Australian legislation recognises 13 official Australian Privacy Principles (“APPs”) which must be complied with by any company with an annual turnover of more than $3 million in the past financial year. Failure to honour those principles will attract serious penalties. Under the legislation, Personal Information (or PI as the jargonistas call it) is defined as any information or opinion (including information or opinion on a database), whether true or not, and whether recorded in a material form or not, about any person whose identity is apparent from, or can reasonably be ascertained from, the information or opinion.

Any business to which the APPs apply must have an up-to-date privacy policy (the APPs were introduced in March 2014) that is published free of charge and in an appropriate form (for example, by publishing it on the business’ website).

The prescribed matters the privacy policy must address include:

  • the kind of personal information that is collected and held;
  • how that personal information is collected and held;
  • the purposes for which the information is collected, held, used and disclosed;
  • how somebody may access and, if necessary, correct the information;
  • how somebody can complain about the use of the information; and
  • whether the information is likely to be disclosed to overseas recipients, and if so, the countries in which such recipients are likely to be located.

If a business collects a government-related identifier of its customers or staff, such as a Medicare number or Tax File number, it is not permitted to use that identifier as its own identifier unless that is expressly required by law, or it is reasonably justifiable to do so. Where government-related identifiers are collected, they may not be stored unless a very good reason to do so can be demonstrated. For example, it is OK for a business to store its staff’s Tax File numbers for taxation purposes, but that doesn’t entitle it to store a customer’s Tax File number.

Of course, that’s just the tip of the iceberg, and today more than ever before, Corporate Australia needs to educate itself on Privacy. With computer fraud and identity theft the new news of the 21st century, both businesses and individuals need to know precisely where their rights and obligations start and finish.