Organisations in Australia that are regulated by the Privacy Act will need to review and update their privacy compliance soon, following the passage of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 today.
A key change to the Bill as it passed through Parliament is the extension of the deferred commencement period for most of the new provisions, which has gone from nine to 15 months after Royal Assent. This is a recognition by the Government of businesses' concerns about the complexity of the changes and their need for more time to prepare.
What sort of activities will be of particular concern?
While the old Information Privacy Principles and National Privacy Principles have been consolidated into 13 new Australian Privacy Principles, we are not looking simply at a rebranding of the current law. There have been some important changes affecting all information collection, handling and disclosure, but particularly:
- dealing with unsolicited information;
- the introduction of a new "accountability" approach to cross-border data flows; and
- new requirements for direct marketing.
What should you do now?
Royal Assent is expected very soon, so the clock has started running on reviewing and changing your privacy compliance systems. While it might seem a long time in which to prepare, the extension to 15 months does not mean you can relax and only start getting serious about this at a later time. The more onerous obligations for the cross-border flow of data in particular will require a proper round of due diligence into your offshore data storage and processing.