National Privacy Principles: Is your company or business collecting personal information about your existing or potential clients? Personal information is defined in section 6 of the Privacy Act 1988 (Cth) as:
“Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”
“Identification is the action of being identified, of linking specific information with a particular person. An individual’s identity has a degree of fluidity and is likely to change over time. The extensive linking of different information about an individual may restrict or limit this fluidity …
Identification can potentially relate a wide range of elements of an individual’s identity. In practice, identifying an individual generally involves focusing on those things that distinguish that individual from others including, legal name, date of birth, location or address and symbolic identifiers such as a driver’s licence number.”
Whether information can readily identify an individual depends heavily on the context. For example, disclosing a person's gender, ethnicity and the fact that they suffer from a rare medical condition has been considered enough to identify that person.
Generally, information such as a full name, address, date of birth or even an email address can be enough to make a person identifiable.
Most businesses collect this information on their websites, through order forms or when a potential customer signs up to receive their newsletter. It is important for businesses to understand their obligations when collecting and dealing with personal information. While there are some exemptions from compliance with the Act, it is good practice for businesses to comply with the Act and the National Privacy Principles when conducting business, as it encourages customers to feel comfortable sharing personal information when interacting with your business.
1. Collection – When collecting personal information:
a. The information collected must be necessary for one or more of the functions or activities of the organisation – for example, for the sending of a newsletter or for posting goods purchased by the customer;
b. The information can only be collected by lawful and fair means and not in a way that can be considered unreasonably intrusive;
c. The organisation collecting the information must take reasonable steps to make the individual aware of:
i. the identity of the organisation and any contact information;
ii. the purposes for which the organisation is collecting the information;
iii. the fact that the individual is entitled to access the collected information;
iv. to whom the information may be disclosed; and
2. Use and Disclosure – Personal information collected for a primary purpose must not be used or disclosed for another (secondary) purpose unless an exception applies, for example where:
i. the secondary purpose is related to the primary purpose of collection; and
viii. the law authorises or requires the use or disclosure of the information.
3. Data Quality – The organisation must take reasonable steps to ensure that the information it collects, uses or discloses is accurate, complete and up to date.
4. Data Security – The organisation must take reasonable steps to protect the information from misuse and loss and from unauthorised access, modification or disclosure, and must destroy or permanently de-identify information that is no longer needed for any purpose for which it may be used or disclosed.
5. Openness – An organisation must set out in a document its policy on management of personal information, and make this “Privacy Policy” available to any person who requests to view it.
6. Access and Correction – An individual must be allowed access to their personal information (except where an exception under the Principles applies) and may have such information corrected if it is inaccurate, incomplete or out of date.
7. Identifiers – An organisation must not adopt as its own identifier of an individual an identifier that has been assigned by a government agency, nor use or disclose such an identifier except in limited circumstances.
8. Anonymity – An organisation must, where possible, allow an individual the opportunity to deal with the organisation without having to identify themselves to the organisation.
9. Transborder Data Flows – An organisation may only transfer personal information outside Australia if the recipient is subject to a law, binding scheme or contract that effectively upholds principles substantially similar to the National Privacy Principles, or where the individual consents to the transfer (subject to other limited exceptions).
If you are collecting personal information about your customers you may need to ensure that you are acting in compliance with the National Privacy Principles. If you are unsure about your obligations under these rules, we encourage you to contact our office to discuss your concerns.
Nautilus can help you ensure compliance with the National Privacy Principles through the provision of a Privacy Policy, tailored to suit your business and its uses of personal information. Privacy Policies are not only required by NPP 5; they help instil confidence in customers of your business, as customers can see how their personal information will be used when they make it available to you. More and more individuals are becoming educated about the risks associated with providing personal information online, so it is important that your business has policies in place to address any concerns that your customers may have before they engage with your business.
We welcome you to contact our team on (07) 5574 3560 or email us at info@nautiluslaw.com.au. Thank you for considering Nautilus Law Group.
Submitted by: Katrina E. Brown BA JD ATIA TEP SSA