Overview of Privacy Law in Australia

Insights | 10 Mar 2017

The handling of personal information in Australia is governed by legislation at both a federal and state/territory level.

At a federal level, the Privacy Act 1988 (Cth) (Privacy Act) governs the way in which business entities and federal government agencies must handle personal information, largely through the 13 Australian Privacy Principles (APPs) set out within the Privacy Act.

‘Personal information’ is defined by the Privacy Act as:

State and territory government agencies must comply with the relevant state or territory based privacy legislation.

Entities handling personal information in Australia must also be aware of their obligations under:

  • health records legislation (in Victoria, New South Wales and the Australian Capital Territory) (further explained in section 12 below)
  • state and federal surveillance legislation (further explained in section 13 below), which governs the way in which individuals can and cannot be monitored through video surveillance, geographical tracking, data/computer surveillance and/or listening devices (including, in some jurisdictions, within the workplace) and
  • federal legislation that governs email marketing and telemarketing, such as the Spam Act 2003 (Cth) and Do Not Call Register Act 2006 (Cth).

Who must comply with the Privacy Act?

The Privacy Act imposes obligations on ‘APP entities’.

An APP entity is, generally speaking:

  • an agency (which largely refers to a federal government entity and/or office holder) or
  • an organisation (which includes an individual, body corporate, partnership, unincorporated association, or trust).

An APP entity does not include:

  • a ‘small business operator’ (subject to the exceptions below), which is an operator of a business with an annual turnover of less than $3 million
  • a registered political party or
  • a state or territory authority.

However, a small business operator will be deemed to be an APP entity, and therefore required to comply with the Privacy Act if they:

  • operate another business with a turnover of $3 million or more
  • provide a health service or otherwise hold health information (other than in an employee record)
  • disclose, or collect, personal information about another individual for a benefit, service or advantage
  • are a contracted service provider for a Commonwealth contract or
  • are a credit reporting body.

Obligations under the Privacy Act

The key features of the Privacy Act include:

  • the 13 APPs, which are the principles that govern the way in which personal information is to be collected, used, disclosed and stored. We have included a summary of the APPs in section 4 below. The full text of the APPs can be viewed on the Australian Information Commissioner’s website.
  • the credit reporting provisions of the Privacy Act (further explained in section 10 below), which govern the way in which credit-related personal information is to be collected, used, disclosed and stored. These provisions will be particularly relevant to entities that are credit providers (or agents of credit providers), credit reporting bodies, or that otherwise handle or deal in credit-related personal information and
  • the obligation to comply with an ‘APP code’, which is a written code of practice usually specific to a particular entity or industry. In particular, there is a Credit Reporting Code (CR Code) which imposes on entities handling credit information additional obligations to those set out in the credit reporting provisions of the Privacy Act.

Accordingly, APP entities must be aware of the full scope of the obligations imposed upon them according to the nature of their business activities.

The Australian Privacy Principles

APP 1: Open and transparent management of personal information

APP 2: Anonymity and pseudonymity

APP 3: Collection of solicited personal information

APP 4: Dealing with unsolicited personal information

APP 5: Notification of the collection of personal information

APP 6: Use or disclosure of personal information

APP 7: Direct marketing

APP 8: Cross-border disclosure of personal information

APP 9: Adoption, use or disclosure of government related identifiers

APP 10: Quality of personal information

APP 11: Security of personal information

APP 12: Access to personal information

APP 13: Correction of personal information

Sensitive information

The Privacy Act generally affords a higher level of protection to ‘sensitive information’, given that mishandling it can generally have a more detrimental impact on the relevant individual.

‘Sensitive information’ is defined under the Privacy Act and includes information about an individual’s racial or ethnic origin, political opinions, professional or political or religious affiliations or memberships, sexual orientation or practices, criminal record, health, genetics and/or biometrics.

As an example, APP 3, which deals with the collection of solicited personal information, prohibits (with some exceptions) the collection of sensitive information unless the individual to whom it relates consents to the collection and the information is reasonably necessary for the collecting entity’s functions or activities.

The collection of non-sensitive information is otherwise generally permitted where it is reasonably necessary for the collecting entity’s legitimate functions or activities.

Extra-territorial application of the Privacy Act

An entity operating outside Australia will still have obligations under the Privacy Act if the entity has ‘an Australian link’. An entity will have an Australian link for the purposes of the Privacy Act if, generally speaking, the entity was formed in Australia, has its central management and control in Australia, or is otherwise carrying on a business and collects or holds personal information in Australia.

This expands the reach of the Privacy Act to overseas entities, or Australian subsidiaries of overseas entities, who are engaging in business-related acts within Australia, even if the business is otherwise predominantly conducted outside of Australia.

The Australian Information Commissioner has also pointed to specific indicators that an entity is carrying on a business within Australia, including where an entity has an agent or agents within Australia, websites offering goods or services to Australia, purchase orders being actioned within Australia, or personal information being collected from a person who is physically in Australia.

Penalties for breaching the Privacy Act

If an APP entity is found to have engaged in a serious, or repeated, interference with an individual’s privacy, the APP entity may face penalties of up to:

  • $1.8 million for corporate bodies and/or
  • $360,000 for non-corporate bodies (including government departments/agencies, sole-traders, partnerships, trusts, unincorporated associations).

An APP entity will interfere with an individual’s privacy if (among other things) it:

  • breaches an APP
  • breaches an APP code that is binding on the relevant entity (noting that the Australian Information Commissioner may impose an APP code on a particular organisation or industry)
  • breaches the credit reporting provisions of the Privacy Act
  • breaches the CR Code
  • breaches a provision of a Commonwealth contract for which it is to provide services and/or
  • handles a tax file number contrary to the Tax File Rule (which has been issued by the Australian Information Commissioner pursuant to the Privacy Act).

Exempt acts: the employee records exemptions

Employee information is, generally speaking, excluded from the ambit of the Privacy Act.

Specifically, where an employer engages in an act or a practice that is directly related to:

  • a current or former employment relationship between the employer and an individual and
  • an ‘employee record’ held by the employer relating to the individual

the act or practice will not be covered by, and therefore need not comply with, the Privacy Act.

An ‘employee record’ refers to a record of personal information relating to the employment of the employee. This includes, but is not limited to, health information about the employee and/or personal information about discipline, resignation, termination, terms of employment, personal contact details, wages or salary, performance or conduct, periods of leave and/or memberships of professional bodies.

Accordingly, employers need not comply with the Privacy Act and the APPs to the extent they are dealing with an employee record in a manner that is directly related to the employment relationship.

This does not mean, however, that employers can handle personal information about their employees with general disregard. Where the personal information does not fall within the employee records exemption (i.e. the personal information is not an employee record or the employer’s act or practice is unrelated to the employment relationship), compliance with the Privacy Act will be required.

Specifically, compliance with the Privacy Act is required with respect to:

  • personal information about prospective employees (unless and until they are employed by the employer)
  • personal information about contractors, company officers, volunteers and/or work experience students and/or
  • personal information contained in, and obtained from, personal emails or other IT/phone use, which does not directly relate to the employee’s employment.

Additionally, employee information is likely to be subject to common law obligations of confidentiality and, in some states, health records legislation.

The employee records exemption has also been marked for possible repeal in the future, which would result in employers having to handle employee information in accordance with the Privacy Act.

Credit reporting provisions and the CR Code

The credit reporting provisions of the Privacy Act and the CR Code set out the ways in which entities are to handle credit-related personal information.

The credit reporting provisions of the Privacy Act are long and complex and impose obligations and prohibitions on credit reporting bodies and credit providers (and agents of credit providers).

An entity captured by the credit reporting provisions is required to take steps (often in addition to those set out in the APPs) to ensure compliance with the Privacy Act. Such obligations include, in some circumstances, acting with the express consent of the individual to whom the information relates. Additionally, specific obligations will depend on the type of information being handled. For example, a credit provider can only access and use information about an individual’s history of debt repayments if the credit provider is a ‘licensee’ under the National Consumer Credit Protection Act 2009 (Cth).

Mandatory breach notifications

On or before 22 February 2018, APP entities will also be required to notify the Australian Information Commissioner, and affected individuals, if the APP entity experiences a data breach that is likely to cause an individual serious harm. This obligation is designed to enable affected individuals to take steps to protect themselves.

Handling health information

The Privacy Act includes health information within its definition of ‘sensitive information’. Health information is therefore afforded a higher standard of protection.

Additionally, both private and public sector entities need to be aware of obligations that may arise under state-based legislation, including:

  • Health Records and Information Privacy Act 2002 (NSW)
  • Health Records Act 2001 (Vic) and
  • Health Records (Privacy and Access) Act 1997 (ACT).

These laws also impose obligations on employers in Victoria and the ACT when handling health information about their employees. While health records law in NSW contains an employee records exemption for private sector employers, such employers may nevertheless be bound by the NSW legislation if the health information is unrelated to their employment.

Health and other sensitive information will also be subject to common law principles of confidentiality.

Surveillance

The use of surveillance and/or listening devices is governed by both state/territory and federal legislation. Obligations in relation to surveillance will depend on the type of device (e.g. computer and/or video surveillance, geographical tracking and/or the use of listening devices), the nature and purpose of the surveillance, the specific activity being observed/recorded including whether it is occurring in the workplace or not and, in some cases, whether it occurs in the private or public sector.

While each jurisdiction differs, generally speaking, the use of surveillance and/or listening often requires consent and/or notification. However, exceptions may apply, including where the use of such a device is necessary to protect a party’s lawful interests, for an enforcement-related purpose, and/or is in the public interest. Specific obligations may also be impacted by whether the person using the surveillance or listening device is a party to the activity/conversation and whether the activity/conversation is private or in a private space.

Hall & Wilcox is well placed to advise on privacy law compliance and any other issues arising from the handling of personal information.
