Focus: Privacy – December 2002
Small businesses join privacy party
In brief: Important Commonwealth private sector privacy laws, which will impose new obligations on small businesses, commence on 21 December 2002. Lawyer Damien van der Toorn examines which small businesses will be covered, how they are likely to be affected, and what they should be doing to comply.
- Which businesses will be affected?
- What will it mean for these businesses?
- What steps should small businesses be taking to comply?
- General private sector developments
The Privacy Act 1988 (Cth) currently regulates the way that large businesses (those with an annual turnover of more than $3 million) and health service providers (regardless of their size) deal with personal information. Small businesses that will be required to comply with the Privacy Act were given an extra 12 months to prepare for the changes.
From 21 December 2002, some small businesses will be caught. The types of small businesses affected are:
- Small businesses that trade in personal information – where a business collects or discloses an individual's personal information for a 'benefit, service or advantage' (ie income, financial concessions, subsidies or other return). One example is buying or selling a mailing list.
- Small businesses related to a larger business – where a business is a holding company, or a subsidiary of, or otherwise related to, another company that is a larger business.
- Small businesses that are Commonwealth contractors – where a small business is providing services to Commonwealth agencies under contract or sub-contract (although the new provisions will apply only to services related to the performance of the contract, not in relation to other business activities).
If a small business falls within one or more of these categories, it must comply with existing provisions in the Privacy Act that apply to the private sector. These provisions protect the way organisations handle the personal information of individuals. Personal information is information or an opinion that identifies an individual or allows their identity to be readily determined from that information.
Organisations are required to comply with either a privacy code approved by the Federal Privacy Commissioner or the 10 National Privacy Principles (NPPs) in collecting, using and disclosing personal information.
Breaches of these principles can lead to complaints and investigations by the Privacy Commissioner. Remedies for a breach may include an apology, a change in practice, or financial compensation. However, the main damage to a business is likely to be to its reputation and loss of consumer confidence, particularly where the breach is reported in the media. In addition, if a business makes statements about the way privacy will be protected and then does not follow through on them, the Federal Trade Practices Act may be breached, allowing the ACCC to step in.
Small businesses that fall within the new provisions should be taking active steps to comply with the new laws. In particular, proprietors should develop a privacy plan that may include the following steps (as recommended by the Privacy Commissioner):
- appointing a person who is responsible for privacy;
- understanding and becoming familiar with obligations under the NPPs;
- looking at how personal information is currently handled, and planning any changes required by the NPPs;
- developing a complaints-handling process and keeping a record of how those complaints are handled; and
- ensuring staff understand the privacy obligations and observe the principles in dealing with customers.
Several other privacy issues have arisen recently:
Due diligence – Many businesses have expressed concern about the difficulty of complying with NPPs in handling personal information during due diligence processes (the process that potential buyers of a business use to assess the value of their prospective purchase). This can involve the collection of large volumes of personal information including employee, customer, trading partner and business associate information, as well as marketing files.
Bundled consents – The Privacy Commissioner has stated that bundled consents are against the 'spirit of the Privacy Act' and that tougher laws may be instituted to prevent this practice. Organisations are required to seek consent of individuals to use their personal information for certain purposes. A bundled consent asks individuals to consent to broad use of their information for wide purposes, often as a term or condition of providing a product or service. This can mean that people feel compelled to hand over their information without understanding exactly how it will be used.
New state privacy Acts – The Health Records Act 2001 has commenced in Victoria. The Act regulates the collection and handling of health information by establishing health privacy principles that bind most organisations in both the public and private health sector (including small businesses). (For more information, see our overview of the Act.) The Health Records and Information Privacy Act 2002 has also been passed in New South Wales, though the provisions will not commence for another 12 months. The Act protects the handling of health information of individuals, whether that information is held by the public or private sectors. It will also allow individuals to access their health information and provide for an accessible complaints mechanism.
Privacy in human genetic information – The Australian Law Reform Commission has recently reported on important issues regarding privacy protection for human genetic information. The report discusses how privacy should be regulated in this area. Organisations that handle human genetic information are advised to read our summary of the proposed changes.
Tracey Harrip, Partner
Ph: +61 7 3334 3215