1
Managing Risks Associated With Privacy
Alison Baker - Senior Associate, Hall & Wilcox
24 November 2006
819234.3
2
IMPORTANT: This is not advice. Readers should not act solely on the basis of the material contained in this presentation. Items herein are general comments only and do not constitute or convey advice. Also, changes in legislation may occur quickly. We therefore recommend that our formal advice be sought before acting in any of the areas covered in this presentation.
Alison Baker (03) 9603 3568
E-mail: alison.baker@hallandwilcox.com.au
3
Overview
  • The Privacy Act 1988 (Cth)
  • The 10 National Privacy Principles (the NPPs)
  • Privacy Codes
  • Employee Records Exemption
  • Consequences for non-compliance with the Privacy
    Act 1988 (Cth)

4
The Privacy Act 1988
  • Most private sector organisations required to
    comply with 10 National Privacy Principles when
    collecting, using and disclosing personal
    information

5
The Privacy Act 1988
  • Organisation means
    • individual
    • body corporate
    • partnership
    • unincorporated association
    • trust

6
The Privacy Act 1988
  • Small business operator with an annual turnover
    of $3 million or less excluded unless it
    • provides a health service and holds health
      records
    • trades in personal information
    • is a related body corporate of an organisation
      that is not a small business operator

7
Personal Information
  • Personal information means
    • ...information or an opinion (including
      information or an opinion forming part of a
      database) whether true or not, and whether
      recorded in a material form or not, about an
      individual whose identity is apparent, or can
      reasonably be ascertained, from the information
      or opinion.

8
The National Privacy Principles (the NPPs)
  • The NPPs regulate the handling of personal
    information by organisations by regulating
    • collection
    • use
    • disclosure
    • security

9
NPP1 Collection
  • Collection must be essential to the organisation's
    functions or activities
  • Individuals must be aware of
    • the identity of the organisation
    • their ability to access that information
    • the main purpose for collection
    • the consequences of not providing the information

10
NPP2 Use and Disclosure
  • Primary purpose
  • Secondary purpose only if
    • related to primary purpose and individual would
      expect use or disclosure
    • individual has consented
    • direct marketing (subject to criteria being met)
    • research or statistical analysis for public
      health or safety
    • to lessen or prevent a serious and imminent
      threat to life, health or safety
    • to investigate, report or prevent unlawful
      activity
    • authorised by law or court order

11
NPP1 & NPP2 in Practice - Contractors
  • Organisations may contract out aspects of their
    business to contractors
  • Can involve contractors handling personal
    information
  • The contract should clearly state how the
    contractor is to collect, use, disclose and keep
    secure personal information

12
NPP3 Data Quality
  • Accurate
  • Complete
  • Up-to-date

13
NPP4 Data Security
  • Protection from
    • loss
    • misuse
    • unauthorised access, modification or disclosure
  • Destroy or de-identify when no longer needed

14
NPP1 & NPP4 in Practice - Due Diligence
  • Organisations must comply with the NPPs when
    selling or buying a business
  • Some due diligence protocols to follow
    • The vendor should only disclose information that
      is necessary for the prospective purchaser to
      carry out due diligence investigations
    • The prospective purchaser should only inspect and
      not collect documents containing personal
      information
    • The number of people who have access to the
      personal information should be restricted
    • The prospective purchaser should return or
      destroy personal information after due diligence
      is completed

15
NPP5 Openness
  • Privacy Policy
    • Clearly expresses policies and procedures
    • Available upon request
    • Meets requirements under the Privacy Act

16
NPP6 Access and Correction
  • Individuals can access their personal information
  • Individuals can correct their personal
    information
  • Third party access to an individual's personal
    information only permissible on the individual's
    request or with consent

17
NPP7 Identifiers
  • Government / Agency identifiers
    • e.g. Tax file number
  • Prohibition on unnecessary disclosure

18
NPP8 Anonymity
  • Provide option of remaining anonymous where
    reasonable and practicable

19
NPP9 Transborder Data Flows
  • Overseas transfer of personal information for use
    or disclosure prohibited unless certain criteria
    met

20
NPP10 Sensitive Information
  • Sensitive Information means
    • information or an opinion about an individual's
      • racial or ethnic origin
      • political opinion
      • membership of a political association
      • religious beliefs or affiliations
      • philosophical beliefs

21
NPP10 Sensitive Information cont...
      • membership of a profession or trade association
      • membership of a trade union
      • sexual preferences or practices
      • criminal record
    • health information about an individual

22
Privacy Code
  • Application and approval by Privacy Commissioner
  • Meets requirements under the Privacy Act
  • Benefits and disadvantages

23
Employee Records Exemption
  • Privacy Act does not apply
    • to an act or practice engaged in by an
      organisation that is, or was, an employer of an
      individual and
    • that is directly related to
      • a current or former employment relationship
        between the organisation and the individual and
      • an employee record held by the organisation
        relating to the individual

24
Employee Records Exemption
  • Employee Record includes information about
    • health of an employee
    • employee's engagement, training, disciplining or
      resignation
    • employee's termination
    • employee's performance or conduct
    • employee's hours of work
    • employee's salary or wages
    • employee's trade union membership

25
Workplace Relations Regulations 2006
  • Employers have record keeping and disclosure
    obligations
  • Records must identify
    • the instrument that covers the employee
    • the employee's remuneration
    • the employee's starting and finishing times and
      total number of hours worked
    • the accrual and balance of annual, personal or
      other forms of leave
    • the amount of superannuation contributions that
      were paid and the fund to which the
      superannuation contributions were paid
    • if the employee's employment is terminated,
      details of the termination.

26
Workplace Relations Regulations 2006
  • Employers must retain employee records for seven
    years
  • Records must be made available for inspection by
    employee to whom the record relates and workplace
    inspectors

27
Employee Records Exemption and Recruitment
  • Unsuccessful candidates are not in an employment
    relationship
  • Unsuccessful candidates can access personal
    information collected, used or disclosed about
    them
  • Notes about unsuccessful candidates can have
    legal implications
  • Notes about unsuccessful candidates should be
    based on objective, bias-free methods

28
Unsuccessful Candidates
  • Destroy or de-identify personal information held
    about unsuccessful candidates
  • Inform unsuccessful candidates in writing of the
    destruction of their personal information
  • Obtain consent of unsuccessful candidates to
    retain their personal information
  • Inform unsuccessful candidates that they can
    access or change their personal information or
    withdraw consent at any time

29
Consequence of Non-Compliance
  • Complaint to Privacy Commissioner
  • Investigation of complaint
  • Conciliation of complaint
  • Possible award of damages
  • Privacy Commissioner awards / determinations
    enforced through the Federal Court of Australia or
    the Federal Magistrates Court of Australia

30
  • Questions?
  • Alison Baker (03) 9603 3568
    E-mail: alison.baker@hallandwilcox.com.au