Privacy Act sets boundaries for personal data collection

How long has it been since your company's staff and customer privacy policy was reviewed?


Businesses operate in a very active, transparent, fast paced business environment where emails, social media interaction, websites, online shopping etc are an everyday occurrence. The Privacy Act 1993 promotes and protects individual privacy and imposes controls on the collection, use and disclosure of personal information.

To be effective in running a business we need to have access to relevant, accurate and timely information. The way data is collected and the information used must meet specific legal requirements.

Businesses retain information on employees, customers or member groups. Much of this is personal and confidential - eg names, contact details, email addresses - and as such, is subject to the Privacy Act legislation designed to protect individuals from misuse of personal information by others. It gives them the right to see their personal information and prevents it being processed if it is likely to cause damage or distress. In addition it lays down rules for how that information may be used.

"Personal information" is any information about an individual (a living natural person) as long as that individual can be identified.  The Privacy Act identifies 12 distinct principles in relation to privacy protection - here are three examples:

Purpose of collection of personal information
Information must be collected for a lawful purpose and necessary for that purpose.

Source of personal information
Personal information must be collected directly from the individual concerned - with some exceptions including where the information is publicly available or where the individual has authorised its collection.

Collection of information
Where information is collected from an individual that individual must be aware of several specific matters including that the information is being collected and the purpose for which it is being collected. 

Employers and their employees should never share anyone's personal information with others unless they are satisfied with the proof of identity of the enquirer and/or where the relevant individual has given explicit permission. Examples of misuse include sharing staff details or customer mailing lists with others.

How's the privacy policy at your place, and do your employees understand their responsibilities?

Back to News