Source of Commonwealth power to make privacy laws
Schedule 1 section 4 of the Privacy Act 1988 (Cth) (‘the Act’) says ‘This Schedule relies on the Commonwealth’s legislative powers under paragraph 51(xxix) of the Constitution to give effect to Australia’s obligations under the International Covenant on Civil and Political Rights.’ That Commonwealth legislative power was established in Commonwealth v Tasmania (1983) 158 CLR 1.
When is an unincorporated association an APP entity?
Section 6(1) of the (‘the Act’) defines an ‘APP entity’ to mean ‘an agency or organization.’ ‘Organisation’ is then defined by s 6C, which states: ‘In this Act: organisation means: (a) an individual; or (b) a body corporate; or (c) a partnership; or (d) any other unincorporated association; or (e) a trust; that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory.
Section 6(1) of the Act also defines a ‘small business operator’ in s 6D. Section 6D says a ‘small business operator’ is ‘an individual, body corporate, partnership, unincorporated association or trust that: (a) carries on one or more small businesses; and (b) does not carry on a business that is not a small business.’
When is an unincorporated association not an APP entity?
Section 6D(1) says that ‘A business is a small business at a time (the test time) in a financial year (the current year) if its annual turnover for the previous financial year is $3,000,000 or less.’ Subsection (4) says: ‘However, an individual, body corporate, partnership, unincorporated association or trust is not a small business operator if he, she or it:
- (a) carries on a business that has had an annual turnover of more than $3,000,000 for a financial year that has ended after the later of the following:
- (i) the time he, she or it started to carry on the business;
- (ii) the commencement of this section; or
- (b) provides a health service to another individual and holds any health information except in an employee record; or
- (c) discloses personal information about another individual to anyone else for a benefit, service or advantage; or
- (d) provides a benefit, service or advantage to collect personal information about another individual from anyone else; or
- (e) is a contracted service provider for a Commonwealth contract (whether or not a party to the contract); or
- (f) is a credit reporting body.
An unincorporated association with $3M or less in annual turnover in the previous financial year is therefore not an APP entity for the purpose of the Act, so long as it does not provide a health service and hold health information or trade in personal information, isn’t a Commonwealth contactor or credit reporting body. ‘Health information’ includes ‘information or an opinion about: (i) the health, including an illness, disability or injury, (at any time) of an individual.’
This means that an unincorporated sporting club, church congregation etc with previous financial year turnover of $3M or less will not be an APP entity if it does not provide a health service and hold health information and is not caught by another other definition in the Act that deems it to be an APP entity. An example of health information being held by a sporting club would be a children’s sporting team where the club’s coach emails a team member’s parent informing of a minor injury during a match or training session. If first aid was also provided for such an injury, the club is probably an APP entity regardinless of how low its last financial year turnover was.
Australian Privacy Principles apply to APP entities
An unincorporated association that is not an APP entity does not have to comply with the 13 Australian Privacy Principles. However, APP entities do have to comply with:
- Principle 1—open and transparent management of personal information
- Principle 2—anonymity and pseudonymity
- Principle 3—collection of solicited personal information
- Principle 4—dealing with unsolicited personal information
- Principle 5—notification of the collection of personal information
- Principle 6—use or disclosure of personal information
- Principle 7—direct marketing
- Principle 8—cross‑border disclosure of personal information
- Principle 9—adoption, use or disclosure of government related identifiers
- Principle 10—quality of personal information
- Principle 11—security of personal information
- Principle 12—access to personal information
- Principle 13—correction of personal information
Who is liable for actions and omissions of unincorporated associations?
An unincorporated association is not a legal entity. However, those of its members who are in charge of arranging its affairs will be APP entities (unless excluded by the Act from being an APP entity) and personally liable for any legal liability arising from those activities, including liabilty for breaches of the Australian Privacy Pinciples. Those persons, say the members of a committee that controls the club or church congregation, will be personally liable for the group’s activities. Some unincorporated associations may have a constitution that indemnifies the committee members for certain liability but if the liability is larger than the association’s assets then those committee members will still have personal liability beyond the association’s assets. Other ordinary members will generally not be liable for the group’s activities beyond their membership or subscription fees, unless they were personally involved in causing the legal liability.
Very serious obligations and penalties arise under the Australian Privacy Principles. You should seek tailored legal advice that factors in all of your circumstances when deciding whether or how you or your organisation may need to comply with the Australian Privacy Principles.