Privacy

22 Sep 2016 - 16:29 | Version 15 |

Contributed by CarolineNorrington and current to 1 May 2016

Privacy laws only apply to some organisations

Privacy laws regulate the way personal information should be collected, handled, or communicated. As an individual, you have a right to complain if a regulated organisation breaches your privacy.

NT Government bodies are bound to follow privacy laws set out in the Information Act (NT) (NTIA). 'Government bodies' means public sector organisations (NTIA s 5), and includes Departments, Councils, as well as some other bodies created by legislation. If a private business is performing a service for the NT Government, then it is also bound to follow the NTIA privacy laws when it is handling personal information in providing that service. The private business is not otherwise bound to follow the NTIA.

Commonwealth Government bodies are bound to follow the Privacy Act 1988 (Cth) (Cth PA).

Many private businesses are also bound to follow the Cth PA, including:
  • any business with an annual turnover of $3 million or more;
  • health service providers and businesses that trade in personal information regardless of their turnover;
  • credit providers.

Private individuals and small businesses that are not regulated by the Cth PA are not subject to particular privacy laws. If an individual breaches your privacy:
  • by secretly recording you, this may be a breach of the Surveillance Devices Act (NT);
  • by sharing information you have provided in confidence, this may be grounds to sue them for an equitable breach of confidence (see Wilson v Ferguson [2015] WASC 15);
  • in a way that results in sexual harassment in certain circumstances, this may be a breach of s 22 of the Anti-Discrimination Act (NT).

The rest of this chapter on privacy deals with the legislative frameworks that bind organisations.

Conduct that breaches Privacy Principles

The privacy rules that organisations are required to adhere to are:

Collecting unnecessary personal information

An organisation or agency should not collect your personal information unless they really need it in order to carry out their functions (NTIA IPP 1; Cth PA APPs 3 and 4). An organisation should give you the option to enter into any transactions anonymously where practicable (NTIA IPP 8; PA NPP 8), and should only collect 'sensitive information' in certain limited circumstances (NTIA IPP 10; Cth PA APP 2). Sensitive information includes information about your racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record, or health (NTIA s 4; Cth PA s 6). The Commonwealth definition of sensitive information also specifically includes biometric data. Sensitive information should usually only be collected if you consent, if collection is required by law or for legal proceedings.

Sneaky or intrusive collection of personal information

Wherever possible, an organisation should only collect personal information about you directly from you with your knowledge (NTIA IPP 1; Cth PA APP 3). It should do so lawfully and fairly (NTIA IPP 1; Cth PA APP 3). At the time of collecting the information the organisation should make sure that you are aware why your information is being collected, the purpose for which it will be used, the consequences of not providing the information, who that information is likely to be disclosed to, and the fact that you have a right to access that information (NTIA IPP 1; Cth PA APP 3). At any time, you should be able to contact an organisation and find out the kind of personal information they hold, as well as how to go about accessing personal information that was collected from you (NTIA IPP 5; Cth PA APP 1).

Using your personal information for an unauthorised purpose

Organisations are supposed to only use and disclose your personal information for the purpose for which they collected it, which is known as the 'primary purpose' (NTIA IPP 2; Cth PA APP 6). Information can be used or disclosed for a secondary purpose with your consent.

Information can also be used or disclosed for a secondary purpose if it is related to the primary purpose, and is the kind of purpose for which you would reasonably expect the organisation to use your information. If the information is sensitive information, the secondary purpose must be very closely or 'directly' related to the primary purpose.

Information can also be used or disclosed for a secondary purpose if it is required or authorised by law, to prevent serious harm, to investigate wrongdoing and to assist law enforcement agencies. APP 7 limits the use of personal information for direct marketing to when a list of pre-conditions is met.

Failing to take proper care of your information

An organisation must take reasonable steps to protect your personal information from misuse, loss, unauthorised access, modification or disclosure (NTIA IPP 4; Cth PA APP 11). What constitutes 'reasonable steps' varies on a case-by-case basis, and can depend on the size and available resources of the organisation. The organisation should use locks and passwords as appropriate. Your personal information should only be discussed by and made available to the employees who need it in order to do their job.

Keeping information that is past its 'use-by date'

NT Government and private sector organisations are required to destroy information about you which is no longer needed (NTIA IPP 4; PA APP 11). Government organisations usually have 'disposal schedules', which are guidelines for the disposal of old and obsolete information. An organisation can keep information if they de-identify it, which means removing your name and any other details that would reveal that the information is about you.

Collecting and keeping inaccurate information

The organisation must take reasonable steps to ensure your information is accurate, complete and up to date (NTIA IPP 3; Cth PA APP 10). Reasonable steps means what is reasonable in all the circumstances. You can ask an organisation to correct information they hold about you. If they refuse, they should provide you with reasons for that refusal (NTIA IPP 6; Cth PA APP 13).

Whether information is 'complete' and 'up to date' will be judged according to the purpose or purposes for which the information is kept or is to be used or disclosed. For example, what is required of an organisation to act to ensure accuracy may be greater if the information comprises a record of serious criminal conduct than if it relates to your eye colour. And, it is likely to be greater if the organisation is about to make a decision to your detriment, than if the information is merely historical information that remains on a closed file.

Refusing to let you access your personal information

An organisation should provide you with access to your personal information (NTIA IPP 6; Cth PA APP 12). Exceptions to this rule include where providing access would: be unlawful, prejudice the health and safety of an individual or the public in general, prejudice an investigation into unlawful behaviour, or prejudice the organisation if it is currently negotiating with you.

Note that for the NT scheme, IPP 6 provides an alternative scheme for accessing information to FOI (see Freedom of Information). Like the FOI access scheme exemptions, there are a series of reasons why an organisation can refuse access to information. Many of the exceptions are similar to FOI exemptions but there are some differences. One of the exceptions arises if 'denying access is required or authorised by law'. This allows refusal of access to information based on any of the FOI access exemptions. In general terms, the requirements for, and procedures involved in, the FOI access scheme are more concrete, and spelled out in more detail, than the Privacy access scheme. Similar considerations apply in relation to access to information held by Federal agencies.

Giving you a number

Creating a number or code-name for you is known as giving you a 'unique identifier'. Examples include your tax file number or driver's licence. NT Government and private sector organisations are significantly limited in the creation, adoption and use of unique identifying numbers or codes (NTIA IPP 7; Cth PA APP 9).

Letting your information leave the NT

An NT Government organisation should not transfer your information outside the Territory without your consent unless they are required to by law, or unless they are satisfied that the foreign recipient is bound to comply with rules similar to the NTIA IPPs (NTIA IPP 9). Private sector organisations should not transfer your information outside Australia without your consent unless they are required to by law, or unless they are satisfied that the foreign recipient is bound to comply with rules similar to the APPs (Cth PA APP 8).

Making a privacy complaint

You should first contact the organisation or agency who you believe has breached your privacy and ask to speak to the person responsible for privacy matters. Explain what you want or what you are unhappy with and see if the matter can be resolved at this level.

Northern Territory matters

If your concern is not resolved, you can complain to the Information Commissioner. Your complaint must be made within 12 months of becoming aware of the issue. There is no fee for making a complaint about a breach of privacy either to the organisation or to the Information Commissioner.

Please note that there are some exceptions to the IPPs. These include certain functions of courts and tribunals (NTIA s 69), and law enforcement agencies (NTIA s 70).

Federal matters

If your concern relates to a Federal Government agency or a private sector organisation that is bound by the Cth PA, you can complain to the Office of the Australian Information Commissioner. You should send a copy of your letter or any other written contact you have had with the organisation and a copy of any response you received from them with your complaint. You should lodge this complaint within 12 months of becoming aware of the issue. Upon lodging the complaint you should think about how you want the matter resolved and make this clear to the Commissioner.

The Commissioner will then investigate your complaint and attempt to resolve the matter by communicating with the organisation and you. This is the process of conciliation. The Commissioner may also make a decision if the matter cannot be resolved informally.

Use of surveillance

The use of surveillance devices by persons in the NT is covered by the Surveillance Devices Act 2000 (NT) (SDANT). An individual or business cannot use a surveillance device to record your private activities or conversations without your consent. SDANT also sets out procedures which law enforcement officers such as police must follow when using such devices. Additional procedures for law enforcement officers are set out in the Surveillance Devices Act 2004 (Cth).

Meaning of 'private'

A private activity or conversation is one carried out in circumstances which indicate that the people involved desire it to be observed only by themselves. A private conversation can be private even if it is carried on in a public place. On the other hand, an activity or conversation where the parties ought reasonably to expect that they may be observed or overheard is not private.

What is a surveillance device?

Surveillance devices include: a device which monitors the information being placed on or retrieved from a computer, an optical device such as a camera or telescope, a listening device that allows someone to listen to or record a private conversation, and a tracking device. Devices such as glasses or hearing aids which are used to overcome a physical impairment are not surveillance devices for the purposes of the legislation.

Penalties for unlawful use of surveillance devices

There are a number of offences which are relevant to unlawful surveillance devices:
  • It is an offence to publish a record or report of a private conversation or private activity made with a surveillance device (except in some limited circumstances) (SDANT s 15). A surveillance device includes most devices which record visual or audio information of conversations or activities (SDANT s 4).
  • It is an offence to sneakily record private conversations or activities to which you are not a party (SDANT ss 11, 12, and 13), although it is allowable in very serious emergencies (SDANT ss 43, 44).
  • Being in possession of a surveillance device that is an 'interception device' (for example, for tapping a phone) is a Federal offence (Criminal Code (Cth) s.474.4).
  • Possessing any surveillance device that is intended for unlawful use is an offence (SDANT s.66).

Stalking and harassment

If someone is keeping you under surveillance and not necessarily using a surveillance device, other applicable offences may include unreasonably disrupting your privacy (Summary Offences Act (NT) s.47), and unlawful stalking (Criminal Code (NT) s.189).
