Business and government organisations need to prepare for changes to the Privacy Act 1988 (Cth) (Privacy Act) that will take effect on 12 March 2014.
The reforms introduce thirteen (13) new Australian Privacy Principles (APPs) that replace the previous National Privacy Principles and Information Privacy Principles. Most importantly, Schedule 4 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012[1] establishes a civil penalty regime that allows the Federal Court or the Federal Circuit Court to order significant penalties for non-compliance.
The civil penalty regime includes penalties of:
- $340,000 for individuals; and
- $1.7 million for a company in breach of the APPs.
The Privacy Act also provides the Privacy Commissioner with new powers including the power to conduct compliance assessments, make compliant determinations, issue enforceable undertakings and institute its ‘own motion’ investigations.
The reforms require organisations to make changes to their:
- policy, procedures and organisational practices to comply with the APPs (APP 1.2);
- the content of privacy policies (APP 1.3-1.6);
- the collection of solicited and unsolicited personal information (APP 3);
- notification and disclosure procedures (APP 5-6);
- direct marketing communication (APP 7.6-7.8);
- information quality assurance and data security (APP 10-11); and
- sending of information off-shore (APP 8).
Complying with the reforms
There are several steps organisations should take to ensure their policies and procedures are up-to-date. This will necessarily depend of the circumstances of the organisation, the practices it adopts and the type of personal information it collects.
Privacy review
Organisations should consider conducting a “privacy review” in the context of their current business practices. This allows potential issues to be identified and new procedures instigated.
A privacy review requires understanding how the organisation collects, stores and discloses personal information. Under section 6 of the Privacy Act personal information is:
“information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”
Implementation
The APPs require that a business take reasonable steps to implement policies and procedures that comply with the APPs. This obligation may require a business to introduce a compliant resolution process; train staff concerning their obligations under the Privacy Act and appoint a ‘Privacy Contact Officer’ or ‘Chief Privacy Officer’.
Privacy policy
Under APP 1 organisations should amend their privacy policy to ensure it includes:
- a complaints procedure;
- sufficient detail of the kind of personal information the organisation collects and the purpose for which information is collected;
- whether the organisation is likely to disclose information to overseas recipients and what countries this may include;
- information relating to direct marketing; and
- ensure the privacy policy is available free of charge and presented in an appropriate form.
Compliance tips
The APPs require organisations take active steps to comply with the principles. Organisations should:
- provide individuals with opportunity for anonymity and pseudonymity (APP 2).
- notify individuals prior to collection of personal information that the privacy policy contains relevant information regarding overseas disclosure, complaint mechanisms and how to access and correct their information (APP 5);
- where possible provide users with an opt out option for all marketing correspondence (APP 7.6(c);
- ensure marketing information is only sent to individuals who would reasonable anticipate receiving it and note the source of the personal information (APP 7.6-7.8);
- ensure overseas recipients of personal information store and use information in accordance with APPs (as organisations can be held vicariously liable for not taking adequate precautions, organisations should seek an indemnity if compliance cannot be met) (APP 8);
- keep accurate and complete records of personal information (APP 10-11);
- provide individuals with the ability to access and correct their information (APP 12-13); and
Links and further references
Office of the Australian Information Commissioner, APP Guidelines
Office of the Australian Information Commissioner, Australian Privacy Principles
Office of the Australian Information Commissioner, Protecting Customers’ Personal Information
Further information
If you need further information about making your business compliant with the Australian Privacy Principles, contact us for a confidential and obligation-free discussion:
Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
T: +61 7 3221 0013 (preferred)
M: +61 419 726 535
E: mburrows@dundaslawyers.com.au
Disclaimer
This article contains general commentary only. You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.
[1] Privacy Amendment (Enhancing Privacy Protection) Act 2012 Sch 4 PartVIB section 80W.
Related insights about privacy compliance
-
Uber found in breach of Australian privacy laws
This article provides an overview of interesting decisions of Australian Courts in Corporate Law, Technology Law and Intellectual Property. With cases on Trade Marks, Copyright, Defamation, Negligence, Joint Ventures and Confidential Information, it is an invaluable resource for anyone interested in these areas.
-
Overview of the Ransomware Payments Bill 2021 (Cth)
Australian government proposed the Ransomware Payments Bill 2021 (Cth) (Bill) to enforce mandatory reporting of ransomware payments. Penalties of up to $110,000 for non-compliance.
-
International businesses subject to Australian privacy laws
Australian Intelligence Community (AIC) Commissioner Falk determined how the Office of the Australian Information Commissioner (OAIC) will assess if international entities have an Australian Link to Privacy Act 1988 (Cth).
-
7-Eleven customer survey: implied consent?
The Office of the Australian Information Commissioner found 7-Eleven Stores Pty Ltd are in breach of the Australian Privacy Principles (APP’s). Learn more about the findings, implications, and how businesses can comply with the APP’s.
-
Use of confidential information – the springboard injunction
This article examines the UK decision of Forse & ors v Secarma Ltd & ors [2019] EWCA Civ 215, which discussed the legal concept of a springboard injunction, and its implications in Australia. The Court must consider similar principles to determine if an injunction should be granted.
-
Swiss company hands over user data
A Court order in Switzerland raises questions about Australian law enforcement’s ability to access encrypted data. This article explores the legislative perspective on accessing private or business communications, and the steps taken to protect transmitted information.
-
Parliament passes Government surveillance bill
The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021 added three (3) warrants, allowing law enforcement to access data and take control of online accounts to obtain evidence of serious online crime.
-
Data breach compliance and response plans
Dundas Lawyers create tailored data breach response plans to ensure compliance with the Privacy Act 1988 (Cth). Plans include actions, registers, records, tests and tasks. Get an obligation-free and confidential discussion to learn more.
-
The Australian Cyber Law Map – overview
The Australian Cyber Law Map provides clarity on ever-changing legal landscape, covering commercial enterprises, cyber offences, infrastructure, international law, national security and personal rights. A source for understanding laws and providing safety/security in the digital age.
