Decision casts doubt on what constitutes ‘reasonable steps’ to inform an individual that their personal information has been collected.
National Privacy Principles (NPP) 1.3 and 1.5 require an organisation that is collecting personal information about an individual to take “reasonable steps” to ensure that the individual is aware of certain information.
The Privacy Commissioner has provided extensive guidance on what constitues “reasonable steps”.
Importantly, for organisations seeking a practical and cost-effective approach to the implementation of NPP 1.3 and 1.5, the Privacy Commissioner has said:
- Determining what is reasonable involves balancing a number of factors, including the cost to the organisation in providing the information.
- If it is unreasonable to give a detailed notice at the time of collection it may be reasonable to give brief general information about the purpose of collection at that time along with advice about where more comprehensive information can be obtained later, such as on a website.
- In some circumstances it may be reasonable to take no or limited steps to ensure awareness of the relevant information.
The recent decision in SF v Shoalhaven City Council  NSWADT 94 would cause some concern to organisations that have relied on these statements by the Commissioner in determining what are reasonable steps to make the NPP 1.3 and 1.5 information available.
In this case Shoalhaven City Council installed Closed Circuit Television Cameras (CCTV) in Nowra CBD. There were signs indicating the presence of CCTV camera coverage in the area. The signs also contained the Council logo and a contact phone number for anyone wishing to contact the Council for further information.
One of the issues considered in the case was whether the Council had complied with section 10 of the Privacy and Personal Information Protection Act 1998 (the Act) which is the equivalent of NPP 1.3.
The judicial member held that although the signage provided by the Council was sufficient to inform individuals that the cameras were in operation and, by implication, that personal information was being collected it was not sufficient to inform individuals of all of the information required by section 10. Further, the fact that an individual might take steps to inform themselves of the information did not relieve the Council of the need to comply with section 10 of the Act.
The implication from the judgement was that the signs should have contained all of the information required by section 10 of the Act.
The judicial member did not discuss whether what the Council had done constituted taking “reasonable steps”. In particular the member did not consider the cost to the Council in erecting signs containing all of the required information or whether, as suggested by the Privacy Commissioner, it was appropriate to provide limited information at the time of collection with advice about where more comprehensive information could be obtained.
How will this decision affect organisations?
In our opinion a court may reach a different conclusion than the tribunal in this case. However as the Privacy Commissioner was involved in this decision, organisations should take it into consideration in determining the risk associated with not providing individuals with all of the information required by NPP 1.3 or 1.5 at the time of collecting their personal information. This issue will become even more significant from 12 March 2014, when the new Australian Privacy Principles will prescribe a larger range of privacy-related details and potentially impose even more onerous notification obligations.