The new privacy laws come into effect on 12 March 2014 so there isn’t much time left to review your privacy policies and procedures in order to comply with the new legislation. If you are found in repeated breach of these new laws, penalties can be up to $340 000 for an individual and $1.7 million for a company.
What is Personal Information?
The new privacy laws are concerned with personal information. Personal information is defined to include any information which can be used to reasonably identify a person and includes:
- Records of visitors, potential customers and current customers.
- Video or image records created via the use of surveillance and safety cameras.
- Credit information generated and collected by the business.
Am I Affected?
Generally, the new laws will only apply to businesses and non-governmental organisations that handle personal information and have an annual turnover of more than $3 million. However, there are a few exceptions to this rule, and smaller businesses may wish to show they are complying with Australian standards and that they respect their clients’ privacy.
What are the Changes?
The Privacy Amendment Act introduces the Australian Privacy Principles (APP) which outline an organisation’s privacy obligations with regards to the collection, storage, security, use, disclosure, access and correction of personal information.
Briefly, the new Australian Privacy Principles are as follows.
1 – Open and transparent management of personal information
This principle requires an organisation to have policies and procedures in place to ensure the personal information they collect and hold is managed in an open and transparent way. Privacy policies in particular are required to:
- Be clear, accessible by customers, and up-to-date.
- Contain information about the kinds of personal information collected and how an individual can complain about a breach of the privacy principles.
2 – Anonymity
People must have the option of not identifying themselves or be able to use a pseudonym. The exception is organisations that must deal with individuals who have identified themselves (e.g. the police force).
3 – Collection of solicited personal information
Sensitive personal information can only be collected with an individual’s consent, and only where the information is reasonably necessary for the organisation’s functions or activities. The organisation must outline when and how it will collect this personal information.
4 – Dealing with unsolicited personal information
If unsolicited personal information is received by an organisation, it must determine within a reasonable time whether it would have been permitted to collect that information under Principle 3 above. If the organisation determines that it would not have been permitted, it must destroy the information or de-identify it as soon as practicable.
5 – Notification of the collection of personal information
An organisation must notify the person as soon as practicable (preferably at the time the information is being collected) of the following:
- From where the information is collected.
- The purpose for collecting the information.
- The consequences (if any) if all or some of the information is not collected.
- The access, correction and privacy complaints handling process of the organisation collecting the information.
6 – Use and disclosure of personal information
An organisation can only use or disclose the private information it has gathered for the purpose for which it was collected. There are some exceptions – for example the information may be disclosed without the consent of the individual if it is required under Australian law or by a court order.
7 – Direct marketing principles
Personal information held by an organisation may only be used or disclosed for direct marketing where either consent was given, or a person would have a reasonable expectation that their personal information would be used for such a purpose, AND there was an opt-out option which was not requested by the person.
Organisations must notify the individual of the source of the personal information held by them when requested. The person cannot be charged for the request, and the request must be carried out within a reasonable timeframe.
8 – Cross-border disclosures
Before personal information is disclosed to a person not located in Australia, the organisation must take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles in relation to the information.
9 – Adoption, use or disclosure of government related identifiers
An organisation must not adopt a government related identifier of an individual (e.g. a driver’s licence number) as its own identifier of the individual unless it is required or authorised under Australian law.
10 – Quality of personal information
Reasonable steps must be taken to ensure that the information collected is accurate, up-to-date and complete.
11 – Security of personal information
Where a company holds personal information, reasonable steps must be taken to protect the information from misuse, loss, unauthorised access, modification or disclosure. When the information is no longer needed and does not need to be retained by law, the organisation must destroy or de-identify the information.
12 – Access to personal information
Individuals have the right to access the personal information held about them. The organisation must respond to the request within a reasonable period, and in the manner requested by the individual, provided it is reasonable and practicable to do so. Where the organisation refuses to provide access, a written response, which sets out the reasons for the refusal and the details of a complaint mechanism, is required. An organisation may charge a fee for access to the information provided it is not excessive.
13 – Correction of personal information
An organisation must take reasonable steps to correct personal information to ensure that it is accurate, up to date, complete, relevant and not misleading. All correction requests must be dealt with within a reasonable period, and free of charge. Written responses, which include details of a complaints handling process, are required for a refusal to correct personal information.
In summary, the different privacy principles that currently apply to government and to the private sector will be combined into a single set of Australian Privacy Principles, with the effect that:
- The Australian Information Commissioner will have additional powers to ensure compliance
- Obligations in relation to personal information stored or sent overseas will be strengthened; and
- Greater requirements will be imposed with respect to privacy policies and compliance procedures.
Given that the implementation of these changes is now only a month away, it’s a good time to review your privacy policies and procedures to ensure they comply with the new legislation.
If you’d like some guidance or need a sounding board please email me at firstname.lastname@example.org