National Privacy Principles: Is your company or business collecting personal information about your existing or potential clients? Personal information is defined in section 6 of the Privacy Act 1988 (Cth) as:

“Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”

But what does it mean for an individual’s identity to be “apparent”, or “reasonably” ascertainable from the information collected?
In 2002, the (then) Privacy Commissioner released a statement as follows:

“Identification is the action of being identified, of linking specific information with a particular person. An individual’s identity has a degree of fluidity and is likely to change over time. The extensive linking of different information about an individual may restrict or limit this fluidity …

Identification can potentially relate a wide range of elements of an individual’s identity. In practice, identifying an individual generally involves focusing on those things that distinguish that individual from others including, legal name, date of birth, location or address and symbolic identifiers such as a driver’s licence number.”

Whether information can readily identify an individual is greatly dependent on the situational context. For example, the disclosure of gender, ethnicity and the information that the individual suffers a rare medical condition, has been considered to be enough to identify a person.

Generally, information such as a full name, address, date of birth or even an email address can be considered information that makes a person capable of being identified.

Most businesses collect this information on their websites, through order forms or when a potential customer signs up to receive their newsletter. It is important for businesses to understand their obligations when collecting and dealing with personal information. While there are some exemptions from compliance with the Act, it is good practice for businesses to comply with the Act and the National Privacy Principles when conducting business, as it encourages customers to feel comfortable sharing personal information when interacting with your business.

The National Privacy Principles (NPPs) are the standards of privacy to which private organisations (as opposed to government agencies) must adhere when collecting and holding personal information.
The 10 NPPs are summarised as follows:
1. Collection – This NPP describes how an organisation should act when collecting personal information. Restrictions include:

a. The information collected must be necessary for one or more of the functions or activities of the organisation – for example, for sending a newsletter or for posting goods purchased by the customer;

b. The information can only be collected by lawful and fair means and not in a way that can be considered unreasonably intrusive;

c. The organisation collecting the information must take reasonable steps to make the individual aware of:

   i. the identity of the organisation and any contact information;

   ii. the purposes for which the organisation is collecting the information;

   iii. the fact that the individual is entitled to access the collected information;

   iv. to whom the information may be disclosed; and

   v. the consequences (if any) of failure to provide the information – for example, full services may not be able to be provided without all information;
d. The organisation should, as far as reasonable and practicable, only collect personal information directly from the individual it pertains to.
2. Use and Disclosure – This NPP sets out how personal information may be used and disclosed. The obligations can be summarised as follows:
a. The information must only be used or disclosed for the primary purpose for which it was collected, unless:

   i. the secondary purpose is related to the primary purpose of collection (and, for sensitive information, directly related); and
   ii. the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or
   iii. the individual has consented to the use or disclosure; or
   iv. the information is not sensitive, the secondary purpose is direct marketing, it is impracticable to seek the individual's consent beforehand, the individual has not declined such communication, and the organisation provides an 'unsubscribe' facility in each communication; or
   v. the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety; or
   vi. the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual's life, health or safety, or a serious threat to public health or public safety; or
   vii. the organisation reasonably suspects that unlawful activity has been or is being engaged in and uses or discloses the information as a necessary part of its investigation or reporting of that activity; or
   viii. the use or disclosure is required or authorised by law.

3. Information Quality – The organisation must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date.

4. Data Security – The organisation must take reasonable steps to protect the personal information it holds from misuse and loss, and from unauthorised access, modification or disclosure. It must also take reasonable steps to destroy or permanently de-identify personal information that is no longer needed for any purpose for which it may be used or disclosed.

5. Openness – An organisation must set out in a document its policy on management of personal information, and make this “Privacy Policy” available to any person who requests to view it.

6. Access and Correction – An individual must be given access to their personal information on request (except where the NPPs provide otherwise), and the organisation must take reasonable steps to correct the information if it is inaccurate, incomplete or out of date.

7. Identifier – An organisation must not adopt an identifier assigned by a Commonwealth government agency (such as a tax file number or Medicare number) as its own identifier for an individual, and generally must not use or disclose such an identifier.

8. Anonymity – An organisation must, where possible, allow an individual the opportunity to deal with the organisation without having to identify themselves to the organisation.

9. Transborder Data Flows – An organisation may only transfer personal information to a recipient outside Australia if the recipient is subject to a law, binding scheme or contract that protects the information to a standard substantially similar to the NPPs, if the individual consents to the transfer, or if another exception in NPP 9 applies.

10. Sensitive Information – Sensitive information cannot be collected except where an individual has specifically consented, where it is required by law or where it is necessary for public health or individual safety. For reference, “sensitive information” includes information or an opinion about an individual’s:
a. racial or ethnic origin; or
b. political opinions; or
c. membership of a political association; or
d. religious beliefs or affiliations; or
e. philosophical beliefs; or
f. membership of a professional or trade association; or
g. membership of a trade union; or
h. sexual preferences or practices; or
i. criminal record; or
j. personal information about an individual’s health or genetic matters.

If you are collecting personal information about your customers you may need to ensure that you are acting in compliance with the National Privacy Principles. If you are unsure about your obligations under these rules, we encourage you to contact our office to discuss your concerns.

Nautilus can help you ensure compliance with the National Privacy Principles through the provision of a Privacy Policy tailored to suit your business and its uses of personal information. Privacy Policies are not only required by NPP 5; they help instil confidence in customers of your business, as they are able to identify how their personal information will be used when they make it available to you. More and more individuals are being educated about the risks associated with providing personal information online, so it is important that your business has policies in place to address any concerns that your customers may have before they engage with your business.

We welcome you to contact our team on (07) 5574 3560 or email us at info@nautiluslaw.com.au. Thank you for considering Nautilus Law Group.

Submitted by:  Katrina E. Brown BA JD ATIA TEP SSA