Organisations Information Kit
Privacy Obligations in Community Organisations
This factsheet gives you some basic information on privacy issues in community organisations. Sections include:
Do I Need to Comply with the Privacy Act 1988?
If your association holds personal information about any individual, trades in personal information, provides health services or holds certain categories of employee or other personal information, then you may need to comply with the Privacy Act 1988 (Cth).
"Personal information" is defined broadly in the Privacy Act 1988 as being:
"information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."
The Privacy Act 1988 applies to private sector organisations (including not-for-profit organisations) such as:
- Individuals who collect, use or disclose personal information in the course of business;
- Companies incorporated under the Corporations Act 2001;
- Incorporated associations; and
- Unincorporated associations, partnerships or trusts.
Does Everyone Need to Comply?
Businesses and associations with an annual turnover of $3 million or less (referred to in the Privacy Act 1988 as "small businesses") generally are not required to comply with the Act. However, since 21 December 2002 some small businesses and associations in this category have been required to comply with the Act. The small business or association will need to comply with the Act if it:
- Is related to a business or association (i.e. a holding company, subsidiary company or other affiliated association or organisation) that has an annual turnover greater than $3 million;
- Provides a health service and holds health information other than in an employee record;
- Trades in personal information (i.e. discloses personal information about another individual to anyone else for benefit, service or advantage or provides a benefit, service or advantage to someone else to collect personal information about another individual); or
- Is acting as a contract service provider to the Commonwealth government (even as a subcontractor under a head contract).
How Do I Comply?
Complying with the Act will generally involve letting people know:
- That you collect personal information;
- What you will do with this information and to whom you may disclose it;
- What information you hold about them if they ask; and
- How you will keep the personal information safe.
If your association is required to comply with the Privacy Act 1988 you should consider conducting a "privacy audit". Basically this involves reviewing your association's information handling practices to ensure that:
- You collect personal information by fair and lawful means;
- At the time you collect personal information from an individual you provide details about the purpose for collecting the personal information, how you will use the personal information that you have collected and to whom you will disclose it;
- You have appropriate arrangements in place for providing individuals with access to the information you hold about them, including procedures for the correction or alteration of the information;
- You have adequate security measures for the protection of personal information in hard copy and electronic form;
- Any outsourcing arrangements you may have in place involving the transfer of personal information comply with the requirements of the Privacy Act 1988; and
- You have appropriate storage facilities for personal information and you dispose of personal information when it is no longer required for the purpose for which you originally collected it.
Health Records
The Health Records (Privacy and Access) Act 1997 (ACT) covers health records held in the public sector in the ACT and also applies to acts or practices in the private sector not covered by the Privacy Act 1988. If you are a health service provider or handle health-related personal information this Act may apply to you.
The Health Services Commissioner at the ACT Human Rights Commission can provide more information about the use of the Health Records (Privacy and Access) Act 1997.
Useful Web Resources
- The website of the Office of the Privacy Commissioner provides further information about the operation of the Privacy Act 1988.
This website does not constitute legal advice. ACTCOSS does not warrant or guarantee the currency, accuracy or completeness of information contained on this website. For further information, read our disclaimer.