Protecting data: privacy and security
Privacy
Organisations operating online are subject to Australia’s privacy laws just as they are when they operate offline. These legal obligations apply to all personally identifiable information. The challenge in the online world is the ease with which information can be or become personally identifiable. Privacy obligations can attach to names, email addresses, photos and videos, among other things.
The National Privacy Principles (NPPs) are the baseline privacy standards which some private sector organisations need to comply with in relation to personal information they hold. They include the following:
- You can only collect personal information if it is necessary for the function or activity of your organisation.
- You should not use or disclose personal information for a purpose different from the original purpose of collection, except in limited circumstances.
- You must take reasonable steps to ensure that personal information collected is accurate, complete and up-to-date.
- You must take reasonable steps to protect the personal information collected.
- You can transfer personal information to a person or organisation outside Australia only in limited circumstances. These include the requirement that you reasonably believe that the recipient is governed by comparable privacy laws, or that the individual whose personal information you transfer consents to that transfer.
- Although you are allowed to collect and use personal information, you are generally not allowed to collect and use ‘sensitive information’ about individuals unless they first consent. There are only limited circumstances in which such sensitive information can be collected without the person’s consent. Sensitive information is defined in the Privacy Act and includes information regarding race, gender, political opinion, religious beliefs, philosophical beliefs, membership of a trade union or professional organisation, or sexual preference or practices.
- These principles also require you to explain your personal information collection and use practices to the people using your website at the time you collect their information.
Publishing a privacy policy on your website that outlines what information you collect from people, what you use it for and how you protect it can assist your organisation in complying with these principles.
Further information about Australia’s privacy laws and the obligations upon business can be obtained from the Privacy Commissioner’s website.