Five minutes to midnight: the new privacy laws

Of course, most brokers will have received instructions, training, manuals and attended seminars on privacy sponsored and provided by the financiers with which they deal. These organisations are mostly concerned with the effect of the new laws on consumer credit reporting. This is quite understandable as consumer credit has always been the most difficult area of privacy law. There is a new Credit Reporting Code and requirements for membership of an External Dispute Resolution scheme, something quite familiar to most brokers.

What many brokers may not realise is the effect of the new laws on their own businesses quite apart from the collection of credit information for financiers. One of the most valuable assets of any business which provides personal services, like a broker, is the client list. This contains personal information such as names, addresses, contact numbers, email addresses and even birthdays. For most brokers, the “small business” exemption will apply at the point of collection. This exemption is lost, however, if the broker wants to supply this personal information to any third party, such as buyer of their business. At that point, consent to the transfer must be obtained from each and every client on the list. This may be an expensive exercise which may induce negative responses and feelings on the part of clients. It may actually devalue the very asset the broker is trying to sell.

Most brokers operate websites many which allow for the collection of “diagnostic” information about visitors to their websites, many of whom will never become clients and, therefore, will never provide any of the consents about information collection and use which Privacy Act compliance requires. This diagnostic information can be very useful for internal management of the business and the website itself. It can also be used for marketing purposes. While such diagnostic information does not always identify individuals, sometimes it can and its use, without consent, will be a breach of the Act.

While employee records are themselves exempt from the application of most provisions of the Act, personal information collected from job applicants, who are not yet employees, is not. Job applications often contain very personal information and, if disclosed to third parties without the consent of the applicant, can be the basis for quite serious breaches of the Australian Privacy Principles, leading to possible fines.

Fortunately, all these problems, and others, can be addressed relatively simply by combinations of notices and consents. All businesses, whether accessing the credit reporting system or not, need to review their Privacy Policies, their Consent Forms and the ways in which they collect, store, secure, use, share and transmit personal information.

While the world won’t end on 12 March 2014 and the Office of the Information Commissioner is unlikely to come down with a heavy hand on every non-compliant business immediately, that date is still significant. If, two or three years down the track, your business is the subject of a privacy complaint or audit, the Commission will be able to look back as far as that date to assess what you did about complying with the new privacy laws. Best to get things right up front and early.

Dr Paul O'Shea, director and principal solicitor of O’Shea Lawyers Pty Ltd

Dr Paul O’Shea is the director and principal solicitor of O’Shea Lawyers Pty Ltd. He has conducted some of the leading cases in consumer credit law.  He has advised governments, consumer groups and industry. Dr O’Shea has published widely and conducted many seminars for the Queensland Law Society, state and federal governments and private agencies in Australia, Singapore, Thailand, Brunei and China and is currently a member of the Investment, Life Insurance and Stock Broking Panel of the Financial Ombudsman Service. He also has advised other industry dispute resolution schemes and has been a member of the Banking and Finance Committee of the Queensland Law Society for more than 15 years.  He is the author of The Legal Environment of Business published by Thomson Reuters and his most recent publication is a chapter on “Regulatory Powers” in the 2013 Federation Press book Consumer Law and Policy in Australia and New Zealand.