From 12 March 2014, the Australian privacy laws have changed to include a new set of harmonised privacy principles, which will regulate the handling of personal information by both Australian government agencies and businesses.
These new principles are called the Australian Privacy Principles (APPs) and replace the existing Information Privacy Principles (IPPs) that currently apply to Australian government agencies and the National Privacy Principles (NPPs) that currently apply to businesses.
The APPs therefore apply to all Commonwealth government agencies and private businesses with annual turnovers exceeding $3 million. However, a business with an annual turnover of less than $3 million will still need to comply with the privacy legislation if the business:
- is a health service provider;
- trades in personal information (e.g. buying or selling mailing lists);
- is a related body corporate of a business that turns over $3 million or more per annum;
- is a contractor that provides services under a Commonwealth contract;
- is a reporting entity for the purposes of the Anti-Money Laundering and Counter Terrorism Financing Act 2006; or
- is an operator of a residential tenancy database.
Although most of the APPs are similar to the existing NPPs, there are some significant changes. It is important that businesses implement these changes, particularly in light of the new penalties that can be imposed for breaches of the APPs, which include civil penalties of up to $340,000.00 against individuals and up to $1.7 million against corporations.
- Access – The policy now needs to specify how an individual can access their personal information.
- Correction – The policy must set out how an individual can request a correction of personal information.
- Complaints – A procedure must be set out for how an individual can complain about a breach of the APPs.
- Disclosure to overseas recipient – An entity must state whether or not it is likely to disclose personal information to an overseas recipient.
- Unsolicited information – There is an obligation on an entity to determine whether or not it has received unsolicited information and, if it was not entitled to collect it, it must destroy or de-identify the information as soon as possible.
- The kind of personal information collected and held and how it is collected and held.
- The purposes for which the personal information is collected, held, used and disclosed.
- Details of other entities that the information is usually disclosed to.
- The policy must be available free of charge and in an appropriate form, for example on the business website.
Another area that must be carefully managed is direct marketing. The APPs indicate that direct marketing using personal information, other than so-called “sensitive information”, is permitted in two circumstances:
- Without consent – No consent is required if the personal information was collected directly from the individual and the individual would reasonably expect the use or disclosure of personal information for direct marketing.
- With consent – Express or implied consent is required, if the individual would not reasonably expect its use or disclosure for direct marketing, or the information is collected from someone other than the individual.
Note that the APPs do not apply to the Electronic Marketing (Spam) Act 2003 or the Telemarketing (Do Not Call Register) Act 2006. They do, however, apply to other forms of direct marketing.
The above is a brief snapshot of the requirements of the new privacy legislation and the changes that will require entities to look very carefully at how personal information is collected, used, stored and disclosed, particularly in light of the significant new powers of the Commissioner and the potential fines for breaches of the legislation.
For further advice and assistance with redrafting privacy policies, please contact Harvey Bowlt on 9550 4600.