Legislation and the Privacy Code
The Privacy Amendment (Private Sector) Act 2000 will come into effect on December 21 2001 and will amend the Privacy Act 1988 so that provisions in relation to the use, collection, disclosure and handling of personal information will apply to the private sector. The amendments will affect many organizations that have not previously been regulated in relation to personal information privacy. Some organizations will be exempted from complying with the provisions, including small businesses (defined as having a revenue of less than $3 million per year), media organizations and political organizations. Organizations can elect to be bound by a privacy code that has been approved by the privacy commissioner.
This process of code development and approval is familiar to members of the telecommunications industry that are already regulated in this area.
The ACA Code
One code that has already been developed is the Australian Communications Industry Forum (ACIF) code, known as the Protection of Personal Information of Customers of Telecommunications Providers.
This code was developed and released in December 1999 by the ACIF for voluntary application. It was also registered with the Australian Communications Authority (ACA) on May 1 2000. According to Section 136 of the Telecommunications Act 1997, once a code is registered by the ACA it effectively regulates certain sections of the telecommunications industry (including carriers, content service providers and carriage service providers - according to Section 121 of the act).
The code was drawn from the National Principles for the Fair Handling of Personal Information reissued by the privacy commissioner in January 1999 after consultation with business groups. These principles were later developed into the National Privacy Principles (NPPs), which constitute Schedule 3 of the Privacy Act amendments. In its explanatory statement to the code the ACIF noted that it was drafted with the intention of complying with the then proposed legislative scheme, which would be introduced by the federal government based on the privacy commissioner's national principles.
The code was also drafted to complement provisions in Part 13 of the Telecommunications Act 1997 under which the use and disclosure of the content of communications and any person's personal affairs or particulars is limited. Breaches of certain provisions in Part 13 are punishable by terms of imprisonment. (Prosecutions under Part 13 will not preclude a complaint by an individual under the Privacy Act amendments, for interference with privacy, from being heard.)
Legislation and the Privacy Code
If a person in the telecommunications industry is not complying with an applicable code, the ACA may give written notice directing the person to comply. If the person still does not comply, proceedings may be initiated in the Federal Court for a civil penalty breach of the Telecommunications Act. A civil penalty for a breach may be a fine of up to $250,000 (or $50,000 for individuals).
Under the Privacy Act amendments the privacy commissioner must approve a privacy code developed by an industry before that code can apply to the industry. If an organization is not bound by a privacy code (ie, a privacy code is not registered with the privacy commissioner) it must still comply with the NPPs.
Industry codes approved by the privacy commissioner under the Privacy Act may include a complaints handling mechanism. Under the amendments an individual whose privacy has been breached may make a complaint to the privacy commissioner. The privacy commissioner (or relevant code adjudicator) may make a judgment of whether a breach has occurred, which will be enforceable in the Federal Court or the Federal Magistrates Court. The commissioner may also award compensation to a complainant by way of damages.
The Privacy Amendment (Private Sector) Act 2000 will also amend provisions in the Telecommunications Act 1997 in relation to industry codes. Under the amendments the ACA will be required to consult the privacy commissioner:
- when considering whether to register a code that deals with personal information privacy;
- before issuing a direction to a person that it must comply with a registered code that deals with personal information privacy; and
- before issuing a formal warning to a person who contravenes a registered industry code.
These provisions are necessary because a privacy code that regulates the telecommunications industry could be registered with both the ACA and the privacy commissioner. Hopefully, the consultation required between the ACA and the privacy commissioner will result in codes that are, if not identical, then at least similar enough so that the telecommunications industry will know with which provisions it is required to comply.
If an ACA code is not also registered with the privacy commissioner, then the telecommunications industry will have to abide by the NPPs in order to comply with the amended Privacy Act 1988. Having an industry code under the Telecommunications Act 1997 that includes the NPPs will be a step in the right direction. The ACIF began that journey when it used the privacy commissioner's national principles to draft the current ACA code.
Members of the telecommunications industry that have already been complying with the current ACA code should be satisfied that they are ready for the effective date of the amendments of the Privacy Act and are ahead of the rest of this previously unregulated private sector.
For further information on this topic please contact Jane Fogarty at Blake Dawson Waldron by telephone (+61 2 9258 6000) or by fax (+61 2 9258 6999) or by e-mail ([email protected]).