Are your privacy practices compliant with the amended Privacy Act 1988 (Cth)?

Business and government organisations need to prepare for changes to the Privacy Act 1988 (Cth) (Privacy Act) that will take effect on 12 March 2014.

The reforms introduce thirteen (13) new Australian Privacy Principles (APPs) that replace the previous National Privacy Principles and Information Privacy Principles.  Most importantly, Schedule 4 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012^[1] establishes a civil penalty regime that allows the Federal Court or the Federal Circuit Court to order significant penalties for non-compliance.

The civil penalty regime includes penalties of:

• $340,000 for individuals; and
• $1.7 million for a company in breach of the APPs.

The Privacy Act also provides the Privacy Commissioner with new powers including the power to conduct compliance assessments, make compliant determinations, issue enforceable undertakings and institute its ‘own motion’ investigations.^[2]

The reforms require organisations to make changes to their:

• policy, procedures and organisational practices to comply with the APPs (APP 1.2);
• the content of privacy policies (APP 1.3-1.6);
• the collection of solicited and unsolicited personal information (APP 3);
• notification and disclosure procedures (APP 5-6);
• direct marketing communication (APP 7.6-7.8);
• information quality assurance and data security (APP 10-11); and
• sending of information off-shore (APP 8).

Complying with the reforms

There are several steps organisations should take to ensure their policies and procedures are up-to-date.  This will necessarily depend of the circumstances of the organisation, the practices it adopts and the type of personal information it collects.

Privacy review

Organisations should consider conducting a “privacy review” in the context of their current business practices.  This allows potential issues to be identified and new procedures instigated.

A privacy review requires understanding how the organisation collects, stores and discloses personal information.  Under section 6 of the Privacy Act personal information is:

“information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”

Implementation

The APPs require that a business take reasonable steps to implement policies and procedures that comply with the APPs.  This obligation may require a business to introduce a compliant resolution process; train staff concerning their obligations under the Privacy Act and appoint a ‘Privacy Contact Officer’ or ‘Chief Privacy Officer’.

Privacy policy

Under APP 1 organisations should amend their privacy policy to ensure it includes:

• a complaints procedure;
• sufficient detail of the kind of personal information the organisation collects and the purpose for which information is collected;
• whether the organisation is likely to disclose information to overseas recipients and what countries this may include;
• information relating to direct marketing; and
• ensure the privacy policy is available free of charge and presented in an appropriate form.

Compliance tips

The APPs require organisations take active steps to comply with the principles.  Organisations should:

•  provide individuals with opportunity for anonymity and pseudonymity (APP 2).
• notify individuals prior to collection of personal information that the privacy policy contains relevant information regarding overseas disclosure, complaint mechanisms and how to access and correct their information (APP 5);
• where possible provide users with an opt out option for all marketing correspondence (APP 7.6(c);
• ensure marketing information is only sent to individuals who would reasonable anticipate receiving it and note the source of the personal information (APP 7.6-7.8);
• ensure overseas recipients of personal information store and use information in accordance with APPs (as organisations can be held vicariously liable for not taking adequate precautions, organisations should seek an indemnity if compliance cannot be met) (APP 8);
•  keep accurate and complete records of personal information (APP 10-11);
• provide individuals with the ability to access and correct their information (APP 12-13); and

Links and further references

Office of the Australian Information Commissioner, APP Guidelines

Office of the Australian Information Commissioner, Australian Privacy Principles

Office of the Australian Information Commissioner, Privacy Information Fact Sheet 17: Australian Privacy Principles

Office of the Australian Information Commissioner, Protecting Customers’ Personal Information

Further information

If you need further information about making your business compliant with the Australian Privacy Principles, contact us for a confidential and obligation-free discussion:

Disclaimer

This article contains general commentary only.  You should not rely on the commentary as legal advice.  Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.

[1] Privacy Amendment (Enhancing Privacy Protection) Act 2012 Sch 4 PartVIB section 80W.

---

Related insights about privacy compliance