Updates to the Privacy Act

February 1 2014

BOARDWORX BRIEFING | Updates to the Privacy Act 1988

What’s changed?

From 12 March 2014, the National Privacy Principles and the Information Privacy Principles have been replaced by the Australian Privacy Principles (APPs). The 13 APPs apply to businesses (except small businesses with an annual turnover of $3m or less, and subject to specific exemptions) and to Australian Government agencies.

Central Feature of the amendments – Procedures, Practices and Systems

A central feature of the amendments is that businesses must take proactive steps to establish and maintain internal procedures, practices and systems to ensure they comply with each of the 13 APPs.

There are a number of examples of practices, procedures and systems provided in the APP guidelines and businesses should become familiar with them.

Practical steps for entities now

  • Review and amend your existing privacy policy to ensure it complies with the new APPs.
  • Audit your current privacy processes and systems to identify compliance gaps.
  • Develop and introduce new processes and systems to address these compliance gaps.
  • Carry out staff compliance training to ensure staff know about and understand their obligations under these new processes and systems.
  • Carry out due diligence on third party providers that you disclose personal information to, to ensure that they handle that personal information in accordance with the APPs, or have a substantially similar privacy regime if they are based overseas.
  • Review your third party contracts to ensure they contain adequate privacy provisions.
  • Ensure that you have an adequate ‘opt-out’ mechanism in your direct marketing materials and adequate consent from people to receive marketing materials.
  • Ensure you have introduced a process of continual review of your privacy policy.

Key changes – some detail…

There are a number of key areas in which the Privacy Act has been amended that will impact businesses:

  • Greater transparency about handling personal information

An entity is obliged to be transparent about the manner in which it holds personal information and whether this information is being disclosed to other parties.

Entities are now required to:

– implement a compliance plan establishing processes that conform to the APPs;

– publish an updated privacy policy that is readily accessible, without charge, to interested parties; and

– obtain the consent of individuals to their information being held by the entity.

  • Further accountability for personal information disclosed to an overseas recipient

If an entity discloses personal information to an overseas recipient, the entity must implement processes to ensure the overseas recipient does not breach the APPs, or must reasonably believe that the information will be handled in a way similar to the APPs. An individual whose information is disclosed to the overseas recipient must be able to access their personal information.

  • Collecting personal information; consenting to personal information being collected by an entity

When an entity collects personal information, it must take reasonable steps to:

– advise the individual that their personal information is being collected;

– provide details so the individual is able to contact the entity; and

– tell the individual whether the entity has collected this information from someone other than the individual.

Businesses must also have processes in place to deal with unsolicited personal information.

  • Personal information used for direct marketing

An entity must only use personal information about an individual for direct marketing if the information was collected directly from the individual. There needs to be a rational purpose for the entity to use or disclose the information for direct marketing, and the individual must be able to ‘opt out’ of the database.

For information gathered from a third party, the individual must have agreed to receive the direct marketing unless it is not feasible to obtain that consent, and there needs to be a noticeable message telling individuals that they can opt out of the direct marketing. Entities must therefore be able to show how they received personal information about an individual.

  • Reporting any compromised information

An entity must protect the personal information it stores from being mishandled or lost, and must report to the privacy regulator if there are compromises of the data that could potentially expose information about an individual.