What's the Big Deal About Privacy?

13th July 2020

Highlights

  • Michelle Cowan, Senior Associate, Active Law, talks about the essentials of privacy for your tech organisation.

With the reported prevalence of computer hacking and scams in the media, it is timely that we pause to think about what privacy is, why it matters and how you as an ICT professional may be able to add value to your client relationships by understanding how their privacy obligations interact with the services you deliver.

What is Privacy?

The concept of private information means different things to different people depending on their age, experiences, work and position. From a legal perspective, privacy is a common point of contention. For that reason, substantial law has developed, and continues to develop, to clarify and regulate private information. 

The term ‘Privacy Law’ means the laws that deal with the regulation, storage, and use of personally identifiable information, personal healthcare information, and financial information of individuals, that can be collected by governments, public or private organisations, or other individuals. It also applies in the private sector to things like trade secrets and the liability that directors, officers, and employees have when handling sensitive information. 

The Law and Privacy

In Australia, both State and Federal jurisdictions have a range of legislative provisions that define, control and protect personal information. A breach of privacy can result in criminal charges, civil suits, employment sanctions, professional sanctions and penalties for breaching the relevant laws, so getting it right is very important. 

‘Personal information’ is defined by the Privacy Act 1988 (Cth) (Privacy Act) as:

“information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.”

The Privacy Act protects the privacy of individuals with regards to how Australian Government agencies and organisations, with an annual turnover of more than $3 million, handle their personal information. In addition, regardless of turnover, the Privacy Act covers any business that is:

  • a health service provider;
  • trading in personal information;
  • a contractor that provides services under a Commonwealth contract;
  • an operator of a residential tenancy database;
  • a credit reporting body;
  • a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006;
  • employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009;
  • a business that conducts protection action ballots;
  • related to a business the Privacy Act covers;
  • a business prescribed by the Privacy Regulation 2013; and
  • a business that has opted in to be covered by the Privacy Act.

Those organisations will need to comply with the 13 Australian Privacy Principles (APPs) in order to collect, hold, use and disclose information about people in a responsible manner. For organisations handling sensitive information, the obligations and risks are higher.

If you have never looked at the APPs, it could be worth taking some time to review them and put them into practical context. This will help you understand what sorts of issues your clients may need to address through their IT systems, and where you may be able to help small organisations better understand those issues so they can establish the correct IT framework to comply with their privacy obligations.

Sensitive information

Sensitive information, including health information, attracts additional privacy protections compared to other types of personal information. Examples of health information include:

  • information about an individual’s physical or mental health;
  • notes of an individual’s symptoms or diagnosis and the treatment given;
  • specialist reports and test results;
  • appointment and billing details;
  • prescriptions and other pharmaceutical purchases;
  • dental records;
  • records held by a fitness club about an individual;
  • information about an individual’s suitability for a job if it reveals information about the individual’s health;
  • an individual’s healthcare identifier when it is collected to provide a health service;
  • any other personal information (such as information about an individual’s date of birth, gender, race, sexuality, religion), collected for the purpose of providing a health service.

Helping your clients to get it right

Many Australian businesses and residents are discovering that the cost savings and convenience of dealing with overseas organisations can result in costly outcomes when they face a privacy breach. As people become more alert to the risks of privacy breaches, the IT sector may find their clients asking questions they had not thought to ask before. 

For organisations in the healthcare sector in particular, which deal with large volumes of sensitive information, the challenges of complying with their privacy obligations can be daunting.

When you are advising clients, particularly small ones, consider how you can add value to your commercial relationship by using your expertise to help them identify and manage potential risks. Keep in mind that your clients need to understand that if they are covered by the APPs, they will need a privacy policy that is easily accessible and addresses the requirements of APP 1.

They will also need to be able to explain where and how private information is managed if they ever have to notify people that their privacy has been breached through the organisation. This means the organisation needs to understand where information is held (including whether it is stored in the cloud); what contracts are in place between the organisation and the storage provider; which country’s laws apply to that relationship; and what recourse they have (if any) if that third party experiences a breach.

We have recently seen the Australian government recommend that information be retained on shore to better protect it. As a result, small organisations will be looking for guidance and support about how they can better protect the private information of their clients. 

Managing privacy is so intrinsically linked to ICT that ICT professionals have an opportunity to build a professional brand on providing strategic services that make sure the system does all the things the client needs it to do, even if the clients don’t realise what those things are. 

This is general information only. The information provided is not and is not intended to be, legal or other professional advice, nor should it be relied upon as such. You should seek legal or professional advice in relation to your specific situation. If you or your clients need advice about privacy, the Active Law team can assist. They can be contacted at reception@activelaw.com.au or on 07 3160 0000.

Active Law is ACS Queensland’s Preferred Legal Partner. Active Law offer ACS Queensland members a 10% discount on legal services up to the value of $2,000 and a 5% discount thereafter.