Under Australian privacy laws all government departments and certain businesses and organisations must comply with strict legal requirements when handling and storing personal, sensitive and health information. Failure to comply could result in up to $10 million in fines.
Who is bound by Privacy Laws?
The following organisations are bound by Australian Privacy Principles (APPs) and the Privacy Act:
- All Government departments (State, Territory and Federal);
- Organisations with an annual turnover of more than $3 million (including not-for-profits, incorporated associations and charities);
- Organisations that provide health services (although the health service does not need to be the primary activity). These include:
  - Private hospitals, day surgeries, medical practitioners, pharmacies and health professional offices;
  - Naturopaths, physiotherapists and chiropractors;
  - Gyms and weight loss clinics;
  - Childcare centres, private schools, private tertiary education institutions;
- Organisations that disclose personal information about an individual to a third party for a benefit, service or advantage;
- Organisations that collect personal information from a third party for a benefit, service or advantage;
- Credit reporting bodies;
- Organisations that are contracted as service providers under a Commonwealth Government contract;
- Any organisation that is related to a body corporate that meets the above criteria;
- Organisations that voluntarily opt into the Privacy Act.
Some exemptions apply, including but not limited to: political parties, journalism and certain requirements regarding dealing with employee records.
What do you need to know?
If your organisation falls into one of the above-mentioned categories then you will need to comply with the APPs, which set out the minimum legal standard for protecting the privacy of a person’s personal, sensitive and health information.
Some key points of the APPs are summarised as follows:
- Personal information must be collected directly from the person it belongs to, unless it is impossible to do so.
- If an organisation receives unsolicited information it must consider whether the information was collected lawfully.
- Organisations must notify a person at or before the time of collection of personal information. This usually requires a collection statement to be included in any forms or other materials given to the person.
- A person should be informed about the purposes for which their personal information will be used.
- An organisation cannot use or disclose personal information for a purpose other than the one for which it was collected, unless consent has been provided. For example, organisations should not use personal information for marketing purposes unless consent has been provided.
- An organisation must provide an individual with access to their personal information, if requested.
There are higher levels of protection under the Privacy Act for the collection of sensitive and health information, and this information should not be collected unless the individual has provided express consent.
To ensure internal compliance, organisations should have privacy protection procedures in place and conduct a privacy audit to determine if they are legally collecting, using, storing and disclosing personal, sensitive or health information.
Organisations should also consider reviewing any commercial contracts for privacy law impacts and/or obligations, especially for any Government contracts.
If you would like to know more about your privacy obligations or require assistance with conducting a privacy audit, please contact us on 89416355 to book an appointment or contact the writer at firstname.lastname@example.org.