Privacy law update - how is your business affected?



Since the commencement of the federal privacy legislation, applying to private businesses from 21 December 2001, there have been a number of developments.



Some important aspects affecting privacy law in Australia are noted below - under federal and Victorian law.

Federal law

Extracts from the federal Privacy Commission's web site are set out below.

21 December 2002 an important date for some small businesses

From 21 December 2002 some small businesses with an annual turnover of $3m or less will be covered by the Privacy Act.

Does your small business need to comply with the Privacy Act?

Is your small business:

  • a health service provider?
  • trading in personal information?
  • related to a larger business? or
  • a contractor to Commonwealth agencies?

If so, it may need to comply with the Privacy Act. Information Sheet 12 gives more information about coverage of the Privacy Act.

The majority of small businesses that do need to comply with the Privacy Act should find the requirements straightforward and not difficult or expensive to manage.

Small businesses covered by the Act will need to review how they handle personal information, including how they collect, use and disclose personal information and how they keep it secure.

In practical terms complying with the Privacy Act is likely to mean:

  • telling people you collect personal information and what you will do with it;
  • only using personal information about people in ways that they might expect;
  • not passing personal information on without telling people;
  • giving people the chance to see any information you hold about them if they ask;
  • keeping personal information safe; and
  • if people ask, telling them how you handle personal information in your small business.

These obligations are set out in the National Privacy Principles. As well, the Privacy Act exempts employment records where information about employees is only used for employment purposes.

If employee information is the only personal information held then there are probably no obligations under the Privacy Act.

Small businesses can choose to be covered by the Privacy Act

A small business not covered for any other reason can opt-in or choose to have the business covered by the Privacy Act. Businesses opting to be covered by the Privacy Act are making a public commitment to good privacy practice. This has the business benefit of assuring current and prospective customers that the business is accountable for the way it handles their personal information. Businesses may also opt-in, if they are not sure if the Privacy Act applies, to be certain about their obligations.

Since the beginning of the year a number of small businesses have decided to voluntarily comply with the new Act, ahead of the December 2002 deadline.

Privacy is Good for Business

Building trust with clients and improving the bottom line is what compliance with the changed Privacy Act can do for small businesses.

Respect for personal information as the most important factor in customer service, ahead of quality of product, price and efficiency. Getting privacy right is good business.

Malcolm Crompton, Federal Privacy Commissioner

General privacy information

- issued by federal Privacy Commission

Access to publicly available information

'The federal Privacy Act does not prevent organisations from using the white pages or other public sources of information, rather it is intended to make the collection more transparent to the community at large,' said Timothy Pilgrim, Deputy Privacy Commissioner, in response to a press release put out by the Fundraising Institute Australia.

'There appears to be some misunderstanding of how the Privacy Act applies in these circumstances. The Privacy Act already requires organisations to collect personal information fairly and to tell people how their information is being used and how to contact the organisations that hold their information,' said Mr Pilgrim.

'The Privacy Commissioner has issued a consultation paper to seek views from industry and the community about what is fair and reasonable in circumstances where information is collected from publicly available sources.'

'There is a high level of public concern about how sources such as the Australian Electoral Roll and the White Pages are used by organisations. For example, our research shows that 70% of respondents feel that the electoral roll should not be accessed for marketing purposes,' said Mr Pilgrim.

'Fundraisers and marketers are currently making extensive use of these information sources. It is not clear, however, that people fully understand that sometimes, when they provide their personal information for inclusion in a public list for a specific purpose, it could be used for other purposes. There may well be a range of uses that are within public and business expectations, but public debate is needed in order to strike the appropriate balance,' said Mr Pilgrim.

The Privacy Commissioner issued a discussion paper at the end of June 2002 to aid discussion and suggest approaches to achieve the right balance.

The paper is available at the Public Consultation section of the Commission's website.

Helpful list

Privacy Commissioners and other regulators handling privacy complaints - Australia

Privacy Commissioners - overseas

Victorian Government information

Commonwealth Government information

Privacy news and journals

Australian non-government privacy interest groups

Overseas non-government privacy interest groups


Victorian health legislation seems to have the same purpose and aim as federal legislation - but extends to cover public health entities in Victoria.

Health Records Act 2001 (Vic)


The purpose of this Act is to promote fair and responsible handling of health information by -

  1. protecting the privacy of an individual's health information that is held in the public and private sectors; and
  2. providing individuals with a right of access to their health information; and
  3. providing an accessible framework for the resolution of complaints regarding the handling of health information.

Objects of Act

The objects of this Act are -

  1. to require responsible handling of health information in the public and private sectors;
  2. to balance the public interest in protecting the privacy of health information with the public interest in the legitimate use of that information;
  3. to enhance the ability of individuals to be informed about their health care or disability services;
  4. to promote the provision of quality health services, disability services and aged care services.

The law imposes obligations on business in relation to the collection, handling, retrieval and disposal of 'health information', and applies to all persons or organisations that handle or collect health information, regardless of size or turnover.

The Victorian legislation is designed to bring Victorian government agencies and organisations, plus local councils, under a privacy regime. NSW did a similar thing in relation to public health government and related agencies.

The federal legislation relates to the private sector and to federal and ACT government agencies, but not to State government bodies.

The point of all the legislation is essentially the same - to protect individuals' privacy.

Victorian Information Privacy Act 2000

The Victorian Information Privacy Act 2000 set new standards for the way Victorian government organisations, statutory bodies and local councils collect and handle personal information. Non-government organisations that work for government under contract may also be covered, depending on the contract.

The Information Privacy Act came into full effect on 1 September 2002.

What is 'personal information'?

'Personal information' means recorded information or opinion, whether true or not, about an identifiable individual. Personal information can be almost any information linked to an individual, including name, address, sex, age, financial details, marital status, education, criminal record or employment history.

The Information Privacy Principles cover:

  1. Collection
  2. Use and disclosure
  3. Data quality
  4. Data security
  5. Openness
  6. Access and correction
  7. Unique identifiers
  8. Anonymity
  9. Transborder data flows
  10. Sensitive information

The Privacy Commissioner has the power to serve a compliance notice on an organisation. Failure to comply with such a notice is an offence, carrying a $60,000 penalty, or a $300,000 penalty for a body corporate.

Need help? - Privacy toolkit CD

WorkplaceInfo has produced a privacy compliance toolkit. The WorkplaceInfo Privacy Toolkit CD is interactive, allowing businesses to critically assess their situation within the privacy legislative framework, understand what the law means to them and customise documentation to produce privacy procedures and policy. For more information and an order form, email or call WorkplaceInfo on 1800 620 391.

