On 12 March 2014 extensive amendments to the Privacy Act 1988 (Cth) (the Act) came into effect. The Act introduced 13 Australian Privacy Principles (APPs), which replace and in some instances significantly modify the former National Privacy Principles and Information Privacy Principles.

Do the new privacy laws and APPs apply to you?

Both Australian government agencies and private sector companies must comply with the Act and the APPs. There are some exemptions to the requirement that an organisation comply with the Privacy Act. These include the following:

Employee Records: records of personal information that relate to the employment of an individual are exempt if the records are obtained only for the purpose of acts or practices that directly relate to a current or former employment relationship. Hence, the collection and storage of personal information of a potential employee (i.e. a job candidate) or the cross-border disclosure of information may not fall within the exemption, and will be covered by the Act.

Small Businesses: if your business has an annual turnover of $3 million or less you may be a small business operator and may not be obliged to comply with the Act (however, some businesses with an annual turnover of less than $3 million may not be able to rely on this exemption).

Significant changes and features of the new privacy laws

APP 1 - Privacy Policy and Compliance Plans: organisations must have a clearly expressed and up-to-date Privacy Policy that complies with the Act. APP 1 outlines what must be included. Organisations must also take steps to implement practices, procedures and systems that show how they will comply with the Act in a practical manner. This can be achieved through the introduction of a written Compliance Plan.

APP 7 - Direct Marketing: organisations may only use or disclose an individual's personal information for direct marketing purposes if the individual would reasonably expect the entity to use or disclose the information, the individual has consented to the use or disclosure, or where the entity provides a simple way of opting out of the direct marketing.

APP 8 - Cross-border Disclosure: before disclosing personal information to an overseas recipient, an organisation must take reasonable steps to ensure that the recipient complies with the Act. Overseas recipients may include, but are not limited to, overseas third-party processors such as off-shore internet servers, or overseas branches of the organisation.

Increased Powers: the Privacy Commissioner has significantly increased powers and may now seek civil penalties of up to $340,000 (for individuals) and $1.7 million (for companies).

Does your organisation comply?

Organisations must take active and practical steps to ensure compliance with the Act and the APPs. For this reason we recommend you:

  • Review and update your Privacy Policy. You should consider what personal and sensitive information you collect, the purpose(s) of this collection, and how it is collected;
  • Introduce a written Compliance Plan, which outlines how compliance will be achieved in a practical manner, and take active steps to implement this plan;
  • Review your direct marketing processes and update accordingly;
  • Consider whether you send personal information to overseas recipients and take steps to ensure these recipients comply with the Act. Also ensure that your policies, plans and consent arrangements are updated accordingly.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Kemp Strang has received acknowledgements for the quality of our work in the most recent editions of Chambers & Partners, Best Lawyers and IFLR1000.