Are you aware of your obligations under the Privacy Act and the Australian Privacy Principles (APPs)? Does your business have appropriate processes to manage the handling of personal information?

This week is Privacy Awareness Week. As an official partner of the Office of the Australian Information Commissioner’s privacy awareness campaign, Cooper Grace Ward will be publishing a series of articles that relate to:

  • how your business can collect personal information;
  • how your business can engage in direct marketing;
  • how your business should handle requests to access and correct personal information;
  • the importance of a social media policy; and
  • how your business can organise internal privacy awareness and training.

Collecting personal information

Under APP 3, your business can only collect personal information if it is reasonably necessary for one or more of your business’ functions or activities. However, if that personal information is sensitive information, your business generally cannot collect it unless the individual has consented to the collection.

The term ‘collection’ is broad and encompasses gathering, acquiring or obtaining information from any number of sources, including:

  • the individual themselves;
  • other businesses;
  • public documents;
  • surveillance cameras; and
  • online web browsing tools such as cookies, embedded scripts, and device identifiers.

What is reasonably necessary for your business functions and activities?

There are many reasons why your business may seek to collect personal information. For example, collection of personal information may allow your business to:

  • inform customers about new products or services;
  • advertise and promote surveys and competitions;
  • complete customer transactions; and
  • respond to customer complaints and other inquiries.

As a general rule, the collection of personal information will be ‘reasonably necessary’ if your business cannot perform effectively or pursue business functions and activities without collecting that personal information.

Before collecting personal information for use in a function or activity, it is always worth considering whether a reasonable alternative exists.

What is sensitive information?

Sensitive information includes information about an individual’s:

  • health;
  • racial or ethnic origin;
  • political opinions or membership of a political association;
  • religious beliefs or affiliations;
  • membership of a professional or trade association or trade union;
  • sexual orientation or practices; or
  • criminal record.

If your business seeks to collect any sensitive information about an individual then, in most cases, the individual’s consent must be obtained before the collection.

Notification of collection

Under APP 5, your business is also required to notify the individual about the collection as soon as practicable after the personal information is collected.

Matters that should be notified to the individual can include:

  • the identity and contact details of your business;
  • the purposes for which the personal information has been collected;
  • whether the business will disclose personal information to a third party or to overseas recipients;
  • the consequences for the individual if the personal information is not collected; and
  • that your privacy policy contains information about how the individual may access personal information and complain about a breach of the APPs.

Your business can notify individuals of the collection of their information by incorporating a privacy notification statement that outlines all of the mandatory matters into application forms, client agreements, terms of trade or at the point of sale.

Why does it matter?

Failure to comply with the APPs may lead to penalties of up to $1.7 million (for corporations) and up to $340,000 (for individuals) if they seriously or repeatedly interfere with a person’s privacy.