On 12 March 2014, the Privacy (Enhancing Privacy Protections) Act 2012 (Cth) (the Amendments) came into effect and brought about significant change to the Privacy Act 1988 (Cth) (the Act).

The Act regulates the collection, storage, use, and disclosure of personal information. The Act will apply to independent schools with an annual turnover of more than $3 million.
Schools need to be aware of the changes to the Act and ensure they comply with the new requirements. Specifically, schools need to be proactive in ensuring that they have and implement practices, policies and procedures that comply with the Australian Privacy Principles (APPs).

The key change brought about by the Amendments is that the National Privacy Principles (NPPs) are replaced by the APPs.

Other changes included:

  • the Australian Information Commission (AIC) was given greater power to enforce privacy laws (including penalty orders of up to $1.7 million for corporations);
  • amendments to credit reporting provisions;
  • amendments to definitions; and
  • allowing for new privacy and credit reporting codes to bind organisations.

A summary of the APPs is below.

APP 1: Open and Transparent Management of Personal Information
  • A school must take reasonable steps to implement practices, procedures and systems relating to the school's functions that ensure the school complies with the APPs and will enable the school to deal with inquiries or complaints.
  • A school must have a privacy policy which meets the requirements as set out in APP 1.
APP 2: Anonymity and Pseudonymity
  • A school must provide individuals with the option of being dealt with anonymously; this will not apply if it is impractical.
APP 3: Collection of Solicited Personal Information
  • Schools can only collect information where it is "reasonably necessary".
  • Sensitive information can only be collected with consent, unless an exception applies or it is reasonably necessary for one of the school's functions or activities.
APP 4: Dealing with Unsolicited Personal Information
  • If a school receives unsolicited personal information, it must consider whether it was allowed to collect that information under APP 3; if not, the information will generally need to be destroyed or de-identified.
APP 5: Notification of the Collection of Personal Information
  • Most schools use a standard collection notice to notify an individual of the collection of personal information. A school must notify an individual about how they can access and correct the information, how they can make a complaint and, if the school discloses information overseas, to which countries.
APP 6: Use or Disclosure of Personal Information
  • Additional exceptions apply under which a school can use or disclose personal information, e.g. to assist in finding a missing person.
APP 7: Direct Marketing
  • A school can only use personal information for direct marketing if an individual has consented to it, or reasonably expects that their information will be used for that purpose.
  • Schools must provide an "opt-out" option.
APP 8: Cross-Border Disclosure of Personal Information
  • A school must take all reasonable steps to ensure an overseas recipient does not breach the APPs.
APP 9: Adoption, Use or Disclosure of Government Related Identifiers
  • A school must not disclose a government related identifier of an individual unless an exception applies.
APP 10: Quality of Personal Information
  • A school must ensure that the personal information it uses or discloses is accurate, up to date and complete.
APP 11: Security of Personal Information
  • A school must take steps to protect information from misuse, interference, loss, unauthorised access, modification and disclosure.
  • If the school no longer uses information, it must destroy and de-identify that information in accordance with the APPs.
APP 12: Access to Personal Information
  • A school must deal with access to personal information, requests for access, charges for access and refusal for access in accordance with APP 12.
APP 13: Correction of Personal Information
  • A school must take reasonable steps to ensure that the information it holds is correct.

Given these changes schools should, at an absolute minimum, ensure that:

  • their policies comply with APP 1; and
  • their practices and procedures that govern collection, storage, use and disclosure of personal information comply with the Amendments.

Privacy is a difficult area of law to navigate. It is important that your school take steps to ensure compliance as failure to do so can have expensive consequences.

This publication is issued by Moore Stephens Australia Pty Limited ACN 062 181 846 (Moore Stephens Australia) exclusively for the general information of clients and staff of Moore Stephens Australia and the clients and staff of all affiliated independent accounting firms (and their related service entities) licensed to operate under the name Moore Stephens within Australia (Australian Member). The material contained in this publication is in the nature of general comment and information only and is not advice. The material should not be relied upon. Moore Stephens Australia, any Australian Member, any related entity of those persons, or any of their officers employees or representatives, will not be liable for any loss or damage arising out of or in connection with the material contained in this publication. Copyright © 2014 Moore Stephens Australia Pty Limited. All rights reserved.