The below article from 23 July 2014 has been provided by Dan Brush and Alison Cairns, CBP Lawyers.
In brief - Councils will need to comply with privacy policies of businesses that share their collected data with councils
Recent changes to national privacy laws imposed new requirements on the collection and management of personal information in Australia. These laws do not directly apply to councils, but they do apply to most of the businesses that councils deal with on a day-to-day basis. To the extent that those businesses share their collected data with councils, the new privacy requirements will impact councils.
Australian Privacy Principles and personal information
The new privacy laws impose obligations on how "personal information" can be collected, managed and transferred in Australia. These obligations are set out in the Australian Privacy Principles (APPs).
Personal information is defined to be any information or opinion about an identified person, or a person who is reasonably identifiable from that information or opinion. Common examples are: a person's name, address, telephone number, date of birth, medical records and bank account details.
What does this mean for local councils?
The new privacy laws do not directly apply to local governments (although state or territory privacy laws with similar provisions may apply).
The new privacy laws created new civil penalties (not applicable to councils) and can be expected to move privacy compliance up the risk management agenda of many businesses.
Councils will need to demonstrate compliance with APPs
The privacy policies of Australian businesses now commonly include a commitment to ensuring that third party recipients of personal information from the business handle that information in accordance with the privacy laws.
This means that at a practical level, local governments may face increasing pressure from their suppliers and contractors to demonstrate compliance with the APPs. APP requirements potentially relevant to local governments include:
- personal information must not be collected unless it is reasonably necessary for a function or activity of the organisation
- personal information may only be used or disclosed for the purpose for which it was collected
- generally, personal information must not be used for direct marketing unless the person concerned has consented to that or has a reasonable expectation of it
- personal information must not be disclosed overseas, unless the disclosing organisation has taken reasonable steps to ensure that the overseas recipient handles the information in accordance with the APPs
- organisations must take reasonable steps to protect the personal information they hold from interference, misuse, loss, and unauthorised access, modification or disclosure
- organisations must, at an individual's request, give that person access to the personal information the organisation holds about him or her
- organisations must take reasonable steps to correct personal information to ensure it is accurate, up to date, complete, relevant and not misleading
© 2014. Copyright in this material is retained by the authors.
A licence to publish in this format has been granted to Legalwise Seminars Pty Ltd. Apart from any fair dealing for the purposes of private study, research, criticism or review, as permitted under the Copyright Act 1968, no part of these materials may be reproduced by any process without written permission of the author.
The statements, analyses, opinions and conclusions in these materials are those of the author and not of Legalwise Seminars Pty Ltd which acts only in the capacity as convenor of educational courses.
No part of any paper can be regarded as legal advice. Although all care has been taken in preparing all papers, readers must not alter their position or refrain from doing so in reliance on any paper. Neither the author nor Legalwise Seminars Pty Ltd accept or undertake any duty of care relating to any part of any paper.
All enquiries should be directed to Legalwise Seminars Pty Ltd.
Legalwise Seminars Pty Ltd (ABN 40 049 329 749) (ACN 102 742 843)