23 February 2017

Transport operators often ask us about privacy issues. This is usually because they handle sensitive information (such as criminal records and drug and alcohol test results) or because they receive requests from their customers for various personal records for compliance and safety purposes. In this article, we set out ten of the most commonly asked questions with brief answers.

Of course, these answers are intended as general guidance only and you should seek specific legal advice in relation to your own circumstances.

1. When does a business need to comply with the Privacy Act?

Businesses that need to comply with the Privacy Act (the Act) include all private sector and not-for-profit organisations that have an annual turnover of more than $3 million. While most small businesses with an annual turnover under $3 million do not need to comply with the Act, there are certain circumstances where a small business does need to comply. This checklist on the Office of the Australian Information Commissioner website provides a useful summary.

2. What is ‘personal information’?
The Act defines ‘personal information’ as information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

Personal information can include an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, employment details and commentary or opinion about a person. It can also include a vocation reference or assessment or commentary on performance, attitude or aptitude.

Whether an individual can be identified or is reasonably identifiable depends on context and circumstances. For example, providing drivers’ licence copies with names and addresses obscured but with photographs included may be ‘personal information’ if the recipient could recognise the driver from the photograph.

3. What is sensitive information?

Sensitive information is a form of personal information that is given a higher level of privacy protection under the Act. The Act defines ‘sensitive information’ as:

(a) information or an opinion about an individual’s:

(i) racial or ethnic origin;

(ii) political opinions;

(iii) membership of a political association;

(iv) religious beliefs or affiliations;

(v) philosophical beliefs;

(vi) membership of a professional or trade association;

(vii) membership of a trade union;

(vii) sexual orientation or practices;

(ix) criminal record;

that is also personal information;

(b) health information about an individual;

(c) genetic information about an individual that is not otherwise health information;

(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or

(e) biometric templates.

For transport operators, drug and alcohol test results, medical screening tests and criminal record checks would all be classified as ‘sensitive information’.

4. When must a business have a privacy policy?

If a business must comply with the Privacy Act (see question 1), it must have a written privacy policy about the management of personal information by the entity.

5. What needs to be in a privacy policy?

The Australian Privacy Principles (APPs) (contained in schedule 1 of the Act) set out rules which regulate the collection, handling and disclosure of personal information. The APPs provide that a privacy policy must contain the following information:

(a) the kinds of personal information that the entity collects and holds;

(b) how the entity collects and holds personal information;

(c) the purposes for which the entity collects, holds, uses and discloses personal information;

(d) how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;

(e) how an individual may complain about a breach of the APPs, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;

(f) whether the entity is likely to disclose personal information to overseas recipients; and

(g) if the entity is likely to disclose personal information to overseas recipients – the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

6. Are employment records covered by the Privacy Act?

Certain private sector employee records are exempt from the operation of the Act. Section 7B(3) of the Act provides:

An act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt … if the act or practice is directly related to:

(a) a current or former employment relationship between the employer and the individual; and

(b) an employee record held by the organisation and relating to the individual.

This means that a private sector employer does not need to comply with the APPs when it handles current and past employee records for something that is directly related to the employment relationship. However, records relating to prospective employees, and subcontractors and employees of subcontractors are not covered by this exemption.

7. Is de-identified personal information covered by the Privacy Act?

De-identified personal information is not covered. This is because, consistently with the definition of ‘personal information’ discussed above, the relevant individual would not be ‘reasonably identifiable’. Personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.

8. What should I do if I receive a request from one of my customers to provide personal information in relation to my drivers or my subcontractors’ drivers?

The answer differs depending on whether the driver is a subcontractor or a current or former employee.

Subcontractors: The APPs provide that individuals’ personal information may only be used or disclosed for the purpose for which it was collected (the primary purpose), unless one of the exceptions to the rule apply. Usually, the records of a subcontractor will not have been collected for the purpose of provision to a customer or third party. However, there are a number of exceptions to this general rule. The most relevant exception from a transport operator’s perspective is where the individual has consented to the use or disclosure of their personal information for another purpose. Transport operators should therefore seek consent (preferably in writing) from a subcontractor before releasing their personal information. This issue can also be dealt with by using a collection statement that explains the purpose of collecting the information at the time the records are obtained.

Current and former employees: As discussed above, employee records are excluded from the operation of the Act if the records are directly related to a current or former relationship between the employer and the individual. This means that transport operators are usually able to provide information to other companies about a person who works for or used to work for the business. However, best practice would be to seek consent from an employee before releasing their personal information, particularly in the case of sensitive information (see question 9 below).

9. Is providing copies of criminal record checks of employees covered by the Privacy Act?

It is clear that criminal record checks are sensitive information. However, it is unclear whether information about an employee’s criminal record is an ‘employment record’ and therefore covered by the exception for employee records. The Australian Human Rights Commission recommends that:

It is best practice for employers to follow privacy principles as closely as possible when dealing with information relating to a person’s criminal record. Breaches of privacy in relation to criminal record can complicate relations between an employee and employer, and may lead to claims of discrimination and breaches of the Privacy Act 1988 (Cth). Employers may also face a potential claim under common law for breaches of privacy and wrongful disclosure of confidential information.

(see ‘On the Record – Guidelines for the Prevention of Discrimination in Employment on the Basis of Criminal Record’)

We therefore recommend that transport operators seek their employee’s consent before disclosing their criminal record.

10. What are the consequences of breaching the Privacy Act?

Individuals or corporations that seriously or repeatedly interfere with the privacy of an individual are liable for fines of up to $360,000 (for individuals) or $1.8 million (for corporations).

 

This publication is for information only and is not legal advice. You should obtain advice that is specific to your circumstances and not rely on this publication as legal advice. If there are any issues you would like us to advise you on arising from this publication, please let us know.