|
NEWS - PLANNING
New privacy laws to stretch business resources
11/27/2001
Businesses around Australia are in the final stages of preparing for the new national privacy laws that take effect on December 21.
Many have likened the experience, and the expense incurred, to the hype surrounding the Y2K bug. But there are fundamental differences.
Unlike Y2K, the increased costs associated with the new privacy regime are permanent. They will not go away after December 21. And while Y2K affected the entire community equally, it is now clear that the new privacy rules for business are far more onerous than those that apply to public sector agencies.
This has long-term implications. Competitive neutrality between government and private sector businesses may be at risk if public sector enterprises have greater powers to preserve the secrecy of their essential data and business methods.
After December 21, the new laws allow individuals to seek access to personal information about them held by businesses. It will soon become apparent to business that it will take time and resources to process these requests. In the public sector, such requests are dealt with under freedom of information laws. Government departments and agencies have specialist resources dedicated to those tasks.
Businesses are allowed to refuse an application for access, but only on limited grounds. Public servants have broader grounds on which to refuse access under FOI legislation.
Initially this is understandable, as FOI applications can cover a very broad scope. They do not have to be confined to personal information about the applicant, but can include requests to see Cabinet papers, documents relating to dealings with foreign countries and military information. Such information is generally not accessible under FOI legislation.
There are some grounds for refusing access under FOI legislation that could also be available to the private sector, but are not.
For example, the new privacy laws do not entirely exempt access to information on the grounds of legal professional privilege.
To refuse access to personal information in privileged material that relates to an existing or anticipated legal proceeding will require businesses to refuse on a combination of grounds. There is no guarantee of success.
There also appears to be no basis for an organisation to refuse access to personal information contained in simple legal advice.
Another, and more surprising, example is section 24 of the Freedom of Information Act, which entitles federal public servants to deny access where processing the request would "substantially and unreasonably divert the resources of the agency from its other operations".
This ground is not available to the private sector for personal information collected after December 21.
Relief is allowed for personal information collected before December 21. But as many business records are kept electronically and added to and amended progressively, when does pre-December 21 electronic data become post-December 21 data?
Businesses will also be under some time pressure to provide access. While the new privacy laws contain no express time limits, the Privacy Commissioner's guidelines suggest - borrowing from public sector FOI procedure - that simple requests should be addressed within 14 days and complicated applications in 30 days. And who is going to pay for all this?
Costs are recoverable from the individual, but businesses will most likely be under community pressure to keep charges to a minimum.
The new laws are clear that an organisation cannot charge an individual for lodging a request for access. Charges can only be imposed for processing an application and those charges cannot be "excessive".
The Privacy Commissioner's guidelines suggest that businesses may like to consider not charging more than the "marginal cost of giving the particular access" and waiving or remitting the cost for people receiving a benefit or pension.
Businesses will probably not be able to recover any loss of income caused by the diversion of resources.
It is extremely likely that consumer rights advocates and interest groups will put business under the microscope to ensure compliance with the letter and spirit of the new laws.
It seems inevitable that examples will be made of some businesses, resulting in substantial losses to their reputation and consumer confidence.
|
|
|
