Information Privacy Law as a Current and Evolving Issue
Due to Facebook-Cambridge Analytica, Lloyd v Google LLC, and COVID-19-related contact tracing regimes imposed around the world giving rise to widespread collections and exchanges of data and personal information, the concerns around the role and operation of privacy law has been on an upslope.
Organisations such as schools, businesses, restaurants, cafes, churches and their related entities must pay attention to how privacy affects their obligations and expectations to ensure that the privacy of the individual is of principal importance. While discussions surrounding the right to privacy continue to evolve, three considerations are key to understanding the existing law:
- The right to privacy is expressed in Article 12 of the Universal Declaration of Human Rights (UN) which laid foundations for human rights protections independently developed by national jurisdictions. The right to privacy is becoming more recognised by Australian jurisdictions, for example, under Queensland legislation, “a person has the right not to have the person’s privacy… unlawfully or arbitrarily interfered with…”;
- As illustrated in cases such as Kaye v Robertson, progress in the area’s development has been indicated by introduction of Article 8.1 of the European Convention of Human Rights and discourses in the USA regarding the possibility and nature of torts (civil wrongs) in invasion of privacy; and 
- As appears the case with most other common law jurisdictions, information privacy law in Australia remains an area under development. Legislation, especially the Privacy Act 1988 (Cth), leads guidance, though as seen in Grosse v Purvis and Giller v Procopets, modern Australian courts have hinted at the potential existence of invasion of privacy torts.
We will discuss the application of current Australian information privacy law and its application to organisations (mentioned earlier) that manage the personal information of individuals.
The Australian Privacy Principles (APPs)
In a contemporary business backdrop characterised by increased internet usage, data exchange, and information handling, the Privacy Act 1988 (Cth) prescribes thirteen (13) Australian Privacy Principles (“APPs”) for organisations generally with annual turnovers exceeding $3 million (and other specified entities such as health service providers, including schools and churches, and credit reporting bodies). Generally, the APPs engage with the following matters:
- Open and transparent management of personal information, especially requiring organisations to publish, circulate, and make available privacy policies which are clearly expressed, up-to-date, and indicative of how collected personal information will be handled.
- Anonymity and pseudonymity, allowing individuals the option of not identifying themselves or using pseudonyms in lieu subject to some exceptions.
- Collection of solicited personal information, generally only permitting organisations to collect personal information where reasonably necessary for their legitimate activities.
- Dealing with unsolicited personal information, requiring organisations which receive unsolicited personal information to determine whether it would ordinarily have had grounds on which to collect that personal information and deal appropriately according to that determination. Such course may include destruction, deletion, or de-identification of information they are not entitled to hold.
- Notification of the collection of personal information, requiring that organisations notify individuals when their personal information is being collected at or before the time of collection, generally encouraging incorporation of collection statements into forms or other material via which the personal information is collected.
- Use or disclosure of personal information, prohibiting organisations from use or disclosure of personal information for any purpose outside of the stated purpose of collection (subject to limited exceptions).
- Direct marketing, prohibiting organisations from using collected personal information for direct marketing purposes unless the providing individual consents to it or reasonably expects it. The individual must also be allowed to opt out of receiving the direct marketing communications.
- Cross-border disclosure of personal information, requiring organisations to ensure that any personal information disclosed to an overseas recipient (i.e. outside ambit of Australian legal regimes) is dealt with by the recipient in a manner compliant with the APPs, generally holding the Australian organisations liable for relevant breaches.
- Adoption, use, or disclosure of government-related identifiers, prohibiting organisations from adoption, usage, or disclosure of government-related identifiers such as passport numbers, tax file numbers, or licence numbers subject to limited exceptions including where required or authorised by law or necessary to verify an individual’s identity.
- Quality of personal information, generally requiring organisations to ensure personal information lawfully collected, used, disclosed, and held is accurate, up-to-date, and complete.
- Security of personal information, requiring organisations to take reasonable steps to protect the personal information from, among other things, unauthorised access, modification, or disclosure, misuse, and loss.
- Access to personal information, generally requiring organisations to accommodate requests by individuals for access to their collected personal information, and
- Correction of personal information, requiring organisations to take reasonable steps to correct held personal information where satisfied that the personal information is inaccurate or where an individual requests the correction, and notify same correction to any third parties the personal information was disclosed to in an incorrect form.
Complaints to the Office of the Australian Information Commissioner (OAIC)
Organisations must pay special care and attention to critical obligations such as the provision of privacy-related policies and development of information collection (and subsequent notification) procedures. Without stringent processes which adhere to privacy law obligations, organisations face the risk of having penalties imposed on them by the Office of the Australian Information Commissioner (OAIC), the governing body tasked with responding to privacy complaints and ensuring that relevant organisations are attentive and compliant with Privacy Act.
Failing to comply with the APPs may lead to significant penalties. For example, if an organisation is held to have seriously or repeatedly interfered with an individual’s privacy by breaching the APPs, the organisation may face penalties of up to $2.1 million for corporate bodies.
COVID-19 and Privacy Law
The COVID-19 pandemic has affected how Australians view their right to privacy and how such privacy may be managed by various organisations. The most obvious implication on privacy law as a result of COVID-19 is the enacting, within state jurisdictions, of health directions or orders pertaining to the collection and use of contact-tracing information. In most Australian states and territories, contact-tracing is required by relevant organisations to prevent the risks associated with community transmission of the coronavirus.
The federal jurisdiction to impose organisations’ obligations to comply with the APPs remains. Organisations which are required to collect the personal information of individuals for the purposes of contact-tracing, mandated by state or territory directions or orders, are permitted to do so under the Privacy Act. However, those businesses who collect contact-tracing information and are not required to do so under their relevant state or territory laws, must ensure that the collection of personal information is done appropriately and in-line with the relevant APPs.
It is important to remain vigilant in the protection of an individual’s personal information. Remember, should a serious risk of harm arise, there are obligations for organisations to respond appropriately. When assessing an organisation’s privacy policies or procedures, an important element of consideration is the systems (online and offline) which are used to collect, store, use and disclose personal information.
In a study conducted by the OAIC, it was found that 86% of Australians perceived fraud and data breaches (including identity theft and data security) as the biggest privacy risk faced today. Undoubtedly, this perspective should prompt organisations to consider their current practices of information privacy.
How We Can Help
Corney & Lind Lawyers is committed to guiding its clients through the complexities and challenges posed by ever-evolving information privacy law.
1 Green v Group Ltd & Ors  EWHC 954 (Ch); Lloyd v Google LLC  EWCA Civ 1599.
2 Universal Declaration of Human Rights  (United Nations), art 12.
3 Human Rights Act 2019 (Qld) s 25.
4 Kaye v Robertson  FSR 62; Cason v Baskin (1945) 20 So. 2d 243.
5 Grosse v Purvis  QDC 151; Giller v Procopets (2008) 24 VR 1.
6 See Privacy Act 1988 (Cth) §14-§15 & schedule 1.
7 ibid, §13G.
8 Privacy Amendment (Notifiable Data Breaches) Act 2017 sch 1.
9 Office of the Australian Information Commissioner, Australian Community Attitudes to Privacy Survey 2020 (September 2020) 26.