The Privacy Act
The Privacy Act 1988 was introduced to protect the privacy of individuals and regulate how their personal information is handled. This includes the collection, use, storage and disclosure of personal information in both the federal public and private sectors.
The Act was substantially amended in 2014, when the 13 Australian Privacy Principles (APPs) replaced the earlier separate public-sector and private-sector principles, and again in 2017, when the Notifiable Data Breaches scheme was added. The APPs apply to ‘APP entities’: Australian Government agencies and private-sector organisations with an annual turnover greater than $3 million, together with certain smaller businesses (listed below under the NDB scheme).
Australian Privacy Principle 11 deals specifically with the security of personal information. It requires an APP entity to ‘take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances’, in practice once the information is no longer needed for any purpose for which it may be used or disclosed under the APPs and there is no legal requirement to retain it.
What is Personal Information?
Under section 6(1) of the Privacy Act, personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether it is recorded in a material form or not. Personal information may include:
◊ An individual’s name, address, signature, phone number or date of birth
◊ Employee record information
◊ Internet protocol (IP) addresses and location information from a mobile device, where they can reasonably be linked to an identifiable individual
The Office of the Australian Information Commissioner (OAIC) has published a Guide to securing personal information, and it refers to this guide when assessing whether an entity has met its security obligations under APP 11. Australian Privacy Principle 3 governs the collection of solicited personal information (APP 4 deals with unsolicited personal information), and both principles impose stricter conditions, including a consent requirement under APP 3, on the collection and handling of an individual’s sensitive information such as health, biometric or genetic data.
Section 13G of the Privacy Act 1988, under the heading “Serious and repeated interferences with privacy”, provides:
“…an entity contravenes this subsection if:
- the entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual; or
- the entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.”
Civil penalty for a contravention: 2,000 penalty units.
The dollar value of a penalty unit is set by the Crimes Act 1914 and has been raised several times, including by the Crimes Legislation Amendment (Serious Drugs, Identity Crime and Other Measures) Act 2012. At $222 per penalty unit, and with a body corporate liable for up to five times the penalty that applies to an individual, the maximum penalty for ‘serious and repeated interferences with privacy’ is:
- $2.22 million for government agencies and private organisations
- $444,000 for individuals
Notifiable Data Breaches Scheme
The Notifiable Data Breaches (NDB) scheme was added to the Privacy Act 1988 by the Privacy Amendment (Notifiable Data Breaches) Act 2017 and commenced on 22 February 2018. It raises the level of responsibility an organisation has for securing the personal information of its staff, stakeholders and customers. Under the scheme, any organisation or agency covered by the Privacy Act 1988 must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when it experiences an ‘eligible data breach’: unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to one or more individuals, and which the entity has not been able to prevent through remedial action. An entity that only suspects such a breach must carry out a reasonable and expeditious assessment, within 30 days, to decide whether notification is required.
Personal information is an important asset to any organisation and must be protected. It is essential that your business or organisation has a privacy framework in place, and that the framework includes a data breach response plan. Should a breach occur, you will need to contain it, assess the likely harm, notify the affected individuals and the OAIC where the scheme requires it, and review what allowed the breach to happen. The consequences of a mishandled breach under the NDB scheme can run to millions of dollars in penalties.
Who does the NDB apply to?
The NDB scheme applies to any agency, organisation or entity that is covered by the Privacy Act 1988 (Cth). Businesses, organisations and entities with a turnover of $3 million or more in any financial year since 2001 are covered. The following entities are also captured under the scheme, regardless of their turnover:
- Health service providers
- Credit reporting bodies
- Entities related to an APP entity
- Entities that trade in personal information
- Employee associations registered under the Fair Work (Registered Organisations) Act 2009
- Entities that ‘opt in’ to APP coverage under the Privacy Act.
Regardless of what personal information you store, it is essential to maintain a strong defence against cybercrime and to have procedures in place for storing information securely and destroying or de-identifying it when it is no longer needed.
The GDPR
The GDPR is the European Union’s General Data Protection Regulation. Some Australian businesses covered by the Australian Privacy Act 1988 may also need to comply with the GDPR if they:
- have an establishment in the EU, or
- offer goods or services to, or monitor the behaviour of, individuals within the EU (whether or not the business itself is located in the EU).
The GDPR applies to ‘personal data’, meaning any information relating to an identified or identifiable natural person, which overlaps substantially with the Australian Privacy Act. Our current law (section 6(1) of the Privacy Act) already governs the use and protection of ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’.
According to the Office of the Australian Information Commissioner, three main categories of infringement attract the GDPR’s highest tier of administrative fine (under Article 83(5), up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher):
- Not adhering to the basic principles for processing, including the conditions for consent, in Articles 5, 6, 7 and 9
- Not adhering to the data subjects’ rights under Articles 12 to 22
- Not adhering to the requirements relating to the transfer of personal data to a recipient in a third country or an international organisation, under Articles 44 to 49.