Commonwealth Numbered Regulations - Explanatory Statements



PRIVACY (PRIVATE SECTOR) AMENDMENT REGULATIONS 2007 (NO. 3) (SLI NO 236 OF 2007)

EXPLANATORY STATEMENT

Select Legislative Instrument 2007 No. 236

Issued by the Authority of the Attorney-General

Privacy Act 1988

Privacy (Private Sector) Amendment Regulations 2007 (No. 3)

The Privacy Act 1988 (the Act) requires, among other things, that the acts and practices of private sector organisations comply with the National Privacy Principles (NPPs) when collecting, using, disclosing or storing personal information, subject to specified exemptions.

Subsection 100(1) of the Privacy Act 1988 (the Act) provides that the Governor‑General may make regulations, not inconsistent with the Act, prescribing matters required or permitted by the Act to be prescribed, or necessary or convenient to be prescribed for carrying out or giving effect to the Act.

The primary purpose of the Regulations is to amend the Privacy (Private Sector) Regulations 2001 (Principal Regulations) to provide that a small business which operates a residential tenancy database (RTD) and undertakes certain acts and practices will be an organisation for the purposes of the Act. The effect of this amendment is that a small business operator of a RTD who collects, maintains, uses or discloses personal information is required to comply with the Act, in particular the NPPs. This amendment removes any uncertainty about the application of the NPPs to RTD operators.

Subsection 6C(1) of the Act states that small business operators are excluded from the definition of ‘organisation’ for the purposes of the Act. The actions of a small business operator are therefore exempted from the operation of the Act. A small business is defined under subsection 6D(1) as a business with an annual turnover of $3 million or less for the previous financial year.

Paragraphs 6D(4)(c) and (d) of the Act provide that the small business exemption does not apply to small businesses who trade in personal information. However, where a small business that trades in personal information can show that an individual consents to the use and disclosure of their personal information (subsections 6D(7) and (8)), then the small business exemption will apply. This may create uncertainty as to whether the NPPs apply to any or all personal information held by a RTD operator, depending on whether it regularly collects personal information with the consent of individuals or not.

Public concern over the use of RTDs led to the establishment of a joint Standing Committee of Attorneys-General and Ministerial Council on Consumer Affairs Working Party on RTDs. The Working Party in its Report on Residential Tenancy Databases (Working Party report) recommended that the Commonwealth make certain the application of the Act to RTDs by making regulations under section 6E of the Act to prescribe RTDs as organisations for the purposes of the Act. This recommendation followed on from a similar recommendation made by the Privacy Commissioner in her report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988. The Government supported the recommendation of the Working Party report and the Regulations give effect to the Government’s response.

A Regulation Impact Statement (RIS) was prepared detailing the cost-benefit assessment of the recommendations put forth in the Working Party Report. The RIS found that while there can be administrative costs and inconvenience incurred by a small business operator (relative to the size of the firm) when complying with the Act, strong privacy regulation is favoured where small businesses pose a high risk to privacy. It was found that regulation under section 6E was justifiable as RTD operators deal in a lot of personal information about tenants, receive a significant number of complaints and the consequences of error, inaccuracy or compromise of the personal information can lead to significant difficulties for tenants securing access to rental accommodation. The Regulations make clear to all RTD operators that the Act applies to their operations.

Subsection 6E(2) of the Act provides that regulations may prescribe particular acts and practices of small business operators as those of an organisation for the purpose of the Act. The Regulations amend the Principal Regulations by inserting new regulation 3AA.

Details of the Regulations are set out in the Attachment.

The Regulations are a legislative instrument for the purposes of the Legislative Instruments Act 2003.

These Regulations will commence on 1 December 2007 to allow small business operators of RTDs sufficient time to comply with the requirements of the Act.

The Australian Government consulted with the Office of the Privacy Commissioner as well as relevant RTD operators, tenants unions, real estate and privacy stakeholders on the amendments.

 


ATTACHMENT

PRIVACY (PRIVATE SECTOR) AMENDMENT REGULATIONS 2007 (No. 3)

Regulation 1 describes how the Regulations are to be cited.

Regulation 2 provides that the Regulations commence on 1 December 2007.

Regulation 3 provides that the Privacy (Private Sector) Regulations 2001 (the Principal Regulations) are amended in accordance with Schedule 1 to the Regulations.

Schedule 1, Item 1 – After regulation 3

This item inserts a new regulation 3AA – ‘Small business operators treated as organisations’ after regulation 3 of the Principal Regulations.

New subregulation 3AA(1)

Section 6C of the Act contains an exemption for small business operators. A small business is defined under subsection 6D(1) as a business with an annual turnover of $3 million or less for the previous financial year. Subsection 6D(3) defines a small business operator as an individual, body corporate, partnership, unincorporated association or trust that operates one or more small businesses, without carrying on a business that is not a small business. New subregulation 3AA(1) prescribes a small business operator that operates a residential tenancy database as an ‘organisation’ for the purposes of subsection 6E(2) of the Act. The effect of this subregulation is that where a small business is found to operate a residential tenancy database as defined in new subregulation 3AA(3), it will fall outside of the small business exemption.

New subregulation 3AA(2)

New subregulation 3AA(2) prescribes the particular acts and practices relevant to the operation of a residential tenancy database by a small business operator as the acts and practices of an organisation for the purposes of subsection 6E(2) of the Act. By describing the acts and practices relevant to the operation of a residential tenancy database, all small business operators that operate a residential tenancy database would be captured regardless of whether they in fact describe themselves as such a business.

Note 2 to subsection 6E(2) provides that regulations may prescribe an act, practice or small business operator by reference to one or more classes of acts, practices or small business operators. The relevant acts and practices are prescribed in new paragraphs 3AA(2)(a)-(c).

New paragraph 3AA(2)(a) prescribes any act done or practice engaged in by a small business operator, in connection with collecting personal information for the purpose of establishing or maintaining a residential tenancy database, as an act or practice of an organisation for the purposes of the Act.

New paragraph 3AA(2)(b) prescribes any act done or practice engaged in by a small business operator, in connection with maintaining personal information on a residential tenancy database, as an act or practice of an organisation for the purposes of the Act.

New paragraph 3AA(2)(c) prescribes any act done or practice engaged in by a small business operator, in connection with using or disclosing personal information that is stored on a residential tenancy database, as an act or practice of an organisation for the purposes of the Act.

New subregulation 3AA(3)

New subregulation 3AA(3) provides a definition of residential tenancy database. The definition focuses on two elements of a residential tenancy database which would be outlined in new paragraphs 3AA(3)(a) and (b). Both paragraphs 3AA(3)(a) and (b) need to be satisfied in order for a database to be considered a residential tenancy database.

New paragraph 3AA(3)(a) defines a residential tenancy database as a database that stores personal information in relation to an individual’s occupation of residential premises as a tenant. The definition ensures that any database operated by a small business operator that stores the personal information of tenants is included.

New paragraph 3AA(3)(b) requires that, in addition to fulfilling the requirements in new paragraph 3AA(3)(a), it is a database that can be accessed by a person other than the operator of the database or a person acting for the operator. This encompasses those databases where a third party can access the database directly (whether by paying a fee or not) or it can be accessed by the operator of the database on behalf of a third party.

By defining residential tenancy databases as databases accessible by persons other than an operator or a person acting for that operator, parties that maintain in-house databases for their own risk assessment or internal purposes are not intended to be captured. An example of a database that is not a residential tenancy database would be one operated by a real estate agency for access only by a person employed by that agency.

 

