Protecting Information Rights – Advancing Information Policy


Media Release: Defending your privacy


December 19 2002

"Australian's privacy rights are about to be extended to include personal information held by small businesses that trade in personal information, do contract work for commonwealth government or are related to a business with a turn over of $3 million or more," said Federal Privacy Commissioner Malcolm Crompton.

"On 21 December this year, more small businesses will be required to comply with the Privacy Act, and I expect them to have systems in place by that date to meet their obligations," said Mr Crompton. "These small businesses are in addition to those small businesses that are health service providers. Health service providers have been required to comply since 21 December 2001 regardless of size."

"Australians have been making good use of new privacy protections this year. Small businesses, covered by the Act, who choose to ignore their compliance responsibilities run the risk of having my Office investigate a privacy complaint about them. They also run the business risk of losing the trust of their customers which could mean that they lose business as a result of poor privacy practices." said the Commissioner.

"Businesses sceptical about how important privacy is need to be aware that close to 25,000 people rang our Privacy Hotline this year asking for advice about privacy, and more than 900 people lodged a complaint with me for the Office to investigate. Approximately two thirds of these complaints and enquiries relate to business's new responsibilities to manage personal information in accordance with the Privacy Act."

"The things people are worrying about include:

  • organisations collecting information without respecting privacy - collecting it unfairly, collecting it without needing it, or collecting it without telling the individual what's going on
  • organisations using personal information in ways that breach privacy: not using it in the way that people expected it to be used (particularly for direct marketing), or passing it on to other organisations or individuals inappropriately
  • people not being able to get access to their records, or correct them when they are wrong. Health information is a particular concern here.

"These are all potentially breaches of the Privacy Act," he said.

"Businesses that get privacy wrong face an increasingly aware and active consumer" warned the Commissioner. "More than 40% of Australians have refused to deal with an organisation because of concerns over the use and protection of their personal information. Consumers want to know how their personal information will be used, and increasingly, will respond where they feel their privacy has been invaded. Organisations face the danger of substantial damage to their public image if a story about mishandling of personal information becomes public."

Mr Crompton observed that "a large proportion of businesses have been working hard to get privacy right. Even in those cases where my Office is called in to investigate, we have found, in the main, that businesses co-operate, and implement our advice as to how to improve their privacy practice."

"This year we have seen the privacy debate reach into some very significant areas. Key issues have been:

  • bundled consent - where consumers are being asked to consent to a broad range of uses and disclosures of their information in one shot
  • email surveillance - what is acceptable?
  • publicly available information - what are people's and business's expectations about how this information will and can be used?
  • use of biometric security tools - using biometrics to enhance privacy
  • privacy and security - how do we achieve both?
  • identity fraud - we can protect ourselves from this increasing problem and protect our privacy at the same time
  • privacy and genetic information - how should our genetic information be protected?

"Most small businesses will not be covered by the Act. Only those that: are health service providers, trade in personal information, are related to a larger business or are a contractor to Commonwealth agencies will need to comply. Many small businesses have already taken up the option to opt in to coverage under the Privacy Act.

"My approach is to help businesses to comply with the Act. My Office has set up a small business web page, and a set of three publications that directly target the information needs of small business to help them determine whether they are covered, and what to do if they are.

"The above mentioned publications are available from the Office web site @ www.privacy.gov.au, or you can ring the Privacy Hotline on 1300 363 992.

Related Documents:

  • Small Business Guides
  • Opt in Register Form
  • OFPC research: Community attitudes towards privacy in Australia, 2001

Privacy Examples:

Housing: A woman found she could not rent a property because she was listed on a tenancy database five years ago. The incident related to damage to a property that a subsequent insurance investigation established was not her fault. She would be entitled to have her record corrected.

Health: A man asked his doctor for access to his medical record. Because the organisation in question had not requested ID as part of their normal approach to providing access, the file had already been incorrectly provided to someone else. The Privacy Act requires organisations to protect personal information from misuse and unauthorised use, or unauthorised disclosure to others.

Finance: A woman wanted to follow up on an insurance company's decision not to pay a claim, by getting access to the information on which the company based its decision. There are exceptions to where organisations are required to provide access to personal information, but even where these apply, organisations must consider the use of intermediaries to organise some sort of access.

Web surfing: An IT software company was collecting information such as browser versions from its clients without telling them. Their intention was to save their clients' time. Nevertheless the Privacy Act requires them to advise their clients that they are collecting this information.

Employment: A man was approached to see if he was interested in a job. He was, so he submitted references and his resume, was interviewed a number of times, and was then offered the job. The offer was withdrawn two weeks later without explanation. The man asked what personal information had been collected about him and from whom. The organisation concerned declined to supply the information. Again, organisations are generally obliged to provide access, and where exceptions apply, they must consider the use of intermediaries to organise some sort of access.

Shopping: A woman attempted to buy a CD. When she went to pay, the retailer requested her private address. The woman did not provide it, and the retailer refused to sell her the CD. The Privacy Act requires organisations not to collect personal information unless it is necessary for one or more of their functions. It also requires organisations to provide individuals with the option of not identifying themselves, where this is lawful and practicable.