Background:

Whilst RMIA is not bound by the Privacy Legislation, as the Act refers to Companies whose turnover is more than $3 million p.a. RMIA acknowledges and takes seriously its obligations under the Privacy Act 1998 (as amended by the Privacy Amendment Private Sector Act 2000) and the associated 13 Australian Privacy Principles (NPPs).

Policy:

Any personal information that RMIA’s members will provide us with will be treated in the strictest confidence. The information will be used by RMIA for the purposes for which it is gathered or could reasonably be expected to be used.

The core strategies include:

  • RMIA will take all reasonable steps to secure the confidentiality of your information.
  • Information collected from its members may be used to communicate and inform them about RMIA activities products and services.
  • RMIA will look to implement reasonable procedures that will ensure compliance with the Policy and the associated 13 Australian Privacy Principles (NPPs).

Definition: What is Personal Information

Personal information is defined as information or opinion about an individual whose identity is apparent or can reasonably be ascertained from the information. The definition covers paper files, electronic records, photographs, etc. Matters not included in the definition include:

  • Information about an individual that is contained in a publicly available publication;
  • A number of exemptions relating to law enforcement.

Summary of the Australian Privacy Principles

Principle 1 – Openness

An organisation must have documented and accessible policies with regard to the management of personal information and must also inform a person, upon request, of the sort of personal information that it holds, the purposes for which it is held and how the information is collected, held, used and disclosed.

Principle 2 – Anonymity

Unless unlawful or impractical, individuals must be given the option of not identifying themselves when transacting with an organisation.

Principle 3, 4 & 5 – Collection of personal information

An organisation is prohibited from collecting personal information unless the information is necessary for one or more of its functions. An organisation must not collect personal information other than in a lawful, fair and not unreasonably obtrusive way and must disclose certain information at or before the time it collects personal information, including its identity and the purpose for which the information is collected. Additionally (subject to some exceptions) organisations should only collect personal information about individuals from the individuals themselves.

Principle 6 & 7 – Use and disclosure of personal information & direct marketing

Subject to some exceptions, an organisation is prohibited from using or disclosing personal information for a purpose other than the primary purpose for which it was collected. Exceptions include:

  • where the individual has consented;
  • where the secondary purpose for which the personal information will be used is related to the primary purpose and a person would reasonably expect the personal information to be used or disclosed in that way; and
  • the use of non-sensitive personal information in direct marketing, subject to conditions, (which include a right for the individual to opt-out of further direct marketing after the first contact).

Principle 8 – Cross-border disclosure of personal information

Essentially this principle applies to transfers of information outside Australia, the intention being that effective privacy protection must be ensured in respect of such transfers, subject to limited exceptions, including where the individual has consented or where there is evidence of reasonable steps undertaken by the organisation to ensure that any information transferred will not be held, used or disclosed inconsistently with the NPPs.

Principle 9 – Government related Identifiers

In general terms there is a prohibition on the use by organisations for their own purposes of identifiers assigned by Government agencies (such as tax file numbers, and Medicare numbers).

Principle 10 – Data quality

An organisation must take reasonable steps to ensure the accuracy and currency of personal information in its possession.

Principle 11 – Data security

An organisation must take reasonable steps to secure the personal information in its possession from misuse and loss and from unauthorised access, modification or disclosure, and must destroy or de-identify the information if it is no longer needed.

Principle 12 – access to personal information

Other than in exceptional circumstances, an organisation is not permitted to collect sensitive information, defined to mean information or an opinion (which is also personal information, as defined) about an individual's racial or ethnic origin; political opinion; membership of a political association; religious beliefs or affiliation; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual preferences or practices; criminal record; or health. Exceptional circumstances include where the individual has consented or where the collection is necessary for the protection of an individual who is physically incapable of giving or communicating consent.

Principle 13 - correction

An organisation must provide individuals with access to personal information held about the individual, other than in exceptional circumstances, and incorporate processes for the correction of the information on the request of the individual, or if there is some disagreement as to the correction, allow a statement to be associated with the information noting that the individual desires a correction.

Further information on the Australian Privacy Principles (APP) can be obtained from the Australian Privacy Principles guidelines issued by the Office of the Information Commissioner. The full text of the APPs can be found at the Information Commissioner's website: http://www.oaic.gov.au/