The Privacy Act protects personal information about individuals handled by organisations (including small businesses and not-for-profit organisations) subject to the Privacy Act. The ten National Privacy Principles (NPPs) in the Privacy Act set the minimum standards for handling personal information.
Small businesses subject to the legislation will need to consider how they are to implement the provisions. They may choose to be bound by a privacy code approved by the Federal Privacy Commissioner. If they are not bound by a privacy code, the NPPs in the legislation will apply to them. More information about privacy codes can be found in the Meaning of Terms.
Personal information is information or an opinion that identifies an individual or allows their identity to be readily worked out from the information. It includes information such as a person's name, address, financial information, marital status or billing details. Some personal information is sensitive information. This includes information about ethnicity, religion and health. Sensitive information is explained further in Meaning of Terms.
The NPPs are principles or rules about collecting, using and disclosing personal information.
The NPPs also cover keeping information secure, paying attention to data quality and accuracy, being open about collection and information handling practices, providing anonymity where possible, and protection when transferring personal information overseas.
There are some special rules about handling sensitive information, including health information.
People have rights under the NPPs to know what information a small business holds about them and to access and correct the information.
A summary of the NPPs can be found below.
As well as exemptions for most small businesses, the Privacy Act also has exemptions for the media and for political parties.
The Privacy Act does not apply to employment records used for employment purposes in your business.
Information Sheet 12-2001 Coverage of and Exemptions from the Private Sector Provisions, available from the Office website, gives more information about the types of businesses and practices to which the Privacy Act applies.
Privacy Act Enforcement
The Privacy Act gives individuals the right to complain if they think a business, including a small business subject to the Act, has not complied with the NPPs in handling personal information about them.
The Privacy Commissioner can investigate, conciliate and, if necessary, make determinations about complaints. The Privacy Commissioner will usually only investigate a complaint if the individual has first tried to resolve it directly with the small business concerned.
Remedies for a privacy complaint might involve an apology, a change in practice or compensation.
For more information, go to Information Sheet 13-2001 The Federal Privacy Commissioner's Approach to Promoting Compliance with the Privacy Act, available from the OAIC website www.oaic.gov.au.