HOW DO THE AMENDMENTS TO THE PRIVACY ACT 1988 (CTH) AFFECT YOUR RELATIONSHIP WITH POTENTIALITY?

Introduction

As of 21 December 2001, “organisations” have to comply with the National Privacy Principles (“Principles”) contained in the Privacy Act 1988 (Cth) (“Act”), or in some circumstances, an industry specific privacy code (“Code”). We note that Codes will have to provide at least as much protection to consumers as the Principles.

(Privacy Act: http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/ )

Does the Act apply to Potentiality? YES
1. Potentiality is an “organisation”
The Act applies to “organisations”, that is, generally all entities other than “small business operators”. An entity is generally considered to be a “small business operator” if it has an annual turnover of $3,000,000.00 or less.
However, entities that provide a “benefit, service or advantage” to third parties to collect “personal information” (see point 2 below) about another person from that third party are excluded from the definition of “small business operator”.
Accordingly, Potentiality will be considered to be an “organisation”, and is therefore caught by the Act, because in many cases it provides a benefit to schools who give it “personal information” concerning their members (“Members”).

2. What is “personal information?”
“Personal information” is defined under the Act generally to mean, amongst other things, information about an individual whose identity is apparent, or can reasonably be ascertained from, that information. Potentiality deals with the “personal information” of the Members.

3. Is Potentiality governed by the Principles or a Code?
Potentiality is currently governed by the Principles rather than a Code.

Does the Act apply to Schools? YES
1. Schools generally are “organisations”
The Act will generally apply to schools. Schools (like Potentiality) are considered to be “organisations” under the Act. Schools will not be considered to be “small business operators”, because they will be considered either to provide a benefit, service or advantage to third parties to collect “personal information” (see above), or, perhaps more clearly, to “disclose personal information about another individual to anyone else for a benefit, service or advantage” (another exclusion from the definition of “small business operator”).

2. Is the School governed by the Principles or a Code?
You will be governed by one or the other. If you are not sure which, you should contact the Department of Education, Employment and Training ( http://www.deet.vic.gov.au ).

National Privacy Principles

If you require a copy of the Principles, Potentiality would be pleased to provide you with one. For your convenience, we set out below a summary of the Principles most relevant to your relationship with Potentiality.

(For a full list of the National Privacy Principles, please follow the link: http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/sch3.html )

We have received advice from our lawyers that neither you nor Potentiality will breach the Principles or any other provision of the Act through your relationship with Potentiality. If you are interested in a more detailed analysis, we would be happy to provide you with one.

1. Principle #1 Collection
An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.
An organisation must collect personal information by lawful and fair means and not in an unreasonably intrusive way.
When an organisation collects personal information of an individual, it must take steps to ensure that the individual knows the circumstances of the collection.

2. Principle #2 Use and disclosure
An organisation must not use or disclose personal information about an individual in circumstances differing from the primary purpose of collection (a “Secondary Purpose”), unless the individual has consented to the Secondary Purpose, or the Secondary Purpose is similar to the primary purpose, and the individual would reasonably expect the organisation to use or disclose the information for that Secondary Purpose.

3. Principle #4 Data security
An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

4. Principle #5 Openness
An organisation must set out in a document clearly expressed policies relating to its management of personal information.

5. Principle #6 Access and correction
Organisations must generally provide individuals with access to their personal information.

6. Principle #9 Transborder data flows
An organisation may transfer personal information about an individual to someone in a foreign country only if the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds the Principles, or the organisation has obtained the individual’s consent.

7. Principle #10 Sensitive information
An organisation must not collect sensitive information about an individual without their consent. Sensitive information is defined to mean, amongst other things, information relating to race, political opinion, religion, sexual preferences or criminal record, which identifies that individual.

If you have any further questions or concerns in relation to the Principles or your relationship with Potentiality, please do not hesitate to discuss them with us. Further information can be found at http://www.privacy.gov.au/publications/npps01.html

