From 12 March 2014, changes to the Privacy Act 1988 (Cth) have come into force. These changes have been described as some of the biggest in the history of privacy law in Australia, and will change the way in which organisations deal with ‘Personal Information’. A failure to comply with these laws can lead to hefty penalties.
If your company, school or organisation deals with personal information, you should review your privacy practices now so that you can ensure that you are compliant.
So, what do you need to know?
First, the Privacy Act only catches Federal government agencies and organisations with an annual turnover of $3m or more (unless you are an organisation that deals in Personal Information as part of its activities, in which case the Act will still apply). If you aren’t in these categories, you don’t need to worry about complying with the Act at the moment. Eventually, the Act will most likely be extended to capture all organisations in Australia. It is also possible that your organisation has contractually agreed to be bound by the Privacy Act. If you are in any doubt about whether the Act applies to your organisation, please contact us.
If you do have to comply, the first thing you need to know is whether or not you are currently handling Personal Information.
What is Personal Information (‘PI’)?
From March 2014, Personal Information is defined as ‘information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.’
That is a very broad definition, and it covers just about anything. If your business:
- collects information about your customers, or their employees or officers;
- has a finance system that captures contact details of individuals at your suppliers or customers;
- uses CCTV or surveillance cameras for security;
- holds a business card draw at a networking function; or
- collects or deals with any information from which the identity of a person can be ascertained
…then you are collecting PI, and you may be caught by the Act.
What are the reforms, and what are ‘APPs’?
At the heart of current privacy laws are the National Privacy Principles (applying to the private sector), and Information Privacy Principles (applying to the public sector). From March 2014, these have been folded into a single set of Australian Privacy Principles (APPs), applying to both Federal government agencies and private sector organisations.
What has changed?
From March 2014, organisations must comply with the APPs. This means that an organisation must ensure that it:
- has procedures and practices in place to deal with queries, complaints and requests for corrections to PI held by the organisation;
- can deal with individuals anonymously unless this is impracticable;
- is monitoring the collection of ‘sensitive’ information (health, religion, sexuality, political or other ‘sensitive’ information collected by the organisation) and unsolicited PI, and can notify those whose information is received of the purposes for which the information was collected;
- is aware that PI can only be used for the purpose for which the information was collected, or a secondary purpose that individuals would reasonably expect;
- is fully aware of the new restrictions on direct marketing;
- knows the location of all of its PI, and whether overseas entities that hold or process the information are compliant with the APPs;
- has programs in place to assure the quality, accuracy and security of PI held by the organisation; and
- destroys or de-identifies PI that is no longer used or required.
What has stayed the same?
Whilst much has changed, some things will stay the same:
- Organisations that collect PI must have detailed privacy policies;
- Organisations must allow people to access their own PI, and cannot make unreasonable charges for such access;
- Australian organisations that disclose data to overseas entities will generally be held responsible for breaches of privacy by those entities;
- Direct marketing is still strictly controlled, and ‘opt-out’ options are essential; and
- PI collected for a particular purpose can only be used for that purpose, unless a secondary purpose is so clearly connected to it that an individual providing PI should have anticipated that use.
What if we don’t comply?
As part of the incoming reform, the Australian Information Commissioner is being given strong new powers to follow up on breaches of the Act. The Commissioner can now compel witnesses to give evidence, require businesses to change their practices, and in cases of serious breaches, can impose fines of up to $1.7m for organisations and $340,000 for individuals.
The Commissioner has indicated in public statements that he intends to use these powers and that organisations should be on notice of enforcement commencing once the reforms are in place.
What should I do?
If you have any queries regarding this alert, please contact: