Enhanced privacy protections means greater burden on business

By Leonie Kyriacou

June 24, 2013

The federal government has recently passed the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which substantially amends the Privacy Act 1988 (Cth) (the Act). The changes to the Act are likely to have significant consequences for businesses.

The amendments will come into force on 12 March 2014.

It is essential that business owners are aware of the new laws and update their privacy policies and procedures to ensure compliance with the amended Act.

Overview

Currently, the Act contains 10 National Privacy Principles (NPPs). The focus of the NPPs is on regulating the manner in which certain businesses collect, store and use personal information. The NPPs do not apply to small business operators, that is, businesses with an annual turnover of less than $3 million, unless the business collects health information or credit reporting information.

The focus of the amended Act will remain on regulation of collection, storage and use of personal information. However a much stricter regime will apply and the NPPs will be replaced with 13 Australian Privacy Principles (APPs).

There are a number of key differences between the NPPs and the APPs. These differences are discussed below. As with the NPPs, the APPs will not apply to small business operators. However, this does not mean that small business operators are immune from some of the amended Act’s penalty provisions. This is also dealt with below.

Key changes

Penalties

Without a doubt, the introduction of civil penalties for certain breaches of the amended Act is the most important change for business. In addition, certain breaches of the amended Act will constitute criminal offences. If an individual or entity which is bound by the APPs commits a serious breach or repeated breaches of the APPs, then civil penalties can apply. No such penalties exist in the current Act.

A raft of civil and criminal penalty provisions apply to credit providers and credit reporting bodies for misuse and unauthorised disclosure of personal credit information. Whether a business is bound by the APPs or not, if it illegally obtains credit reporting information about an individual then that business is also liable for civil and criminal penalties.

Further, the Privacy Commissioner will have the power to investigate any person if a complainant alleges that the person has interfered with the complainant’s privacy (that is, breached an APP or one of the provisions which protects credit reporting information). Among other things the Privacy Commissioner can make a declaration that the person who is the subject of the complaint pay compensation to the complainant.

Cross border disclosure

Although the existing NPPs include obligations related to cross border disclosure of personal information, under the APPs a business which provides personal information to an overseas recipient can be liable for a breach of the APPs committed by the overseas recipient.

Notification of the collection of personal information

The amendments to the Act include new notification obligations. If you collect personal information about an individual from a third party and the individual may not be aware that you have collected this information, you need to take reasonable steps to ensure that the individual is aware that you have collected the information and the circumstances of that collection.

Access to personal information

Similar to the NPPs, the APPs require you to give individuals access to their personal information at their request. However, the APPs include a new requirement that businesses give access within a “reasonable period” and in the manner requested by the individual. There are also some new exceptions to this requirement, which include:

(a)      the ability to refuse a request on the basis that there is a serious threat to public health or safety;

(b)      such serious threats no longer need to be “imminent”;

(c)      you can deny access if required or authorised by a court or tribunal order;

(d)      exceptions relating to unlawful activity or misconduct have been expanded.

If you do refuse access you generally will need to provide written reasons for the refusal and how an individual can complain about the refusal.

Correct personal information

The onus of showing that an individual’s personal information is inaccurate or out of date is no longer on the individual. Instead the amendments to the Act state that the recipient of the information has that obligation and must take reasonable steps to correct personal information. The APPs are more specific about the information you must provide to an individual. If you correct an individual’s personal information you may also need to inform other organisations to whom you have previously disclosed such information that it has been updated or corrected.

Unsolicited personal information

APP 4 introduces a new obligation on organisations that receive unsolicited personal information. It provides that this unsolicited information must be given the same protection you would have provided had you in fact solicited the personal information. For example you must determine whether you could have collected the information under the APPs. If you could have collected this information under the APPs then certain obligations to protect this information apply. If you could not have collected the information under the APPs you may need to destroy or “de-identify” the information.

Anonymity

Individuals providing personal information must have the option of being anonymous or providing a pseudonym unless you are obliged by law to deal with individuals who have identified themselves or it is impracticable for you to do so.

Direct marketing

The use and disclosure of personal information for direct marketing is now specifically addressed in the APPs. Generally, you can only use or disclose personal information for direct marketing purposes if an individual has consented to their information being used for direct marketing or they have a reasonable expectation that their personal information will be used for direct marketing.

You also need to ensure that opt out mechanisms are clearly provided and followed.

Privacy policy and new procedures

In practical terms, if the APPs apply to your business, you will need to introduce a new privacy policy that is compliant with the amended Act. The policy must be up-to-date and clearly expressed. Your policy must cover at least the following points:

(a)      the kind of personal information you collect and hold;

(b)      how you collect and hold that information;

(c)      the purposes for which you collect, hold and disclose that information;

(d)      how an individual can access personal information about themselves and how they can correct it if it is incorrect;

(e)      how a person can lodge a complaint with you for breaching an APP and what your procedures are for dealing with such a complaint; and

(f)      whether you are likely to disclose a person’s personal information to overseas recipients and, if so, identify the countries in which those recipients are located.

You will also need to take “reasonable steps” to make sure the policy is available and free of charge. This means if you have a website it must contain a link to the policy and if someone requests a copy you must provide it.

While your current privacy policy may cover some of the above, it is likely that you will need to amend it in light of the substantial changes under the amended Act. You will also need to ensure that your policy stays up to date with any changes in your business practices and complies with any further amendments to the Act which may occur in the future.

Staff manual

Separately from your privacy policy, you should have a privacy manual for your staff which explains the importance of compliance with the amended Act and sets out procedures for dealing with requests and complaints from individuals regarding their personal information. The existence of such a procedure, and adherence to it, may be a mitigating factor if your business is found to have breached the amended Act.

What should you do?

To ensure compliance with the amended Act, your business will need to undertake a complete privacy audit of the way it handles personal information. You will need to:

(a)      give more information to individuals about the personal information collected from them;

(b)      create a privacy compliance program and ensure it is followed;

(c)      review any direct marketing undertaken by your business;

(d)      if any of your data storage is done overseas, ensure that the recipient of the data is fully compliant with the APPs or their foreign equivalent; and

(e)      completely update your business’s privacy policy to reflect these changes.

This article is only an overview of some of the key changes to the Act which will commence on 14 March 2014, and is not an exhaustive statement of changes which may affect your business. If you are unsure about what is required to ensure compliance with the amended Act, you should seek legal advice.

For more information contact Leonie Kyriacou at l.kyriacou@pigott.com.au.