Information Privacy Protection in Australia

June 2006

For more than five years Australian business groups, including the Business Council of Australia and the Australian Chamber of Commerce and Industry, have been lobbying the Australian Government to use its Senate majority to substantially overhaul the company tax law regime in Australia.  Combined with the Australian Government's efforts to promote Australia as a financial center and its friendly relations with the US, this has made Australia an increasingly appealing location for international expansion by U.S. businesses.  Additionally, the Australian Treasury Department is said to be considering offering tax breaks to foreign multinationals in order to encourage them to establish regional headquarters in Australia.


Global business expansion into Australia necessitates many considerations, and among them should be an analysis of the impact of Australian privacy laws on the business generated as a result of the expansion.  Australian privacy law consists of several sets of principles that were enacted as part of the Federal Privacy Act 1988 (Cth).  The eleven Information Privacy Principles apply to Commonwealth and ACT government agencies.  Additionally, there are ten National Privacy Principles (NPPs) which apply to parts of the private sector and all health service providers.  The NPPs were approved on December 21, 2001 and are found in the amendment to the Privacy Act 1988 (Privacy Amendment (Private Sector) Act 2000 (Cth)).  The Principles became effective on July 21, 2001, and compliance was required on December 21, 2001, and on December 21, 2002 for small businesses not exempt from the Act.  The NPPs expanded on the National Principles of Fair Handling of Personal Information issued earlier by the Federal Privacy Commissioner in February 1998 in response to growing calls for privacy regulation in the private sector.  The Principles apply to “organizations” (defined to include natural persons as well as business entities) that are not small business operators, a registered political party, agency or State or Territory authority.  “Small business” is defined as a business with annual “turnover” of $3,000,000 (AU) or less. However, these small businesses can choose to opt-in to coverage by the National Privacy Principles by submitting an application to the Privacy Commissioner, resulting in being placed on a public register.  This procedure is free of charge.  A small business which has opted in may also opt out by notifying the Privacy Commissioner in writing, again at no cost. 

The Australian approach differs from both the United States’ “opt out” approach to information sharing, which uses a mix of industry-specific rules and public declarations by companies of their intent to share, and the EU system, with its “opt in” approach that requires express consent by the individual to any use or sharing of personal information.  The Australian legislative approach is one of “co-regulation.”  The Explanatory Memorandum that accompanied the bill characterized the approach as one where self-regulatory codes of practice can be given official recognition by the Privacy Commissioner.  Organizations and industries have been encouraged to develop codes of practice, using the NPPs as a benchmark, which can be submitted to the Commissioner for official approval.  Thus, the private sector is also given the opportunity to create its own privacy codes.

In the absence of an officially approved privacy code, the NPPs apply to the collection, holding, use, disclosure and transfer of personal information, or in other words, the “life cycle” of personal information.  In summary, the NPPs govern personal data security as follows:

1. Collection of personal information is limited to that which is necessary for an organization’s functions or activities, and generally with an individual’s informed consent.

2. Use and Disclosure must be for the primary purpose for which the information was collected, with exceptions for direct marketing, public health and safety, and law enforcement.

3. Data Quality must be maintained by taking reasonable steps to make sure the data the organization uses or discloses is accurate, complete and up-to-date.

4. Data Security must be assured by reasonable steps to protect data from unauthorized use and access.  Such steps include procedures for destruction or de-identification of information no longer needed.

5. Openness must be provided by disclosing, and making available, the organization's policies on the type of information it holds, for what purposes, and how it collects, holds, uses and discloses information.

6. Access to and Correction of personal information must be available to individuals for a reasonable fee.

7. Identifiers issued by the government may not be used as the organization's own identifiers for individuals.

8. Anonymity must be available wherever lawful and practicable when entering into transactions with an organization.

9. Transborder Data Flows without the consent of the individual are permissible only where the organization reasonably believes the information will be granted a similar level of protection as under the NPPs.

10. Sensitive Information (e.g., race, ethnic origin, political opinions, religion, sexual preferences, criminal record or health information) must not be collected.

There are a number of exemptions from the application of the NPPs.  They include small business operators, as discussed above (unless they are involved in the health care industry); a journalism exemption for acts done by a media organization in the course of journalism; and a political party exemption.  Most notable and controversial, however, is the exemption for employee records held by a business.  While there have been discussions within the Australian government to remove that exemption, nothing concrete has been done at this stage.  An 'employee record' means a record of personal information relating to the employment of the employee, and while it is broadly defined, employers may not be able to assume that all the information they hold that relates to an individual employee would be an employee record. For example, emails that an employee has received from third parties outside the organization may not necessarily be an employee record.  It is important to review the data to be transferred with counsel to determine that it falls within the definition.

With respect to Principle 9, Transborder Data Flows, it is incumbent on the organization to determine if the country to which the data will be transferred affords protections of personal information similar to those afforded by the NPPs.  The Office of the Federal Privacy Commissioner has indicated that countries which are assessed by the European Union to have an adequate level of protection to satisfy the requirements of Article 25 of the European Union Directive 95/46/EC on the Processing of Personal Data and on the Free Movement of Such Data (1995) are likely to meet the requirements of National Privacy Principle 9 (NPP 9) under Australian privacy laws.  However, a U.S. company will be entitled to the benefits of that designation only if it complies with the Safe Harbor Principles agreed to by the U.S. Department of Commerce and the EU.  Australia has not recognized or developed model contract clauses, such as those approved by the European Commission, that would provide U.S. companies an alternative to Safe Harbor designation.  If an organization does not fall within any of the exemptions, the organization should consult with legal counsel as to how to comply.

Compliance with Australia’s NPPs should be part of a company’s strategy and planning whether it is expanding its business or actually outsourcing business functions to Australia.  Obtaining individual consent to sharing and use of information wherever possible is a prudent measure.  Businesses need to be clear on what laws affect them and implement policies and procedures to address the requirements.
