LEGAL CLINIC: Untangling privacy amendments

On December 21, 2000,the Privacy Amendments (Private Sector) Act 2000 received Royal Assent. This Act extends the existing Commonwealth privacy legislation to the private sector. What this means is all businesses with a turnover greater than $3 million, or which sell any customer information or maintain sensitive information such as health information must comply with 10 national privacy principles. These principles govern the way businesses collect, maintain, use and disclose that information. It also gives people whose information is kept by a company the right to access that information, restrict its use and ensure it is correct.

Significantly, the Act does not by default apply to small businesses (turnover less than $3 million) other than those dealing in personal information. There is however, a growing expectation by the public that all companies will safeguard their personal information. For that reason, it would be good practice for all organisations, including small businesses to comply, at least in principle, with the Act.

The Act will come into force in two stages. After December 21, the Act will apply to all businesses with a turnover greater than $3 million. One year later, the Act will extend further to businesses with a turnover less than $3 million that either sell any information to third parties or collect information on behalf of third parties, as well as those businesses who maintain "sensitive" information.

Organisations covered by the Act must either comply with the new privacy principles (see breakout box) or with a privacy code approved by the Privacy Commissioner.

The most important thing business operators should be doing at present, regardless of whether the privacy legislation will apply to them, is looking at how personal information is collected and managed within their organisation. It would be prudent to implement policies to fit within the national privacy principles.

The main activities an organisation should undertake when preparing for the new privacy regime include:o Conducting an audit on what personal information is currently being collected.o Changing collection processes (and databases where appropriate) to ensure only relevant data is collected and there is a record of all necessary permissions for the use of that data.o Establishing appropriate controls for access to and use of information.o Drafting and publishing a privacy policy document which should be made available to the public both via the organisation's Web site and on request.o Implementing training to staff involved in the collection of information to ensure awareness of the Act.

The grace period provided by the government for the implementation of this legislation recognises the time and expense necessary to implement information controls. There is still plenty of time for organisations to get their houses in order prior to the legislation coming into effect. It would be a good idea to start sooner rather than later to avoid any last minute rush to comply.

If you require further information regarding the national privacy principles and what you should be doing, you can either contact our offices or the Office of the Federal Privacy Commissioner or visit their Web site at

Privacy a matter of principle

The national privacy principles go into significant detail as to how organisations can collect and use personal information and the rights of individuals. For most businesses they can be summarised as follows:

1. You can only collect information necessary for legitimate business purposes.

2. With some exceptions (including reasonable direct marketing), you can only use information for the purpose for which it was collected.

3. You must inform people of information collected about them and give them the right to correct that information.

4. You must protect the information and keep it current.

5. You must have written policies available to the public that state how you use and manage personal information.

6. You must not collect sensitive information; such as race, membership of organisations, sexual preferences, religious and or philosophical beliefs or criminal records without the consent of the individual.

7. You must allow people to transact business with you anonymously unless this is not permitted by law.

8. You must not use any government or official identifiers such as tax file numbers in the collection of information.

Colin Goldrick is a solicitor and industry advisor with Griffith Hack Lawyers, contact him on