What is the Privacy Act?
The Privacy Act 1988 (Cth) (the Act) commenced operation in Australia in 1990. The Act established a national law that regulates how personal information, including sensitive information (explained below), is collected, used, stored and disclosed. The Act also gives individuals access and correction rights in relation to their own personal information, including sensitive information.
For the purposes of the Act:
- personal information is any information or an opinion about an identified individual, or an individual who is reasonably identifiable (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.
- sensitive information is personal information about a person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices or criminal record, or biometric information that is to be used for the purpose of automated biometric verification or biometric identification or biometric templates.
Throughout the rest of this section and unless stated otherwise, where we refer to ‘personal information’ we include reference to ‘sensitive information’.
What does the Act regulate?
The Act regulates:
- activities which occur within Australia which deal with personal information about individuals living in Australia;
- activities which occur outside Australia but which deal with personal information about individuals living in Australia; and
- activities which occur within Australia but which deal with personal information about non-Australians.
What are the Australian Privacy Principles?
The Act establishes 13 privacy principles to be known as the ‘Australian Privacy Principles’ (or APPs). This will be a single set of principles that will apply to both Commonwealth government agencies as well as private sector organisations in Australia.
The APPs regulate:
- how an organisation collects, uses and discloses personal information that could identify an individual;
- the quality, security and storage of that information; and
- the treatment of sensitive information, health information and employee records.
The following is a limited high-level summary only of some of the APP requirements:
- individuals must now have the option of not identifying themselves, or of using a pseudonym when dealing with an organisation unless the organisation is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves; or it is impracticable for the organisation to deal with individuals who have not identified themselves;
- there are new requirements for entities that transfer personal information including sensitive information overseas. First, they are now responsible for ensuring that the overseas recipient does not breach the APPs, and if the recipient does, they will be responsible for the privacy breaches of the overseas organisation. Second, at the time of collecting the information an organisation will need to inform the individual whether it is likely to disclose their information to overseas recipients, and if so, the countries in which such recipients are likely to be located;
- the entity that collects any personal information including sensitive information, must only collect such information if it is reasonably necessary for, or directly related to, one or more of its functions or activities. If it is not, then the information must not be collected. Further, the collected information can only be used for the purpose for which it was collected and if it is intended to be used for a different purpose then that information cannot be used;
- the organisation that collects any personal information including sensitive information must at or before the time or, if that is not practicable, as soon as practicable after, it collects the information about an individual, notify the individual concerned that it has collected the information and the purpose for which it is to be used;
- organisations have limited use of unsolicited personal information including sensitive information - the organisation must, within a reasonable period after receiving the unsolicited information, determine whether or not they could have properly collected the information. If it cannot establish that it could have collected the information, then provided it is lawful to do so, it is required to de-identify the unsolicited information; and
- an organisation must regulate the use and disclosure of personal information held by it for direct marketing purposes - the current method for addressing this is to include an ‘opt out’ mechanism and only marketing to individuals who have not opted out. However, organisations will, if requested, need to be able to explain how they obtained an individual’s personal information. Individuals can also request an organisation not to use or disclose their personal information in order to facilitate direct marketing by third parties.
Any entity regulated by the Act must be familiar with the APPs.
The Office of the Australian Information Commissioner maintains a website with useful information and links, including the APPs. The site can currently be accessed at: http://www.oaic.gov.au/
What are the procedures for complying with the Act?
For entities that are regulated by the Act, compliance with the Act means that they need to implement practices and procedures that:
- make someone responsible for privacy compliance, including privacy enquiries and complaints, and document a compliance plan for how the organisation proposes to comply with the Act;
- ensure that personal information is, essentially, only used or disclosed for the reason it was collected in the first place; and
- when requested, allow individuals an opportunity to review and correct any personal information held in regards to them.
The REINSW will, to the extent that the Act applies, comply with its obligations under the Act. The REINSW is a member-based organisation whose members are mainly real estate organisations and agents in New South Wales.
The REINSW provides educational and professional development courses to Member and non-Member agents and to the general public.
Personal information including sensitive information (together referred to as ‘personal information’, below) may be collected by REINSW about any student. Personal information will be collected during the enrolment process for a course and during the provision of the learning. The personal information provided or collected from other sources is necessary for REINSW to: (a) consider and assess the learning requirements and needs of the student; (b) if an application for learning is received and learning is subsequently scheduled, REINSW may also use the information including personal information, as required to supply or to procure the supply by third parties of the learning to the student; (c) as part of REINSW’s obligations as a Registered Training Organisation governed by the Vocational Education Training Quality Framework, to supply information including personal information in relation to the student, to the Australian Skills Quality Authority (ASQA) (the national regulator for Australia’s vocational education and training sector), the National Centre for Vocational Education and Research (NCVER), the Department of Education and Communities (DEC) and any other relevant government body or authority; (d) if after learning is supplied, to provide (if appropriate) verification or certification of completion of the relevant learning; (e) if after learning is completed and upon request by the student’s employer who funded the learning, to provide that employer with the student’s learning records and assessment results; (f) process any payment (including without limit the exchange of personal information with the relevant payment provider); and (g) comply with any applicable law.
Personal information collected about the student who receives learning may be disclosed by REINSW, for the purpose for which it was collected, to other parties including third parties engaged by REINSW, ASQA, NCVER, DEC and any other relevant government body or authority, authorised persons (including the student’s employer who funded the learning and those requesting verification or certification of completion of the relevant learning), and relevant payment providers, and otherwise as required by any applicable law. If the information including personal information is not supplied by the student, REINSW may not be able to carry out or procure the services referred to above effectively or at all.
REINSW takes reasonable precautions to protect the personal information it holds from misuse, loss, and unauthorised access, modification or disclosure.
REINSW may also use the attendees’ information including personal information (but not including any sensitive information) for marketing and research purposes, to analyse and improve benefits, products and services and to inform the student of benefits, products and services provided by REINSW, its related entities, preferred suppliers, contractors or other third parties which REINSW considers may be of value or interest to students, unless the student tells or has told REINSW not to. If the student does not wish to receive information about benefits, products and/or services then, to opt out of receiving that information, they can either make the appropriate selection on the relevant enrolment form or contact the Membership Team, for that purpose, at firstname.lastname@example.org or on (02) 9264 2343. Students should allow 10 business days before any opt-out becomes effective.
The student has the right to request access to any personal information held by REINSW which relates to them, unless REINSW is permitted by law (including the Act) to withhold that information. REINSW may charge a reasonable fee where access to personal information is provided (no fee may be charged for making an application to access personal information). Any requests for access to the student’s personal information should be made in writing to the Privacy Officer (specified below). The student has the right to request the correction of any personal information which relates to them that is inaccurate, incomplete, irrelevant, misleading or out-of-date.
If a student requires any further information about REINSW’s management of personal information or has any queries or complaints, they should contact:
The Privacy Officer
The Real Estate Institute of NSW
30-32 Wentworth Avenue, Sydney NSW 2000