VCE IT Lecture Notes by Mark Kelly, McKinnon Secondary College

Privacy Legislation



Privacy Blunders

http://blogs.zdnet.com/projectfailures/?p=603&tag=rbxccnbzd1
http://blogs.zdnet.com/projectfailures/?p=687
http://blogs.zdnet.com/projectfailures/?p=491&tag=rbxccnbzd1

(Links last checked 16 Feb 10)

For other legislation - see the Copyright page


How old and embarrassing matters can persevere online even after they're supposed to have been forgiven or forgotten.

A funny but disturbing Flash movie about privacy in the future when ordering a pizza.


SAMPLE PRIVACY STATEMENT
from a local council library, in a double-sided colour A4 leaflet


Because so much information is gathered, stored and communicated by electronic means, there has been a great deal of discussion about protecting the individual's right to privacy. Governments have created new laws to ensure that all organisations - government and private - protect the data they collect from individuals from deliberate and accidental disclosure. Also some laws now restrict these organisations from using private details in ways that were considered legitimate in past years.

There are several laws relating to the collection and use of information, including:

  • The Privacy Act 1988 (now incorporating the old Privacy Amendment (Private Sector) Act 2000)
  • The Information Privacy Act 2000 (Victoria)
  • The Health Records Act 2001 (Victoria)
  • The Copyright Act 1968 (now incorporating the old Copyright Amendment (Digital Agenda) Act 2000)


What is 'personal information' about a person?

  • name
  • address
  • age
  • sex
  • shopping habits
  • your living arrangements, partners, children etc
  • personal opinions

Note: 'personal information' does not include records held by an employer about an employee, so employment records are exempt from legislation, even if they hold health information.

What is 'sensitive information' about a person?

  • racial or ethnic origin
  • political opinions
  • membership of a political association
  • religious beliefs or affiliations
  • philosophical beliefs
  • membership of a professional or trade association or trade union
  • sexual preferences or practices
  • criminal record.

What is 'health information' about a person?

  • medical history
  • current medical condition and treatments
  • dental records
  • genetic information
  • notes and opinions of health service provider (e.g. doctor, psychiatrist)

National Privacy Principles

1. Collection
An organisation should only collect personal information that is necessary for one or more of its functions and activities.

2. Use and Disclosure
An organisation must not use or disclose information about an individual for any purpose other than the one for which the information was collected (a "secondary purpose"), except in the limited cases specified in the Act.

3. Data Quality
An organisation must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date.

4. Data Security
An organisation must take reasonable steps to ensure that the personal information that it collects is protected from misuse such as unauthorised access, modification or disclosure, or loss.

5. Openness
An organisation must set out in a document a clearly expressed policy on its management of personal information and make this document available to anyone who asks for it.

6. Access and Correction
If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual.

7. Identifiers
An organisation cannot adopt an identifier that it did not generate itself, such as a Tax File Number or Medicare number, as its own means of identifying an individual or company. The exception to this is the Australian Business Number (ABN).

8. Anonymity
Where it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

9. Transborder data flow
An organisation in Australia or an external Territory may not transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country without the consent of the individual.

10. Sensitive Information
An organisation must not collect sensitive information about an individual unless the individual has consented, or the law requires the collection.

The various Australian states have their own laws regarding the use and management of information by their own state government agencies. The provisions of these state laws are basically the same as those of the Commonwealth Privacy Act, but they have a different area of jurisdiction.

The Privacy Act, 1988

(includes the 2000 Private Sector Act)

Commonwealth – affects Commonwealth government departments and now also large private sector ("non-government") organisations.

This Act sets out 'information privacy principles' - regulations for the handling of personal information by federal government, ACT government agencies, and private companies. Under this Act, people have the right to see and correct personal information held by public sector agencies.

Which organisations are subject to the Privacy Act?

  • Commonwealth government departments and ACT government agencies
  • private orgs with turnover over $3m per year*, or
  • any sized private organisation that holds health information, such as medical practices, pharmacies and health clubs (note: this does not include organisations that only store health info in employee records), or
  • any sized private organisation that buys or sells personal information for profit, or
  • any sized private organisation that is contracted to provide a service to the Commonwealth

*Note: in 2001 98.9% of businesses turned over less than $3 million.

Key effects:

  • Companies can't pass on personal info to other people without approval.
  • People can access info about themselves and correct any errors.
  • Organisations must set up policies on email use and inform employees about them, especially if their emails are being monitored by management.
  • Individuals can opt out of a database.
  • Complaints about organisations' use of information can be directed to the Privacy Commissioner.

This act aims to give people greater control over the way information about them is handled in the private sector.

VICTORIAN STATE LAWS

Information Privacy Act 2000 (Vic)

The Information Privacy Act 2000 establishes a regime for the responsible collection and handling of personal information in the Victorian public service sector (i.e. government departments). It also applies to organisations providing services funded by government departments.

The Information Privacy Act 2000 seeks to ensure the responsible collection and handling of personal information in the Victorian public sector.

The Act covers all personal information that identifies or could be used to identify an individual other than health information.

The Act will come into effect from 1 September 2001 and compliance with the legislation is required by 1 September 2002.

This legislation will cover the Victorian Public Sector and organisations providing services funded by government departments.

The key features of the Act are that:

  • The Information Privacy Principles align closely with the Principles in the Federal Privacy Amendment (Private Sector) Act;
  • The Victorian Privacy Commissioner has powers to address complaints;
  • Provisions exist for Codes of Practice relating to particular organisations or issues, to be approved by the Victorian Privacy Commissioner;
  • Strong compliance provisions will exist.

Health Records Act 2001 (Vic)

The Health Records Act establishes privacy standards for the handling of all health information and the operation of all health services.

Health services are health, mental health, disability, aged care or palliative care services.

The Act will give individuals a conditional right of access to their own health information that is contained in records held in the private sector.

The Act applies to all Victorian businesses (profit and non-profit, public and private sector) and everyone handling health information.

The Act also allows well-managed and de-identified health information (information that cannot be linked to a particular individual) to be used for planning and research.


SUMMARY

Organisations must ensure that all their staff obey the laws regarding the acquisition and use of data and information. New laws, and amendments to existing laws, are regularly passed in parliament.

Ironically, I have a feeling this discussion is based on an article someone else wrote. Unfortunately I can't remember who. If it's you, apologies, and thanks.


Created February 18, 2003

Last changed: February 18, 2011 9:18 AM

VCE IT Lecture notes copyright © Mark Kelly 2001-