In brief - Councils will need to meet the privacy commitments made by businesses that share the personal information they collect with councils
Recent changes to national privacy laws have imposed new requirements on the collection and management of personal information in Australia. These laws do not directly apply to councils, but they do apply to most of the businesses that councils deal with on a day-to-day basis. To the extent that those businesses share their collected data with councils, the new privacy requirements will affect councils.
Australian Privacy Principles and personal information
The new privacy laws impose obligations on how "personal information" can be collected, managed and transferred in Australia. These obligations are set out in the Australian Privacy Principles (APPs).
Personal information is defined to be any information or opinion about an identified person, or a person who is reasonably identifiable from that information or opinion. Common examples are: a person's name, address, telephone number, date of birth, medical records and bank account details.
What does this mean for local councils?
The new privacy laws do not directly apply to local governments (although state or territory privacy laws with similar provisions may apply).
The new privacy laws created new civil penalties (not applicable to councils) and can be expected to move privacy compliance up the risk management agenda of many businesses.
Councils will need to demonstrate compliance with APPs
The privacy policies of Australian businesses now commonly include a commitment to ensuring that third party recipients of personal information from the business handle that information in accordance with the privacy laws.
This means that at a practical level, local governments may face increasing pressure from their suppliers and contractors to demonstrate compliance with the APPs. APP requirements potentially relevant to local governments include:
- personal information must not be collected unless it is reasonably necessary for a function or activity of the organisation
- generally, personal information may only be used or disclosed for the purpose for which it was collected, unless an exception applies (for example, a related secondary purpose that the person would reasonably expect)
- generally, personal information must not be used for direct marketing unless the person concerned has consented to that or has a reasonable expectation of it
- personal information must not be disclosed overseas, unless the disclosing organisation has taken reasonable steps to ensure that the overseas recipient handles the information in accordance with the APPs
- organisations must take reasonable steps to protect the personal information they hold from interference, misuse, loss, and unauthorised access, modification or disclosure
- organisations must, at an individual's request, give that person access to the personal information the organisation holds about them
- organisations must take reasonable steps to correct personal information to ensure it is accurate, up to date, complete, relevant and not misleading