money.
Small businesses that provide health services and hold health information — such as medical practices, pharmacies and health clubs — should not be exempt from the Bill, because Australians consider such information particularly sensitive and want it to be given a higher level of protection. The provision is designed to ensure that information held by small medical practices and pharmacies is subject to appropriate privacy protection.
Small businesses will not be prevented from collecting, holding, or using personal information for business purposes. Trading in information, however, creates a higher privacy risk. The Bill acknowledges this risk and includes provisions to regulate small businesses that trade in personal information.
The Bill also allows the Attorney General, if it is in the public interest and after consultation with the Privacy Commissioner, to prescribe small businesses or certain activities of small businesses that will be subject to the Act, despite the exemption. This will ensure that otherwise exempt small businesses, when found to constitute a particular risk to the privacy of individuals, will be subjected to privacy regulation.
When consulting the Commissioner the Attorney General will consider the views of other interested people, such as the Minister for Small Business and the Privacy Advisory Committee. The Attorney intends to appoint a small business representative to the Privacy Advisory Committee to provide an additional safeguard and voice for small businesses.
The Bill also provides an exemption for the collection, use or disclosure of information contained in employee records where this relates to the employment relationship. Employee records are defined as records that contain the types of personal information about employees typically held by employers on personnel and similar files. This is designed to stop an employer selling personal information from employee records to direct marketers, for example. While employee records deserve privacy protection, it is the Government’s view that such protection is more properly a matter for workplace relations legislation.
The Privacy Amendment (Private Sector) Bill 2000 allows people to make a complaint if they feel their personal information has been handled inappropriately by a private sector organisation.
Complaints will be directed in the first instance to the organisation. If the person and the organisation are unable to reach a satisfactory solution through negotiation, the person can request that an independent person investigate the complaint and determine whether there has been an interference with their privacy.
Where there is no organisational or industry privacy code, the independent investigator is the Commonwealth Privacy Commissioner. Where the relevant industry has established a code complaints body, the independent investigator will be an adjudicator nominated under the relevant industry code.
A complaint which is upheld may be resolved by an order that the organisation redress any loss or damage or pay compensation to the person. This could include ordering that a person’s name be removed from a direct marketing mailing list or ordering the organisation to pay compensation. If the order is not complied with, a person can have the order enforced in the Federal Court or the Federal Magistrates Service.
The record of the Privacy Commissioner in resolving complaints is excellent. There are very few complaints which have been made under the existing Privacy Act, which covers the public sector, that have not been resolved by conciliation by the Commissioner. It is expected complaints against private sector organisations will be resolved in a similar manner.
The Government’s aim is to provide an avenue for people to have their complaints dealt with simply, quickly, at low cost and without red tape. The complaints processes are designed to ensure most complaints can be resolved through conciliation and mediation, rather than the courts.