It’s become increasingly common for businesses to trade in personal information. Maybe it’s even something that you’re looking to incorporate into your own business model. Or perhaps you’re concerned that your business is inadvertently trading in personal information, and you want to be informed about the consequences of doing so.
When you’re working out whether your business is allowed to trade in personal information, it is important to understand your obligations under privacy law. This is a tricky legal area to navigate, and getting things wrong could see you facing hefty penalties!
What’s The Difference Between Personal Information And Sensitive Information?
Before you can determine whether your business will trade or is trading in personal information, it’s first important to understand what ‘personal information’ actually is, and how it differs from ‘sensitive information’.
According to the Privacy Act, personal information is ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’.
Simply put, personal information is any information that could identify an individual, and can include things such as:
- Name or date of birth
- Contact details (e.g. a residential or business address, or a phone number)
- Internet protocol (IP) address
- Location information from a mobile device
- Credit information
- Voice print or facial recognition biometric
- Sensitive information
- Tax file number information
- Employee record information
Ultimately, whether information will be considered to be ‘personal information’ depends on whether the individual can be identified or is reasonably identifiable in the particular circumstances.
Sensitive information is a category of personal information.
It includes information or an opinion surrounding issues such as an individual’s:
- Racial or ethnic origin
- Sexual orientation or practices
- Religious or philosophical beliefs and affiliations
- Political opinions or associations
- Trade association or union membership
- Criminal record
- Health or genetic information
- Biometric information or templates
Sensitive information generally carries a higher level of privacy protection compared to other types of personal information, as mishandling this type of information has the potential to have a bigger detrimental impact on the relevant individual.
Did You Know?
Personal information does not have to be true and can also include information that’s already publicly available. It’s important to remember the definition of personal information is really broad, and not just captured by the Privacy Act.
Does Your Business Trade In Personal Information?
Now that you understand what constitutes ‘personal information’, the next step is to work out what it means to ‘trade in personal information’.
Trading in personal information involves buying or selling personal information without the consent of the relevant individuals. For example, if a business buys or sells a mailing list without the consent of the individuals contained on that list, the business will be trading in personal information.
Whether your business is said to be trading in personal information generally comes down to the question of consent.
If you collect and/or disclose personal information to someone else for some sort of commercial gain without the consent of the individual(s) to whom the information belongs, you will likely be considered to be trading in personal information. Conversely, if you have the consent of the individual concerned, you will not be trading in personal information. This applies even if you give or receive payment for the personal information.
Another circumstance in which you will not be considered to be trading in personal information is if you are sharing the information because you are authorised or required to do so by law.
The Privacy Act & The Australian Privacy Principles
If your business trades in personal information, you will need to comply with the Privacy Act and the Australian Privacy Principles (APPs).
The APPs are a set of 13 principles you must follow in order to comply with the regulatory framework established by the Privacy Act. You need to understand your obligations under the APPs to avoid interfering with the privacy of an individual, and to also avoid regulatory action and penalties.
The APPs govern the standards, rights, and obligations surrounding:
- How personal information can be collected, used, and disclosed
- Your business’ obligations with regards to governance and accountability
- What rights individuals have when it comes to accessing their personal information
- The integrity and correction of personal information that has been collected
Your Business’ Obligations Under The APPs
We’ve put together a quick summary of your business’ obligations under the APPs. Abiding by these principles will ensure you don’t get into legal trouble when trading in personal information.
APP 1. Open and transparent management of personal information
- Your business must take reasonable steps to implement practices and procedures that ensure compliance with the APPs (and other binding registered APP codes), as well as to ensure that your business is equipped to deal with related inquiries and complaints.
APP 2. Anonymity and pseudonymity
Individuals must have the option of dealing anonymously or under a pseudonym.
There are two exceptions that arise in certain circumstances:
- Where your business is required or authorised by law, or a court or tribunal order, to deal with identified individuals; or
- Where it is impracticable to deal with individuals who have not identified themselves.
APP 3. Collection of solicited personal information
When you can collect personal information differs according to whether your business is an agency or an organisation, and whether the information contains sensitive information.
- If your business is an agency, you may only solicit and collect personal information that is reasonably necessary for, or directly related to, for your business’ functions or activities
- If your business is an organisation, personal information can only be collected or solicited if it is reasonably necessary for your business’ functions or activities
- Generally, if the information is sensitive information, the individual concerned must consent to the collection of that information
In terms of how personal information can be collected, the same requirements apply to all types of businesses and all types of personal information. The requirements do not differ for sensitive information. Personal information must be solicited and collected by fair and lawful means, and, in the majority of cases, from the individual concerned.
APP 4. Dealing with unsolicited information
There may be some situations in which your business receives personal information by accident, or where you have not asked for such information.
If you find yourself in this situation, you should ask yourself whether that information could have been collected under APP 3. Generally speaking, if you would not have collected the information under APP 3, you will need to de-identify and destroy the information as soon as practicable.
APP 5. Notification of the collection of personal information
Your business must ensure that individuals from whom you have collected personal information are aware of certain matters. These include:
- Your business’ identity and contact details
- The facts, circumstances, and purposes of collection
- Whether the collection of personal information is required or authorised by law
- What happens if personal information is not collected
- Your business’ usual disclosures of personal information
- Whether you are likely to disclose personal information to overseas recipients and, if practicable, where these recipients are located
APP 6. Use or disclosure of personal information
Unless an exception applies, your business can only use and disclose personal information for the purpose for which it was collected
APP 7. Direct marketing
Unless an exception applies, your business must not use or disclose personal information for the purpose of direct marketing.
Individuals also have the right to request your business not to use or disclose their personal information in relation to direct marketing.
APP 8. Cross-border disclosure of personal information
Before your business shares personal information to an overseas recipient, you will need to take reasonable steps to ensure that that recipient will comply with the APPs.
This is a necessary and important measure for your business to take, as you will be held accountable for the acts and practices undertaken by the overseas recipient in relation to the information you have disclosed.
APP 9. Adoption, use or disclosure of government related identifiers
Generally, organisations and some specific agencies must not adopt, use or disclose government related identifiers.
APP 10. Quality of personal information
Your business has an obligation to take reasonable steps to make sure that any personal information it has collected is accurate, current, and complete.
APP 11. Security of personal information
Your business will need to take reasonable steps to protect personal information it has collected from being misused, interfered with, or lost. Reasonable steps must also be taken to protect this information from unauthorised access, modification, or disclosure.
Generally, when your business no longer needs the personal information for the purposes in which it was collected, reasonable steps must be taken to ensure that the information is de-identified or destroyed, unless an exception applies.
APP 12. Access to personal information
In most cases, individuals from whom your business has collected personal information have a right to access the information about them.
APP 13. Correction of personal information
Your business must take reasonable steps to correct personal information. In particular, your business should make sure any collected information is accurate, current, complete, relevant, and not misleading.
The Office of the Australian Information Commissioner has a more in-depth explanation of the APPs here.
What Is The GDPR And Why Do You Need To Know About It?
The European Union (EU) introduced the General Data Protection Regulation (GDPR) in May 2018.
You might be wondering why we’re mentioning regulations from halfway around the world. As it turns out, the GDPR applies not only to businesses established in the EU, but also any business that supplies goods or services to, or uses the personal data of, individuals residing in the EU.
‘Personal Information’ vs ‘Personal Data’
You may have noticed that when it comes to the GDPR, we’re talking about personal data as opposed to personal information.
That’s because, where the APPs refer to ‘personal information’, the GDPR refers to ‘personal data’. It is important to be aware of the differences, though slight, between the two terms.
As we noted above, personal information relates to information or opinions that could identify an individual.
In contrast, personal data is any piece of information that relates to an identifiable person. This can include a broad range of identifiers, including a name, an identification number or online identifier, location data, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of an individual.
The GDPR provides a useful guide to what can be considered personal data here.
Consent & The GDPR
Under the GDPR, your business will need to show that an individual has consented to their personal data being collected.
Consumer Rights & The GDPR
The GDPR also provides a more comprehensive list of consumer rights than the APPs.
- The right to the erasure of personal data: Your customer can ask you to erase their personal data in certain situations, such as if you no longer require the data for the purpose of initial collection, if they withdraw consent to the processing of their data, or if the data was wrongfully collected.
- The right to data portability: Your customer has the right to ask for you to hold their personal data in a structured, commonly used and machine-readable format.
- The right to object to the processing of personal data: Your customer can, at any time, object to the processing of their personal data.
It’s Best To Get Consent
If you’re still unsure about what you can and can’t do, it’s a good first step to be transparent and honest with the people from whom you collect personal information. Not only does this help your business avoid breaching any privacy laws and regulations, but it can also help you build trust with your customers.
Understanding what you can and can’t do with your customer’s personal information can be quite complex.
Don’t hesitate to get in touch at firstname.lastname@example.org or call us on 1800 730 617 for a free, no-obligations chat.
Get your FREE quote now.
We'll get back to you within 1 business day.