The Privacy Act 2014 – More Stringent Requirements

From the start of the new year there are to be more changes to the Privacy Act 1988 which could be relevant to you and your business. You will need to consider your own privacy compliance arrangements to make sure they don’t leave you at risk.

The changes are:

Australian Privacy Principles

From 12 March 2014, the amendments replace the Information Privacy Principles (IPPs - which applied to the Commonwealth and Territory public sectors), and the National Privacy Principles (NPPs - which applied to the private sector), with 13 Australian Privacy Principles (APPs) which will apply to both Commonwealth and Territory agencies and to the Australian private sector.

In summary the new APPs cover:
•    APP 1 – open and transparent management of personal information
•    APP 2 – anonymity and pseudonymity
•    APP 3 – collection of solicited personal information
•    APP 4 – dealing with unsolicited personal information
•    APP 5 – notification of the collection of personal information
•    APP 6 – use or disclosure of personal information
•    APP 7 – direct marketing
•    APP 8 – cross-border disclosure of personal information
•    APP 9 – adoption, use or disclosure of government related identifiers
•    APP 10 – quality of personal information
•    APP 11 – security of personal information
•    APP 12 – access to personal information
•    APP 13 – correction of personal information.

The APPs largely mirror the current NPPs. However, they require a much more active management of your privacy policy, as they introduce tighter controls on direct marketing and create liability for offshore breaches of privacy when data is sent overseas (cloud storage included).

Under the APPs, organisations are required to manage personal information collection, use and disclosure in an open and transparent way. Privacy policies must be reviewed regularly and kept up to date as “living” documents.

Direct marketing

Under APP7 and the other APPs, a collecting party will be prohibited from using personal information for direct marketing (or disclosing the personal information to another organisation for use in direct marketing) unless:
a)    the person would reasonably have expected the collecting party to do so and
b)    a simple “opt out” mechanism is provided to enable the individual to stop receiving direct marketing material.

APP7 does not apply to the extent that the Do Not Call Register Act 2006 and the Spam Act 2003 apply, which also regulate electronic direct marketing.

As with all privacy issues, it is always best to seek and obtain express consent from the individual. Assuming it will be okay to direct market is no longer acceptable.

Increase in the powers and functions of the Australian Information Commissioner

The amendments clarify the powers and functions of the Australian Information Commissioner in the development and registration of APP Codes of Practice, and improve the Commissioner’s ability to promote compliance with privacy obligations. Civil penalties of up to $340,000 for individuals and $1.7 million for companies are possible where there is a serious or repeated breach of privacy.

The Commissioner will be able to audit compliance, initiate investigations and make enforceable determinations. The Commissioner will also be able to accept written undertakings from organisations that they will take, or refrain from taking, action to ensure compliance with the Privacy Act.

Cross border disclosure of personal information

The amendments impose greater obligations on entities who disclose personal information about an individual to an “overseas recipient”. Disclosure could mean storing data “on the Cloud” where the cloud service is located outside Australia. Entities must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs in relation to the information (subject to specified exceptions). The party that discloses the personal information to the overseas entity will be liable under Australian privacy law for breaches of the APPs committed by the overseas entity.

Where a business sends personal information (including health information) to organisations overseas (for example for reporting of tests, records management or marketing), you will need to ensure that the persons from whom that information is collected are expressly aware of this. More detailed information will also need to be included in your privacy policy.

Bearing in mind these changes it is likely that additional provisions will need to be inserted in your privacy policy, and your data collection processes reviewed. Greater attention will also need to be paid to ensure you have the real consent of people on your database to use their data in the way you propose.