Summary

Since the introduction of the new Australian Privacy Principles (APPs), there has been speculation as to which sector might be the first to have its privacy practices assessed by the Privacy Commissioner. Industries such as sport, health and banking were each considered likely candidates for a test case of the new requirements.

Last week, the Office of the Australian Information Commissioner (OAIC) answered that question when it published a report of its assessment into the privacy practices of a health services provider.

The report provides a helpful guide for organisations in a wide variety of industries to understand their privacy requirements, and how the OAIC will look to apply the new Australian Privacy Principles. The report's recommendations provide a useful yardstick for organisations to measure against when reviewing their own privacy practices.

Which APPs were assessed?

Calvary Hospital, a private sector organisation which provides health, aged and community care, was considered an ideal candidate for assessment by the OAIC and the Department of Health. In particular, the assessment was designed to review Calvary's privacy policies to ensure compliance with the requirements of APP 1 and APP 5.

  • APP 1 requires organisations to handle personal information in an open and transparent manner.
  • APP 5 sets out matters that an organisation has to inform individuals about at the time of, or as soon as practicable after, the collection of their personal information.

APP 1 and APP 5 are two principles relevant to all organisations that handle personal information.

OAIC's Guidelines

The OAIC has released a set of guidelines for organisations to consider when drafting their privacy policies. In assessing Calvary, the OAIC used these guidelines as its measure, evaluating Calvary's policies, including draft collection notices, privacy brochures, and the online privacy resources available on its website.

The message for business is that organisations that adopt practices in line with the OAIC guidelines will, for the most part, be compliant with their privacy requirements. The tricky part is that the OAIC has indicated that simply relying on the guidelines alone may not ensure total compliance. All businesses are different, and organisations need to apply the guidelines to their specific situation.

What are the take home lessons?

APP 1 compliance

As set out above, APP 1 requires that organisations handle personal information in an open and transparent manner. Generally, this requirement can be complied with by adopting and implementing a privacy policy.

The guidelines list a number of matters to consider when drafting a compliant privacy policy, including:

  • whether the organisation's policy is easy to understand;
  • whether it is specific and tailored to its business;
  • whether it covers the types of information collected; and
  • how the information is held and disclosed.

The OAIC's guideline in relation to APP 1 is available here.

The OAIC has stressed, however, that the checklist alone will not ensure compliance, and that there are other mandatory matters that must be included in an organisation's privacy policy, such as:

  • the type of personal information collected and held by the organisation;
  • how the organisation collects and holds personal information;
  • the purposes for which personal information is collected, held, used and disclosed;
  • how an individual may access their personal information and seek its correction;
  • how an individual may complain if the entity breaches privacy requirements; and
  • whether the entity is likely to disclose personal information to overseas recipients.

APP 1: Tips from Calvary

As to lessons learnt from the OAIC's review into Calvary's compliance with APP 1, the following tips should be noted:

  • Where an organisation is part of a group or structure, the policy must indicate whether it applies to the whole group or to individual businesses within the group. By way of example, if there are differences in the way in which different parts of the group handle personal information, separate policies should be used. Where a central policy is used, the organisation needs to be mindful of how the APPs apply to each business in the group, and of other jurisdictional or legislative issues;
  • The OAIC has expressed concern about the use of 'bundled' consent, particularly in relation to direct marketing. Bundled consent is where consent for direct marketing is combined with other consent relating to the personal information. Where a business bundles consent, a risk is created that the consent is not 'voluntary'. If information obtained via a bundled consent is going to be used for direct marketing purposes, this should be expressly stated in the privacy policy;
  • The privacy policy should be cross-referenced with other organisational documents, pamphlets or brochures regarding privacy, whether hard-copy or electronic;
  • The OAIC is keen to ensure that privacy policies are easily accessible to the public, and a link at the bottom of a website home page is a commonly used and acceptable practice;
  • Organisations should indicate whether or not personal information will be disclosed overseas. If no overseas disclosures will be made, it should be specified that this is the case. Also, where an organisation collects a variety of information of which some is collected under legislation, the organisation's privacy policy should indicate which information is collected under legislation and which is not; and
  • Under APP 2, an organisation should have processes in place to deal with individuals on an anonymous basis, unless it is impractical to do so. The OAIC prefers organisations to specify in their privacy policy, as far as possible, those situations where anonymous collection of information would be impractical.

APP 5 compliance

APP 5 requires an organisation that collects personal information about an individual to take reasonable steps either to notify the individual of certain matters, or to ensure the individual is aware of those matters, either at the time of collection or as soon as practicable thereafter.

The OAIC's guideline in relation to APP 5 is available here.

The OAIC has indicated that "reasonable steps" is tied to the sensitivity of the personal information. In short, the more sensitive the information, the more onerous the steps the organisation will need to take to provide notification of the matters in APP 5. For organisations in the health services industry, it is possible that much of the information they collect will be considered 'sensitive information'.

APP 5: Tips from Calvary

As to lessons learnt from the OAIC's review into Calvary's compliance with APP 5, the following tips should be noted:

  • Organisations in a group structure must clearly and consistently specify which business is collecting the personal information;
  • Organisations should identify the differences between how the personal information collected will be used, and how it may be disclosed;
  • Ideally, methods of contact (phone, email) should be fixed, such that they will not change with staff turnover;
  • If information is to be disclosed overseas, this must be indicated, as well as how and why such disclosures occur; and
  • The full privacy policy should be referenced in the collection notice (if hard copy), or linked (if electronic).

Conclusion

Although the APPs represent a 'principles-based approach' to privacy regulation in Australia, the clear indication from the OAIC is that businesses are obliged to comply with certain mandatory matters. Should things go awry, organisations that can demonstrate OAIC requirements have been implemented into their business practices will be viewed more favourably than those companies that haven't yet turned their mind to privacy matters.

The OAIC has not yet flexed its muscles and tested its expanded powers to ensure privacy compliance in most industries, and certainly no business wants to be that test case.