Privacy implications for Family History Societies
Despite what you may have been told, Family History Organisations are required to comply with the new private sector provisions of the Australian Privacy Act from 21 December 2001.
Section 6C(1) of the Privacy Act deems that the following entities are exempt from the provisions of the act:
- The entity carries on a small business and meets the test to be a small business operator.
- The entity is a registered political party.
- The entity is a Commonwealth Government 'agency'.
- The entity is a State or Territory authority or a prescribed instrumentality of a State or Territory.
Section 6C of the Privacy Act sets out the types of entities that may be an organisation subject to the act. These are:
- an individual;
- a body corporate;
- a partnership;
- any other unincorporated association; and
- a trust.
We would also point out that any one has always had the right under common law to take any organisation to task if they are aggrieved, regardless of any new privacy laws. The difference now is that the enactment of such laws has raised people's awareness and they may be tempted to undertake such a civil action. Regardless of whether they are successful or not, we suspect there would be very few FHS and their management keen to endure such an ordeal!
NZ members also have no option but to conform to the NZ legislation. This paper embraces the requirements for both NZ and Australian FHS.
The Privacy Act applies to 'personal information', which is information about any identifiable individual. Societies might hold personal information about members and former members, ranging from just the person's name, address and phone number through to offices held, awards, skills, references and so on. A FHS society will also hold personal information about people other than members. Society minutes and correspondence may contain further personal information. Clearly FHS hold considerable personal information about people.
We are now subject to the act and so we may as well get used to it! If you wish to make yourself more familiar with the issues, check out the web sites ...
- http://www.privacy.gov.au/ - The Office of the Federal Privacy Commissioner
- http://www.privacy.org.nz/ - The Office of the New Zealand Privacy Commissioner
It should be noted that Australia and NZ have an obligation to their people to legislate privacy protection in the private sector since they signed the OECD Privacy Guidelines.
There are a few principles that must be adopted by FHS who look to adopting best practice in their dealings with their members and the public and these are outlined below:
OBJECTS OF THE PRIVACY ACT
- To establish a single scheme relating to the appropriate collection, holding, use, correction, disclosure; and transfer of personal information held by government and private sector organisations.
- To meet international obligations in regard to personal information.
- To recognise the individual's interest in protecting their privacy.
FAMILY HISTORY SOCIETIES' RESPONSIBILITIES
- FHS should disclose to the individual how they will use their personal information before collecting this data.
- FHS should not use personal data for any reason other than they state.
- FHS should not knowingly pass on personal data to a third party without gaining specific
written consent from the individual first unless the disclosure of the information is required by
- Blanket written consent to pass on personal data is
inappropriate as neither the FHS or individual can
foresee future needs.
- It is appropriate that FHS retain the records of written consent.
- Blanket written consent to pass on personal data is inappropriate as neither the FHS or individual can foresee future needs.
- FHS must keep personal data secure and allow appropriate access
- FHS must allow access by an individual to their own
- FHS must update or correct personal data when
advised by the individual that it is incorrect.
- FHS must keep personal records up-to-date.
- FHS must not collect personal information held by a third party without the consent of
that party and
the individual concerned unless entitled to do so by law.
- FHS should prepare and distribute widely a Privacy Statement which should outline their
responsibilities about collecting personal data.
- individuals must have the right and opportunity to require non-disclosure of personal data by the FHS except where the disclosure of the information is required by law.
- Individuals must be given the opportunity to update
and/or correct personal information held by FHS.
- Individuals must have the right and opportunity to change their requirements over non-disclosure of personal data by the FHS but this cannot be retrospective.
DEFINITION OF PERSONAL INFORMATIONAustralia's definition of personal information varies slightly from the NZ one and the NZ Act does not define sensitive information.
Personal information on a living individual (member or otherwise) covered by these criteria include using the person's name in conjunction with a:
- private address, and/or,
- telephone number, and/or,
- credit, financial and/or banking record or details, and/or,
- parent or child's name, and/or,
- record of birth, marriage or death, and/or,
- motor vehicle registration record, and/or,
- health or medical record, and/or,
- employment record, and/or,
- any material about the individual which may lead to disclosure of any of the above or any material deemed sensitive as defined in Section 6 of the Privacy Act or any material which an individual deems to be private and have advised accordingly.
SENSITIVE INFORMATIONSensitive information is a subset of personal information. It means information or opinion about an individualís racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record or health information about an individual.
The criteria only apply to living people except where as indicated in 4 above the identification of a deceased person may reveal personal data of a living person.
For the purposes of FHS research programs, the requirements of the Act are not retrospective and FHS need only address issues from 21 Dec 2001. There are examples where retrospectivity does apply to present and past living membersí records as outlined above.
Many FHS are involved in indexing projects which is an issue that is somewhat unique to these organisations and therefore is specifically expanded upon here. The Privacy Act applies to personal information collected from public sources. Some people might think that because personal information is publicly available and anyone can see it, there should be no controls on the way an organisation handles it. However this is not the approach the Privacy Act takes. The Privacy Act will apply at the point where the organisation moves the information out of the generally available publication into a record of its own creation. So for example, if the organisation then takes information out of the newspaper and enters it onto its database of information, the Privacy Act would apply to the collection of the information at that point.
Many of the problems encountered by FHS relate to the over generous use of the word index. If the index created was indeed just an index, ie a finding aid to locate a record, the problem would not exist as no personal information would have been extracted. However, many indexes created by FHS are much more than mere indexes in that they contain additional information from the original entry so that they are in effect a precis of the entry rather than an index.
FHS should look at the scope of the material they intend to collate in terms of privacy before embarking on any project to index material from other sources. If clarification is required about an issue it is suggested that the FHS contact an officer in the Office of the Privacy Commissioner.
Thanks to Colleen Clarke, Compliance Officer of the Office of the Federal
Privacy Commissioner for advice and checking this statement for
correctness. For more details visit the Privacy
Commissioner's page on this subject.
Last modified: 12 October 2015