5. Data Privacy Laws: Avoiding The Trip-Wires Of Complex Regulations
Data protection in Australia is currently a mix of Federal and State/Territory legislation. Under the Federal Privacy Act 1988 (Cth) (“Privacy Act”), the National Privacy Principles apply to private sector businesses and the Information Privacy Principles apply to all Commonwealth Government and Australian Capital Territory Government agencies.
Australian States and Territories (except for Western Australia and South Australia) each have their own data protection legislation applying to State Government agencies (and private businesses' interactions with them). These acts are:
- Information Act 2002 (Northern Territory);
- Privacy and Personal Information Protection Act 1998 (New South Wales);
- Information Privacy Act 2009 (Queensland);
- Personal Information and Protection Act 2004 (Tasmania); and
- Information Privacy Act 2000 (Victoria).
There are also various other pieces of State and Federal legislation that relate to data protection. For example, the Telecommunications Act 1997 (Cth), the National Health Act 1953 (Cth), the Health Records and Information Privacy Act 2002 (NSW) and the Workplace Surveillance Act 2005 (NSW) all impact privacy/data protection for specific types of data or for specific activities. Our focus here, however, is on the application of the Privacy Act to private sector businesses.
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (“New Act”) was passed by the Australian parliament in December 2012 and comes into force from March 2014. The New Act contains significant reforms to the Privacy Act, including replacing the National Privacy Principles for the private sector and Information Privacy Principles for Commonwealth and Australian Capital Territory Government agencies with a single consolidated set of principles referred to as the Australian Privacy Principles (“APPs”). The New Act also significantly strengthens the powers of the Australian Information Commissioner to conduct investigations and ensure compliance with the amended Privacy Act.
Given the New Act does not come into force until March 2014, here we outline the obligations currently imposed under the Privacy Act and highlight only those key new obligations which will come into force from March 2014.
International Data Privacy Laws
International laws governing the transference and sharing of data vary wildly from country to country with some of the strictest being in Europe. At their most basic, these laws restrict a company’s ability to collect, store, transmit or examine “personally identifiable data.” This term is generally defined to include anything that could be used to identify a specific individual, including name, address, job title, telephone number or email address – in other words, it covers almost every form of data that would be relevant to an audit, internal investigation or compliance risk assessment.
To better illustrate how these laws impact an auditor’s job, imagine a somewhat routine task such as investigating whether or not one or more employees may be engaged in improper activities. What specific steps you can take to accomplish that review is directly tied to where the individual employees are based and where their data is stored.
If the employees or their data were in France, for example, you would likely have to consult with the Works Council, a group of employee representatives, to make sure they agreed on the legal basis for the examination of personal data and that your approach was tailored to exclude anything marked “private” or “personal.” In addition, you may also be required to register your review with CNIL, the French Data Privacy Authority. Then, depending on a variety of factors, you may not be able to transmit any evidence or probative information back to the United States for review. Noncompliance with restrictions like these can subject you and your company to criminal and civil sanctions.
If you’re used to performing these investigations in the United States, where corporate emails can generally be reviewed when the company alone determines such a step is warranted, these limitations can be hard to believe – especially when all you’re trying to do is confirm that the company and its employees are behaving ethically, legally and within the bounds of corporate policies and procedures.
Make sure you understand and respect the laws of any country, particularly those that deal with data privacy and protection, before you begin your audit.
The myth of King Midas ends on a good note. When he cried to the Greek gods, they turned everything he touched back to normal. But for all of us here in reality, there’s no turning back. The best we can do is keep these issues at the forefront of our minds and make sure that the conveniences and advantages of technology always outweigh the potential for chaos it can invite.
Please contact Sweeny Legal or Brandsworth Licensing should you require any assistance with any Intellectual Property (IP) rights, Commercial Agreements of any type, or IP Business Strategies.