HCi Journal
The Privacy Act

We've noticed that a lot of our clients are struggling to come to terms with the changes to the Privacy Act. This special edition of the HCi Journal is designed to give you a little background about the Act and how it affects you.

The Privacy Act has actually been around since 1988, but until 2001 it did not affect businesses or charities. The original version of the Act was mainly about the privacy of information held by Government departments and by other organisations such as credit reporting agencies. The private sector amendments, which take effect from 21 December 2001, extend the Act to commercial organisations outside banking and finance. The new version of the Act is actually an implementation of a set of guidelines put out by the Organisation for Economic Co-operation and Development (OECD). Other countries that have implemented these guidelines in the form of national laws include:
More countries will inevitably follow suit, so that eventually we'll effectively be looking at an international law, much like the copyright convention.

Which organisations are affected?

The Act will be brought into force in stages. The first stage takes effect on 21 December 2001 and affects only larger businesses and charities, plus all health service providers. Some of the smaller organisations that escape the initial implementation will be caught on 21 December 2002, when the Act comes into force for all organisations that buy or sell personal information, and for smaller subsidiaries of large organisations.

What is the Act about?

The Act applies to personal information. Personal information has to be about an identifiable individual or individuals. For example, a list of names, addresses, salaries and tax payments is personal information. But the same list with the names and addresses removed is not. It's not personal unless one or more people can be identified from it.

The information can be facts, such as your age or gender. Or it can be opinions, such as whether a salesperson thinks you're likely to buy. The source of the information doesn't matter. If a company writes down its opinion about a customer, or if it collects another company's records or opinions, it's still personal information and still caught by the Act.

But if the information is in the public domain (for example, your name, address and phone number already in the White Pages) then it's not treated as personal. Even if this public domain information is mixed with other data (for example a company's estimate of the net worth of individuals in your suburb) it's still not personal.

There's a special type of personal information called 'sensitive' information. This is generally the kind of information that you're not allowed to use in deciding whether to employ someone: things like racial or ethnic origin, political opinions, religious beliefs, sexual preferences, criminal record and health information. The Act makes a distinction between personal and sensitive information, and they have to be treated slightly differently.
Exclusions

Some things are specifically excluded from the Act. For example, employee records, or records of former employees, are excluded, including reference checks, annual reviews and so on. The New Zealand law covers word of mouth, that is, information that isn't written down but is just in someone's head. The Australian law excludes this: if it's not recorded in some way, the Act doesn't apply to it. Journalists and politicians get an exemption, and so does work done for the Government. There's also an exception for household use, such as your private diary.

Structure of the Act

The Act is particularly complicated because it has been modified so many times since it was introduced. The new commercial privacy requirements have been "bolted on" to an existing piece of legislation, and the whole thing now runs to more than 240 pages.

The existing Act covers the actions of Government, and of some organisations operating in the finance and credit area. As part of that coverage there is a set of requirements in the Act called the "Information Privacy Principles". These are the actual guts of the legislation as it applies to Government departments. The Information Privacy Principles are easily confused with the National Privacy Principles, also contained in the Act, which apply to businesses and charities.

The Act works through a person called the Privacy Commissioner, who had authority under the original Act but has taken on additional responsibilities under the amended Act.

There are two ways in which organisations can comply with the Act. They can either do nothing, and be bound by the National Privacy Principles, or they can formally apply to be bound by a Privacy Code. Privacy Codes have to be approved by the Privacy Commissioner and must impose requirements at least equivalent to the National Privacy Principles, but they can have some modifications, such as a mechanism for adjudication by an industry body.

Enforcement

The Privacy Commissioner has teeth.
Anyone can complain to the Commissioner that they've been mistreated under the Act, and there can also be class actions. The Privacy Commissioner doesn't even need a complaint, but can instigate an investigation on their own initiative. After an investigation, the Commissioner can decide that compensation should be paid. This can include costs for the person making the complaint, and can include an amount for hurt feelings or humiliation. The Act does not place a limit on the amount. The Commissioner can call on the Federal Court system to enforce these decisions.

Risks

Organisations that don't comply with the Act in their collection, storage or use of personal information face major commercial and public relations risks. It is imperative that all organisations assess their risk in relation to the Act and take appropriate action as soon as possible. The Act applies to many kinds of uses that organisations have previously considered benign, and to information that you may not previously have considered to be 'personal'.

Implementation

We have developed two tools to help organisations comply with the Act:
To help our clients comply, we are offering a fixed-price Privacy Act implementation which includes:
If you would like to know more about this service, please contact us immediately: there has been a sudden rush of interest in the Act.

This article may be reproduced only with the permission of HCi. Copyright HCi, 2001.

HCi has formed a new consulting arm called Realisation. See the Realisation site for further information.