Privacy Guidelines – Are you Complying?
Monday, 21st January 2002 at 12:01 pm
The new Privacy laws took effect from December 21, and at the same time the Office of the Federal Privacy Commissioner (OFPC) released A Short Guide for the Private Health Sector (December 2001).
Commissioner Malcolm Crompton says that for the first time, many private sector organisations will be required to make sure individuals understand what will happen to their information, and how they can access and correct their records. Australians have had these rights when dealing with federal government agencies since 1988 when the Privacy Act 1988 came into effect.
Crompton encourages organisations not just to see privacy as a compliance issue, but as a way of enhancing good relationships with their clients and customers.
As well, the OFPC has launched its redesigned website, making it easier for visitors to navigate around the Privacy topic. Check it out at www.privacy.gov.au.
If you would like a copy of A Short Guide for the Private Health Sector (December 2001), send us an e-mail at firstname.lastname@example.org.
And list broker Action Mailing Lists has provided a list of key points that your organisation must adhere to. Are you complying?
1) Implied consent for use and disclosure of personal information can be legitimately inferred from an individual’s failure to “opt-out”, provided the option to opt-out is clearly and prominently presented.
2) Generally, business to business communication involving use of personal information will be considered to be within the individual’s reasonable expectation and implied consent.
3) Information from generally available publications will remain accessible for direct marketing purposes.
4) Organisations who transfer customer information to suppliers under contracts that ensure the security / privacy of the information will not have to tell customers all about these suppliers.
5) Normal cross-selling activities will no longer be potentially in breach of the legislation.
6) Guidelines will no longer imply that personal information is the property of the individual.
7) In dealing with complaints, the Privacy Commissioner will only issue a public determination as a last resort, where efforts to conciliate have failed.
8) If it is lawful and practicable to do so, give people the option of interacting anonymously with you.
9) Only collect personal information that is necessary for your functions or activities.
10) Use fair and lawful ways to collect personal information.
11) Collect personal information directly from an individual if it is reasonable and practicable to do so.
12) Get consent to collect sensitive information unless specified exemptions apply.
13) At the time you collect personal information or as soon as practicable afterwards, take reasonable steps to make an individual aware of:
a) why you are collecting information about them;
b) who else you might give it to; and
c) other specified matters.
14) Take reasonable steps to ensure the individual is aware of this information even if you have collected it from someone else.
15) Only use or disclose personal information for the primary purpose of collection unless one of the exceptions in the guidelines applies (for example, for a related secondary purpose within the individual’s reasonable expectations, you have consent or there are specified law enforcement or public health and public safety circumstances).
a) If the information is sensitive the uses or disclosures allowed are more limited. A secondary purpose within reasonable expectations must be directly related and the direct marketing provisions of the guidelines do not apply.
16) Take reasonable steps to ensure the personal information you collect, use or disclose is accurate, complete and up-to-date. This may require you to correct the information.
17) Take reasonable steps to protect the personal information you hold from misuse and loss and from unauthorised access, modification or disclosure.
18) Take reasonable steps to destroy or permanently de-identify personal information if you no longer need it for any purpose for which you may use or disclose the information.
19) Have a short document that sets out clearly expressed policies on the way you manage personal information and make it available to anyone who asks for it.
20) If an individual asks, take reasonable steps to let them know, generally, what sort of personal information you hold, what purposes you hold it for and how you collect, use and disclose that information.
21) If an individual asks, you must give access to the personal information you hold about them unless particular circumstances apply that allow you to limit the extent to which you give access – these include emergency situations, specified business imperatives and law enforcement or other public interests.
22) Only adopt, use or disclose a Commonwealth Government identifier if particular circumstances apply that would allow you to do so.
23) Only transfer personal information overseas if you have checked that you meet the requirements of the legislation.
24) Providing an opt-out clause in direct-marketing material gives consumers enough opportunity to choose not to receive more material.
25) Normal cross-selling activities will no longer be considered to be potentially in breach of the legislation.
If you would like to share your anecdotal experience of the new Privacy provisions, drop us an e-mail at email@example.com.