With the growth of internet banking, online business transactions and the worldwide flow of data, the March 2014 amendments to the Australian Privacy Principles (APPs) were introduced to harmonise Australia's privacy rules and to keep pace with technological change in the marketplace and the declining relevance of geographical borders.
From 12 March 2014, a new, harmonised set of Australian Privacy Principles (APPs), introduced by amendments to the Privacy Act 1988 (Cth), comes into force. The APPs will cover the collection and handling of personal information by Australian government agencies and many businesses across a range of sectors; the amendments also introduce new credit reporting obligations and enhanced Commissioner powers. To make the transition easier in the lead-up to 12 March, here is a general overview of some of the key reforms.
Does the Act apply to your firm or business?
The new APPs replace the National Privacy Principles (which applied to the private sector) and the Information Privacy Principles (which applied to the public sector). They apply to Australian Government, ACT and Norfolk Island government agencies as well as many private sector organisations, including larger businesses (generally those with an annual turnover above $3 million) and all health service providers.
The Office of the Australian Information Commissioner (OAIC) offers a convenient nine-step checklist for small businesses to help you work out whether the Act applies to your business (organisations that must comply are referred to as 'APP entities' under the amended Act). If the Act applies and you are considering a move to cloud-based IT services, engaged in direct marketing, or transferring personal data across jurisdictions, you should examine the Act carefully so that you are aware of your obligations.
The changes will affect how businesses may collect, use, handle and store personal information, and how they may disclose it to third parties in Australia and overseas.
The 13 new APPs focus on a few key areas:
- Direct marketing (APP 7): Using personal information for the purposes of direct marketing is prohibited unless one of several exceptions applies, including where the APP entity has obtained the individual's consent or where the individual would reasonably expect their information to be used for direct marketing. Individuals are entitled to ask a direct marketer where it obtained their personal information, and businesses must provide a simple 'opt out' process for customers.
- Unsolicited information (APP 4): If an APP entity receives personal information it did not solicit, it must decide whether it could have collected that information under APP 3 (which governs the collection of solicited personal information). If it could not have collected the information in the first place, and the information is not contained in a Commonwealth record, the APP entity must destroy or de-identify it as soon as practicable, provided it is lawful and reasonable to do so.
- Transborder data flows (APP 8): Organisations are now more accountable for personal information they send overseas. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure that the recipient does not breach the APPs, and the entity can itself be held responsible for a breach by that recipient. This obligation does not apply where an exception is available, including where the entity reasonably believes the recipient is subject to laws or a binding scheme that provide protection substantially similar to the APPs (with mechanisms the individual can use to enforce them), where the individual has consented to the disclosure after being expressly informed of the consequences, or where the disclosure is necessary to lessen a serious threat to life, health or safety, or to public health or safety.
- Enforceability: The Commissioner's powers have been expanded, with greater flexibility in investigative functions and in the remedies available for non-compliance. The Commissioner can now initiate an investigation on the Commissioner's own initiative (without first receiving a complaint), accept court-enforceable written undertakings, conduct compliance assessments, and seek civil penalties of up to $340,000 for an individual or up to $1.7 million for a company or agency for serious or repeated breaches.
The list of changes above is not exhaustive. To ensure that your policies are up to date and compliant with the raft of changes, here are a few steps to take:
- Perform an audit: Identify what information your firm collects and how it is stored, used and/or disclosed.
- Review the Commissioner’s draft guidelines: www.oaic.gov.au
- Review practices and policies: Revise and update your practice's privacy policy and procedures to align with the new legislation. Check your terms of engagement to ensure they comply with the credit information and reporting requirements. Where personal information is transferred to foreign jurisdictions, review your offshore processing arrangements against APP 8. Review the procedures and systems you use to correct personal information and to respond to requests from individuals for access to, or correction of, their personal information.
To make things a little less daunting, the OAIC has released draft guidelines to assist businesses with the transition.
Visit the Office of the Australian Information Commissioner for more information.
- Office of the Australian Information Commissioner, 'Privacy law reform', http://www.oaic.gov.au/privacy/privacy-act/privacy-law-reform
- 'Are you prepared for the March 2014 Privacy Act changes?', business.gov.au, 5 December 2013, http://www.business.gov.au/Newsandfeatures/2013/Dec/Pages/Privacy-Act-changes-from-March-2014.aspx