Australia: Privacy Awareness Week - the importance of going back to basics on data protection
May 7, 2023 saw the conclusion of Australia's annual Privacy Awareness Week (PAW). PAW is run by the Office of the Australian Information Commissioner (OAIC) in conjunction with state and territory privacy regulators and the Asia Pacific Privacy Authorities forum. Katherine Sainty and Ottilia Thomson, from Sainty Law, discuss the theme of PAW 2023 and the privacy basics that businesses need to consider.
The event seeks to raise awareness of privacy issues and the importance of protecting personal information, and to assist organizations in meeting their obligations under the scheme of federal, state, and territory privacy laws in Australia.
The theme of PAW 2023 was 'Privacy 101: Back to Basics', in which the OAIC reminded organizations that going back to basics and focusing on compliance at the collection phase protects personal information. Rapid developments in legal technology have highlighted the need to get the basics right and ensure a robust privacy foundation to support the increasing use of technology and data to deliver services.
Where should businesses look to get the basics right?
The Australian Privacy Principles (APPs), which are a set of principles that form the basis of the privacy protection framework under the Privacy Act 1988 (Cth) (Act) in Australia, prohibit organizations from using or disclosing personal information for a purpose other than that for which it was collected.
PAW saw the OAIC, and other government bodies, offer a range of webinars and resources in relation to this theme and the privacy framework. These explained practical ways to implement the privacy regime within organizations and businesses. For example, a PAW Lightning Talk by the Office of the Victorian Information Commissioner (OVIC) discussed the importance of focusing on compliance at collection, as it is the first step in the information life cycle. This was further highlighted on the OAIC's website in the PAW 2023 resources section.
PAW sought to increase the understanding of collection requirements in organizations, so they are more readily able to meet their privacy obligations, better manage risk, and reduce compliance costs.
Organizations must understand why they collect personal information before commencing collection. This Privacy by Design approach enables them to adopt business practices which manage privacy risks and legal compliance proactively.
Reasonably necessary collection
The OAIC emphasized that an organization is generally only able to collect personal information where it is 'reasonably necessary' for the organization's functions or activities (APP 3). Assessing what is 'reasonably necessary' is an objective test that the OAIC has stated it will interpret narrowly. While an organization may have a wide range of 'functions' or 'activities,' it cannot over-collect personal information.
The OAIC reminded organizations they are only able to use and disclose an individual's personal information:
- for the 'primary purpose' it was collected in accordance with the consent provided by the individual;
- in ways that an individual would reasonably expect; or
- if an exception at law applies (APP 6).
PAW highlighted that over-collection increases an organization's obligations with limited additional commercial value. For example, an organization must take reasonable steps to protect the personal information it collects and destroy it once it is no longer needed (APP 11). If an organization over-collects personal information, its compliance costs to manage and destroy that information will increase. Unless the 'primary purpose' in the collection statement has been widely defined and validly consented to, the organization will bear those compliance costs without deriving any additional use of the information.
Over-collection of personal information drastically increases an organization's risk in the event of a data breach. Under the Act's Notifiable Data Breaches Scheme (NDB Scheme), organizations are required to notify affected individuals and the OAIC when a data breach occurs that is likely to result in serious harm. If organizations over-collect data, they are more susceptible to suffering a notifiable data breach, increasing their obligations under the NDB Scheme.
What does this mean for your organization?
With the conclusion of PAW, organizations should reflect on the week by going back to basics and adopting business practices that embed Privacy by Design. For many organizations, going back to basics involves assessing their privacy practices at the collection stage. Scaling back collection will reduce the likelihood and impact of data breaches, lower compliance costs, and reduce the risk of a financial penalty under the Act for mismanagement of personal information.