1. Client information and privacy law
In Australia there is no general legal right to privacy. Privacy protection is afforded through the operation of certain Federal, State and Territory laws, as well as the common law of contract, tort and confidential information.
New privacy laws limit the type of personal (or client) information that can be collected by a business or organisation. For example, a business cannot collect sensitive information about a person (e.g. religious or political beliefs) without their consent.
The information a business collects must be relevant to an approved purpose, which is determined by the business activities of the organisation. For example, a credit reporting business that provides data on people's creditworthiness may collect information about a person's credit history.
2. Limits on the collection and use of client information
New privacy laws commence in December 2001 for most businesses. These laws establish the National Privacy Principles (NPPs) as minimum privacy standards for the private sector including small businesses. The NPPs (at www.privacy.gov.au/) regulate the transfer of personal information.
NPPs relevant to the collection and use of personal information include:
(a) Collection of personal information is only allowed if necessary for the function or activity of your business.
(b) Personal information should not be used or disclosed without the consent of the individual concerned.
(c) A business must take reasonable steps to ensure personal information collected, used or disclosed is accurate, complete and up to date.
(d) Your business must take reasonable steps to protect personal information held and must not hold data longer than it needs.
(e) A business must clearly express and make available policies on the use and management of personal information.
(f) A business must provide individuals on request with access to information held about them.
(g) Where lawful and practical, individuals must have the option of remaining anonymous when entering into a transaction with a business.
(h) A business must not collect sensitive information about individuals unless the individual consents, or if your organisation is required to do so by law.
3. Businesses covered by the NPPs
The new laws only cover businesses with an annual turnover of more than $3 million.
A business (includes partnerships, trusts and individuals operating a business) will not be covered by the new laws if it is a small business with an annual turnover of $3 million or less and:
(a) is not related to a business with an annual turnover of $3 million or more;
(b) does not provide a health service or hold health records;
(c) does not disclose personal information about an individual for a benefit, service or advantage; and
(d) does not provide a benefit, service or advantage to collect personal information.
4. Databases containing customer information
A database is a collection of data arranged in a systematic way to allow for the easy and efficient retrieval of information. It is usually in an electronic form. Many businesses collect customer information and store that information in databases.
Under the NPPs, businesses with a turnover exceeding $3 million cannot transfer personal information about an individual to, or receive it from, any third party for a benefit, service or advantage. This means you cannot sell a customer database that contains personal information about your customers.
5. Cookies and privacy
A cookie is a record stored on a computer when a user visits a particular website. Each time a computer is used to access the same site, the information which was previously received is sent back to the website by the browser. The cookie indicates to the website server that a person has been to the site before and what parts of the website have been visited.
A cookie itself is unlikely to contain personal information, but if linked with other identifying information it can be used to build a personal profile. For example, it may be linked with information provided in an electronic transaction at the site, or when subscribing to a free newsletter or mailing list.
Generally one website will not be able to read cookies issued and lodged on a user's computer by another website. Agreements between websites to share cookie information may allow a very detailed profile of a user's surfing patterns to be built, provided identity is established by other information. It is this type of arrangement that the new privacy laws are aimed at prohibiting without the person's consent.
Web browsers can be configured to disable cookies, or to display a warning prompt before accepting them. The capacity of a browser to accept cookies can be turned off.
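The following is an added illustration, not part of the original fact sheet, of the two points made above: a cookie on its own is normally an opaque identifier, and a browser only returns a cookie to the site that issued it. It uses only the Python standard library's cookie jar (the same scoping rules a browser applies); the host names shop.example and news.example, the Set-Cookie header and the function names are constructed for the example. The audit_set_cookie helper is also an addition, checking a site's own cookie for the Secure and HttpOnly flags and for a bounded lifetime, which is one small, concrete way of meeting the NPP requirement to protect personal information and not hold data longer than needed.

```python
"""Added example: cookie scoping and a simple cookie-attribute audit.

Standard library only. shop.example, news.example and SHOP_SET_COOKIE are
constructed sample values, not taken from any real site.
"""
import email.message
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from urllib.request import Request

# Constructed header a shop site might send on a first visit. The value is an
# opaque identifier; by itself it reveals nothing about the person.
SHOP_SET_COOKIE = "visitor=a7f3c9e1; Path=/; Max-Age=2592000; Secure; HttpOnly"


class _StoredResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def store_cookies(jar, site_url, set_cookie_headers):
    """Record cookies as a browser would after a response from site_url."""
    jar.extract_cookies(_StoredResponse(set_cookie_headers), Request(site_url))


def cookies_sent_to(jar, site_url):
    """Return the Cookie header a browser would attach to a request to site_url,
    or None when no stored cookie belongs to that site (or the scheme forbids it)."""
    req = Request(site_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def audit_set_cookie(header):
    """Report, per cookie in a Set-Cookie header, whether it is sent only over
    TLS (Secure), hidden from page scripts (HttpOnly) and given a bounded
    lifetime (Max-Age or Expires) rather than living indefinitely."""
    parsed = SimpleCookie()
    parsed.load(header)
    report = {}
    for name, morsel in parsed.items():
        report[name] = {
            "secure": bool(morsel["secure"]),
            "httponly": bool(morsel["httponly"]),
            "bounded_lifetime": bool(morsel["max-age"]) or bool(morsel["expires"]),
        }
    return report


if __name__ == "__main__":
    jar = CookieJar()
    store_cookies(jar, "https://shop.example/", [SHOP_SET_COOKIE])
    # Returned to the issuing site over HTTPS...
    print("shop.example :", cookies_sent_to(jar, "https://shop.example/account"))
    # ...but not to a different site, and not over plain HTTP because of Secure.
    print("news.example :", cookies_sent_to(jar, "https://news.example/"))
    print("http shop    :", cookies_sent_to(jar, "http://shop.example/"))
    print("audit        :", audit_set_cookie(SHOP_SET_COOKIE))
```

The jar never hands the shop's cookie to news.example; any cross-site profile therefore has to be assembled by the sites agreeing to exchange the identifiers they each hold, which is exactly the arrangement the text describes. The audit is deliberately narrow: it judges the cookie's own attributes, not what the site links to it server-side.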
Cloaking technologies also exist to provide a user with untraceable encrypted email and anonymous browsing and internet chat.
6. Breach of the National Privacy Principles
A person may make a complaint to the Privacy Commissioner who has the power to:
(a) investigate complaints;
(b) investigate an act or practice that may be a breach of privacy even if no complaint has been made; or
(c) seek an order (injunction) from the court to stop your business from engaging in conduct that does or would breach the law.
If a business fails to comply with a decision of the Privacy Commissioner, the Privacy Commissioner can ask a court to order the business to comply. A business that fails to comply with a court order commits an offence.