The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the ‘privacy amendments’) commences on 12 March 2014 and makes significant changes to the Privacy Act 1988.
The amendments do not just affect those who undertake credit reporting; they affect every business that collects, uses or holds personal information.
Bury your head in the sand and the consequences could be expensive. The Australian Privacy Commissioner has enhanced powers to accept enforceable undertakings and to apply to the court for civil penalty orders of up to $1.7 million for corporations ($340,000 for individuals) against entities that commit serious or repeated interferences with privacy under the Privacy Act 1988 (the Act).
The Act governs how entities collect, use and hold personal information. The definition of ‘personal information’ is broad and includes things such as customer records, website cookies and marketing databases.
What has changed?
Australian Privacy Principles
The Australian Privacy Principles (APPs) replace the National Privacy Principles (NPPs) and the Information Privacy Principles (IPPs).
Amongst other things the APPs set out principles on:
- how entities must collect and hold personal information;
- the purpose for which entities may collect personal information;
- how individuals may access and seek correction of their personal information;
- how individuals may complain about interferences with their privacy; and
- what an entity must do before it discloses personal information to an overseas recipient.
Every entity covered by the Act will need:
- a compliance plan that documents the procedures it uses to comply with the APPs;
- updated privacy notices and consents.
Notification and consent to collecting personal information
At or before the time of collecting personal information (or, if that is not practicable, as soon as practicable afterwards), an entity must take reasonable steps to notify the individual that it is collecting the individual’s personal information. The notice must also include the entity’s contact details and, if the information has been collected from a third party, the fact that it was collected from someone other than the individual.
Some circumstances require the individual’s consent to the collection of personal information, such as credit reporting and the collection of sensitive information (which includes, among other things, personal information about race, political opinions, religious beliefs or affiliations, sexual orientation, criminal record and health information).
If the entity receives unsolicited personal information, it must determine whether it could lawfully have collected that information from the individual under the APPs. If not, and it is lawful and reasonable to do so, it must destroy or de-identify the information as soon as practicable.
An entity must not use or disclose personal information about an individual for the purposes of direct marketing unless:
- the entity collected the personal information directly from the individual;
- the individual would reasonably expect the entity to use or disclose their personal information for the purpose of direct marketing;
- the entity provides a simple means to ‘opt-out’; and
- the individual has not yet opted out.
If the personal information has been collected from a third party:
- the individual needs to have consented to receiving the direct marketing (unless obtaining consent is impracticable);
- each direct marketing communication includes a prominent statement that the individual may ‘opt-out’; and
- the individual must not have ‘opted-out’.
Specific consent is also required if an entity wishes to use sensitive information about an individual for direct marketing purposes.
Because the rules depend on where the information came from, an entity must keep records of how each item of personal information came into its possession.
These obligations are in addition to obligations under the Do Not Call Register Act 2006 and the Spam Act 2003.
Cross-border disclosure of personal information
If an entity discloses personal information to an overseas recipient, the entity must take such steps as are reasonable in the circumstances to ensure the overseas recipient does not breach the APPs, and it remains accountable under the Act for the recipient’s handling of that information.
If the entity reasonably believes:
- the recipient of the information is subject to a privacy regime that is overall substantially similar to the APPs; and
- there are mechanisms for an individual to access that regime to protect their privacy rights,
then the entity can disclose the personal information to the overseas recipient.
Alternatively, the entity can disclose the personal information to the overseas recipient with the individual’s consent, provided that before the disclosure it expressly informs the individual that, if they consent, the entity will not be required to take steps to ensure the overseas recipient complies with the APPs.
Companies need to consider every channel through which personal information leaves Australia, including overseas call centres, cloud storage hosted in overseas jurisdictions, and disclosure to overseas ‘head offices’.
Access and complaints
An entity must take reasonable steps to ensure the personal information it collects, uses and discloses is accurate, up to date and complete.
The entity must also take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification and disclosure.
In addition to the APPs, entities should be aware of the Privacy Amendment (Privacy Alerts) Bill 2013, which proposed mandatory data breach notification. The Bill lapsed when Parliament was prorogued before the 2013 federal election, so at the commencement of the privacy amendments breach notification remains voluntary; if a similar Bill is reintroduced and passed, the obligations below would apply.
Under the Bill, entities would be required to notify the Privacy Commissioner (and, in some cases, affected individuals or the public) of serious data breaches.
A serious data breach includes unauthorised access to, or disclosure of, personal information that will result in a real risk of serious harm to the individual to whom the personal information relates.
Serious harm may include physical and psychological harm to an individual as well as injury to feelings, humiliation, harm to reputation, and financial or economic harm.
Entities are required to give individuals access to their personal information on request. If the individual requests that their personal information be corrected, the entity must take reasonable steps to do so. If that personal information has previously been disclosed to a third party, then, if the individual asks, the entity must take reasonable steps to notify that third party of the correction.
If the entity refuses to correct the personal information it holds, it must give the individual written reasons for the refusal and details of how the individual can complain about it.
Credit reporting
The privacy amendments repeal and replace Part IIIA of the Act in its entirety. On commencement, the Act will contain a new definition of ‘credit provider’, which will include any entity that allows repayment of an obligation to be deferred for at least seven days.
Other changes include:
- A move to comprehensive credit reporting, where information shared between credit providers and credit reporting agencies will include such things as whether an individual meets their payment obligations on time, what their current credit commitments are, details of their credit requests, and their personal solvency information.
- A requirement for credit providers to be members of a recognised external dispute resolution scheme if they intend to report credit information to a credit reporting agency.
- The introduction of rules to allow licensed credit providers to conduct ‘pre-screening assessments’ using credit information for the purpose of direct marketing.
- The introduction of ‘ban periods’ which suspend the reporting of credit information when an individual suspects fraud or identity theft.
What to do now
Reviewing your privacy compliance cannot be done in isolation by your compliance team. Everyone in your organisation who touches personal information needs to be involved, including your IT, marketing and sales teams.