The Australian Privacy Principles (APPs) became part of the Privacy Act 1988 (Cth) (Privacy Act) on 12 March 2014.
The APPs generally apply to governmental agencies, individuals, and companies that are not small business operators or registered political parties. The small business operator exception applies where annual turnover for the previous F/Y (or current for new businesses) was $3 million or less. In this article, we provide a summary of recent cases which may be of interest.
Access to personal information: Ben Grubb and Telstra Corporation Limited  AICmr 35
When requested, Telstra refused access to ‘metadata’ collected in relation to the individual’s Telstra mobile phone service, including cell tower logs, usage details, duration of usage, and websites visited. The Office of the Australian Information Commissioner (OAIC) found that Telstra had breached its obligation to provide access to personal information held about the individual unless an exception applied. Telstra was ordered to provide the information requested at no cost within 30 days, except for information which unreasonably impacted the privacy of others (inbound call numbers). Metadata that companies collect, including statistical information (Google Adwords or Analytics), must generally be available to individuals upon request, unless an exception applies.
Inadvertent disclosure: ‘EQ’ and Great Barrier Reef Marine Park Authority  AICmr 11
A government agency inadvertently included the name of an individual being investigated, the type of activity and other details of the case, which led to a journalist researching and identifying significant personal information about the individual involved.
The government agency inadvertently breached its obligations in respect of the use and disclosure of personal information, resulting in a written apology, review of internal process and a $5,000 payment to the individual for non-economic loss being ordered.
Protecting personal information from misuse, loss or unauthorised disclosure: ‘CM’ and Corporation of the Synod of the Diocese of Brisbane  AICmr 86
The disclosure and use of personal information within a company needs to be related to the ‘primary purpose’ for which it was collected. Disclosure and use must also account for the possibility of the information being misused, lost or disclosed without consent of the individual concerned. Where information is collected for a specified purpose, the disclosure of the collected information to other persons is not automatically reasonable even where the disclosure is related to the specific purpose for which it was collected.
Privacy obligations require consideration of proper handling, confidentiality and disclosure processes such that if functions can occur without the disclosure of the complainant’s personal information, the information should not be disclosed. Failure to comply with this requirement may incur fines, damages and reputation loss. At ARETE Group we have expertise and experience in drafting or reviewing privacy policies, assisting in the implementation of processes compliant with the APPs and reviewing / advising on potential breaches of the Privacy Act.