Introduction

The Privacy Act 1988 (Cth) controls the disclosure, use and handling of personal information about individuals by business, government and a range of non-profit entities. It does not restrict the use and passage of information by individuals about each other, or the receipt of information. There is no law against ordinary conversations.

​

The Act revolves around the Australian Privacy Principles (APP’s) which are made operational by a few key sections. Both government and private entities must adhere to the one set of 13 principles. The definitions tell us what sort of entities are caught by the Act. They are called organisations. Excluded are small businesses with a turnover of less that $3 million per annum. However an exception to the exclusion is made for small businesses that disclose personal information about another individual to anyone else for payment. That means private investigators.

​

The Office of the Australian Information Commissioner (OAIC) administers the Act and handles all complaints of breaches. There are a range of alternative dispute resolution mechanisms available, and matters only proceed to court if very serious. The OAIC can take legal action of its own accord. The opinions expressed here are all derived from official guidance notes from the OAIC, but the application to the investigations industry forms part of a two year long study into this and related areas of law.

​

Key Definitions

Collect

An organisation is said to collect personal information only if it gathers, acquires or obtains the information for inclusion in a record or generally available publication. If the information is not recorded then collection has not occurred.

​

De-identify

To de-identify information is to take any record of personal information and remove or alter details so that the individual it is about can no longer be identified. This includes not only names, but information from which the individual can be identified.

​

Organisation

An organisation is a private entity. An organisation can be any of the following:

• an individual (including a sole trader)

• a body corporate

• a partnership

• any other unincorporated association, or

• a trust

The reference to ‘an individual (including a sole trader)’ is about people doing business in their individual capacity. There is no law against gossip and casual chatter!

Exclusion

Excluded from the definition of Organisation are ‘small businesses operators,’ which are defined as any entity carrying on one or more small businesses, each one having an annual turnover of $3million or less.

Exceptions to the Exclusion

Small business operators are nevertheless not exempt if they involve, among other things:

• providing a health service to an individual and holding health information,

• disclosing personal information about another individual to anyone else for payment,

• providing payment for the collection of personal information about another individual from anyone else.

​

Personal Information

Personal information is any information or opinion about an identified individual, or an individual who is readily identifiable.

​

Primary Purpose

The purposes for the use and disclosure of personal information is divided into the primary purpose and secondary purposes. The primary purpose is that for which the information was provided. An organisation is free to deal with information for that purpose.

​

Secondary Purpose

A secondary purpose for the use or disclosure of personal information is any purpose other than the primary purpose, but related to it. There are conditions under which some possible secondary purposes are allowable.

​

Sensitive Information

Sensitive information includes information about an individual’s:

• racial or ethnic origin,

• religious beliefs or affiliations

• philosophical beliefs,

• political opinions or membership of a political association,

• membership of a professional or trade association or trade union,

• criminal record,

• sexual orientation or practices.

​

Australian Privacy Principles

APP 3 — Collection of Solicited Personal Information

An organisation must not collect personal information unless it is reasonably necessary for, or directly related to, one or more of the organisation’s functions or activities. Therefore collecting information that will not be used is disallowed.

If the information sought is sensitive information (eg: medical), an organisation must not solicit it from any source unless the individual consents to that.

An organisation must collect personal information about an individual only from the individual unless it is unreasonable or impracticable to do so.

​

APP 4 — Dealing with Unsolicited Personal Information

If an organisation receives personal information which it did not solicit, it must determine whether it is information that it could have collected under APP 3.

If the answer is ‘no’, then the organisation must destroy or de-identify that information if reasonable and lawful to do so.

​

APP 6 — Use or Disclosure of Personal Information

If an organisation possesses personal information about an individual then the entity must not use or disclose the information for any purpose other than the purpose of collection.

Exceptions include where:

• the individual has consented to the new use or disclosure.

• the individual would reasonably expect the use or disclose the information for a related secondary purpose.

• use or disclosure of the information is required or authorised by law or court order, or is done for government law enforcement.

 

APP 11 — Security of Personal Information

 

An organisation must take whatever reasonable steps it can to protect the personal information it holds from misuse, interference, loss, unauthorised access, modification, and unauthorised disclosure.

​

APP 12 — Access to Personal Information

An organisation must, on request by the individual whose information it holds, give the individual access to that information. Exceptions exists that allow access to be denied. There are no requirements as to the format or formalities of a request. Exceptions include among other things, risks to safety, life or health, risks to the privacy of others, anticipated legal proceedings, copyright, and prejudice to action being taken against unlawful activities.

 

​