Data Protection Act of Australia . How does data protection law affect you?
Data protection laws are to protect individuals from the misuse of their personal information. These laws are to ensure that businesses collect only those details they require for the purpose of carrying out transactions or providing services. They also aim to protect individuals from having their personal information without their consent.
Data Protection Act of Australia
In Australia, the Privacy Act 1988 (Cth) regulates and governs the collection, use and disclosure of personal information. Personal information is the ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable. Even if the information or opinion is true or not. And whether the information or opinion is recorded in a material form or not’.
There are various examples of personal information, including:
1• Name and address
2• Date of birth
3• Email address
4• Financial details (credit card numbers, bank account numbers)
5• Health details (medical conditions, allergies, etc.)
6• Information relating to employment (salary details, etc.)
Consent as a ground for processing personal data under the Privacy Act 1988
Consent is one of the grounds for processing personal data under the Privacy Act 1988 (Cth). So, consent can be expressed or implied. Express consent is by an individual through a clear and positive action.
This can include ticking a box on a form or signing a contract. Implied consent occurs when an individual does not take action to remove themselves from contact with a business. Implied consent can also be from conduct – such as continuing to use a website. Or where it would be reasonable for the business to assume that they have consented.
At times, consent may also need to be from another party to provide consent on behalf of an individual. For example, if a parent consents on behalf of their child. In some cases, this secondary consent may also be in writing in order to comply with privacy legislation.
Obtaining consent may not be appropriate
There are situations when obtaining consent may not be appropriate; these are set out in Schedule 3 of the Privacy Act 1988.
These include:
1) when the collection of personal information is a requirement by law;
2) where it is unreasonable or impracticable to seek consent;
3) where it is not possible for an organization to seek consent (such as emergency services organizations);
4) when seeking consent would cause detriment to the individual;
5) where seeking consent would be unreasonably intrusive;
6) where seeking consent could prejudice enforcement-related activities conducted by government agencies;
7) where personal information is collected for journalistic purposes; and
8) where personal information is health information collected from a health service provider.
Australian Privacy Principles
While the Privacy Act 1988 (Cth) sets out the general rules for the collection, use and disclosure of personal information, it is important to note that the Act does not provide any specific guidance on:
1• How businesses must protect personal information from loss or misuse;
2• How businesses must keep personal information up to date; or
3• What happens if a business breaches an individual’s privacy.
In order to address these issues, the Australian Information Commissioner developed the Australian Privacy Principles (APPs). The APPs provide practical guidance on complying with privacy legislation. They also provide individuals with a set of rights regarding their privacy. In addition to this, the APPs provide businesses with a set of obligations which they must comply with when collecting and dealing with individuals’ personal information.