7/5/2001

"New privacy rights for consumers will change business practices forever," said Privacy Commissioner, Malcolm Crompton, today as he released Draft National Privacy Principles Guidelines for public comment. "The consumer is about to find out more about their new privacy rights, and I'm here to make sure these rights are protected. Organisations collecting, dealing in and passing on an individual's personal information will need to respond" he said.

"I'm encouraging consumers to take responsibility for their new privacy rights on 21 December 2001, by participating in the public comment of the Draft National Privacy Principles Guidelines" he said. The new law extends the coverage of the Act to the private sector.

"These guidelines establish the ground rules for implementing the National Privacy Principles(NPPs). They aim to provide a comprehensive reference point for interpretation of the principles. For example, these guidelines point out that most direct marketing will be illegal if the consumer has not been informed or contacted. Further, organisations will not be able to re-use personal information for on-line direct marketing or SPAM without your consent" said Mr Crompton.

The final guidelines will form the basis of educational tools that the Office of the Privacy Commissioner will develop to directly target the information needs of consumers and business.

"I will be consulting widely to get maximum input to these guidelines" said Mr Crompton. "It is essential that comment on the draft guidelines is received from consumers and industry. We need to test the guidelines for readability, practicality and content to make sure they deliver good privacy outcomes" he said. Consultations end 6 July 2001 and the final National Privacy Principles Guidelines will be published early October 2001.

"Consumers concerned about their privacy are beginning to question the legality and practices of some organisations. The best way of protecting your privacy is to ask questions before handing over personal information," said the Privacy Commissioner.

The Privacy Commissioner is committed to fostering an Australian culture that respects privacy by working with, and providing expert advice to, key stakeholders and the broader Australian community about the Privacy Act 1988. The Act protects personal and sensitive information (such as health information), through the National Privacy Principles or approved codes. This protection is backed by strong enforcement mechanisms.

"It is important to me that I work with business and the community to establish a privacy culture that works for the whole of the Australian community", said Mr Crompton.

Background

• Draft guidelines focussing specifically on the information handling practices of health service providers in the private sector will be issued next week.
• Draft guidelines on Public Key Infrastructures for the public sector will be issued later this week.

Draft National Privacy Principle Guidelines (HTML version402kb orWord 6  573kb  or Rich text version 1.6mb  or PDF 848kb  or ZIP format 148kb)

What will the Privacy Act 1988 change on 21 December 2001

(These are based on real cases)

Scenario 1: Recruitment Agency (Access)

A woman registers with a recruitment agency and provides the organisation with personal information including resume, work history and references. The recruitment agency may also include comments regarding her skills and abilities on its database.

Over the course of a few months the woman becomes unhappy with the type of jobs being offered to her and wants to see what information is held in the agency's database. Under the new legislation, the recruitment agency will be required to give her access to the database. If she can establish that the information is incorrect the organisation will have to correct the information.

Remember, opinions about the individual's work ability or personality are considered personal information.

Tip: Develop procedures and processes to manage requests for access to the database.

Scenario 2: Online direct marketing (Consent)

A man buys a mobile phone from a telecommunications company and signs a contract. When purchasing the mobile phone he completes the standard contract providing his name and contact details including an email address for receiving billing and warranty information.

Sometime later the company sends direct marketing material to his email address. He does not recall agreeing to this. Under the new legislation, the Privacy Act 1988 allows an organisation to use personal information for direct marketing only if it is impracticable for the organisation to gain consent first. However, in the Draft National Privacy Principles Guidelines the Privacy Commissioner takes the view that it always be "practicable" to seek prior consent for online direct marketing.

Tip: Gain consent up-front. Ask customers at the time of collecting the information if the organisation can send them direct marketing material.

Scenario 3: Charity (Collection)

A woman who wants to make a financial donation to a cause contacts a charity to request information regarding its charity programs. During the telephone conversation she reveals that she attends a Mosque regularly. She did not expect that information to be recorded.

In response to her request, she receives literature in which the charity refers to her as "a committed Muslim". She is angered that this information was collected and stored about her. Under the new legislation, organisation will not be allowed to collect sensitive information such as religious beliefs or affiliations without consent.

The woman could contact the charity and ask them to remove this information as she did not give her consent. If the organisation refuses to fulfil her request she could lodge a complaint with the Privacy Commissioner.

Tip: Always ask the individual's permission before collecting sensitive information (as defined by the amended Privacy Act 1988 S6).