Jessica Lobow and Martin Slattery recently co-presented at the Carroll and O'Dea Charity Law Legal Seminar on questions of Privacy Policies and document retention, from a preventative and operative perspective. Below are some highlights from Jessica's paper, which was directed at preventative measures.

Most organisations can say that they have a Privacy Policy. It is often a stock standard policy that was acquired at the time they developed their website. However, it may not satisfy current compliance requirements.

An issue of concern is the conflict between the obligation to permanently de-identify and destroy information, and the obligation to maintain records where they may be necessary as evidence in legal proceedings.

In March 2014 there were significant changes to federal privacy laws. These changes impacted most entities¹ which handle personal information about individuals, including most Australian companies, charities and some government agencies. Charities and not-for-profit organisations, unless exempted, need to comply with the Australian Privacy Principles (APPs).

The changes of 2014 empowered the Privacy Commissioner to take enforcement steps in relation to breaches of the Privacy Act 1988 (Cth) and imposed civil penalties which could be up to $1.1m for corporate entities and $220,000 for individuals. They also include a penalty of imprisonment, and there are penalties for any persons who aid, abet or knowingly assist in breaches of the Privacy Act 1988 (Cth).

In respect to retention or destruction of information, APP 11 specifically states:

  1. An APP entity that holds personal information must take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
  2. An APP entity must take reasonable steps to destroy or de-identify this personal information it holds once the personal information is no longer needed for any purpose for which the personal information may be used or disclosed under the APPs. This requirement does not apply where the personal information is contained in a Commonwealth record or where the entity is required by law or a court/tribunal order to retain the personal information.

There is no clear guidance as to what "needed" means, making it very difficult for charities and not-for-profit organisations to determine how long personal information should be retained.

In contrast, some legislative guidance can be found in respect to document retention, such as under the Australian Charities and Not-for-profits Commission Act 2012 (Cth). Organisations in the charity sector are required to retain financial and operational records for a minimum of 7 years. The potential conflict with APP 11 is obvious.

In addition to the requirement to de-identify personal information that is no longer required (there is an exception if reputation will be damaged for the deliberate destruction of documents), a person can be found criminally liable for destruction or de-identifying under section 317 of the Crimes Act NSW 1900 (Cth) (and corresponding state legislation), as it is an offence to intentionally destroy documents that a person knows are, or may be, required as evidence in a judicial proceeding, if done in order to prevent the documents being used in such a proceeding. The person charged under this section may be liable to imprisonment for 10 years.

Recommendation: Not-for-profit organisations and charities should allocate all obligations with respect to the Privacy Act 1988 (Cth) and document retention to a specially nominated committee, which meets regularly and reports regularly to the organisation's board and executive. The committee should be briefed to put in place policies and procedures to deal with securing the storage of documents, ensuring the integrity and authenticity of records, and the training of staff. The privacy policy should be regularly reviewed and kept up to date with the new laws.

Footnotes

¹ Turnover above $3m or entities electing to adopt the federal privacy principles

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.