Corporate & Commercial Law Department
If the Protection of Personal Information Bill ("the Bill"), currently being debated by Parliament, is passed as law, businesses and government departments will have to come up with completely new methods of collecting, recording, storing, updating and using the names, identity numbers, physical and email addresses, phone numbers, medical or financial histories and any other personal information belonging to individuals.
Although the Bill also applies (to a limited extent) to information relating to companies and other juristic bodies, its main purpose is to protect an individual's constitutional right to privacy, and to strike a balance between this right and the rights of others to collect and use personal information for commercial and other purposes.
If you collect, store and use personal information, the Bill requires you to appoint an Information Protection Officer to monitor your compliance with the Bill. An existing employee can perform this role, although the size of your business and the extent to which you collect and store personal information will determine whether it is necessary to appoint a dedicated person for this purpose. Regardless of how the responsibility is allocated, the employee must be registered as an Information Protection Officer with the Information Protection Regulator, which is the body responsible for enforcing the Bill.
In addition, you must secure all personal information (in paper or electronic form) under your control against the risk of unauthorised access, modification or loss. Because of the ease with which personal information is exchanged, you will have to constantly monitor the information moving in and out of your organisation and conduct regular risk assessments to identify and manage all foreseeable security risks.
To collect, store and use an individual's personal information, the Bill requires you, amongst other things, to collect the information directly from the individual concerned, to inform him or her of the purpose for which you are collecting the information, to get his or her consent to such use, and not to use the information for any other purpose.
If you think this is too onerous, you can apply to the Information Protection Regulator for an exemption from compliance, but it will not be given lightly. You will have to prove that by using an individual's personal information, you are providing a clear benefit to the individual which outweighs his or her right to privacy. This is unlikely to be easy to prove.
It appears that a quicker and easier method of side-stepping compliance with the Bill is to request the individual concerned to give a blanket consent to the collection of his or her personal information from other sources, to the use of that information for all reasonable purposes and to the storage of that information for a fixed or indefinite period of time. In any event, remember that you do not have to comply with the Bill if you do not collect, store or use an individual's personal information, or you only do so for personal or household activities or journalistic purposes.
If the Bill is passed as law in its current form, businesses have one year following the date on which the Bill comes into effect to take the necessary steps to make sure that all collection, storage and use of personal information complies with the law. Although you cannot fully determine your compliance requirements until the Bill is settled in its final form, given the extent to which personal information is dispersed through the electronic and paper records of an organisation, it may be a good idea to start sifting through your archives to assess the extent to which you are holding personal information without the required consents.