Businesses that deal with an individual’s personal information in any way must take steps to deal with the new privacy amendments or risk penalties of up to $1.7 million for breaches by corporations and up to $340,000 for breaches by individuals.
‘Personal information’ is defined broadly and includes information such as names, addresses, financial information, sensitive information (e.g. health, religion, etc.), email addresses or any other ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’. The amendments primarily apply to businesses that have an annual turnover of more than $3 million.
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) essentially rewrites the existing privacy laws. The Act:
- introduces 13 ‘Australian Privacy Principles’ to deal with the handling of personal information;
- comprehensively amends the credit reporting provisions;
- strengthens the Australian Information Commissioner’s powers and clarifies non-compliance consequences; and
- allows for new privacy and credit reporting codes that will bind specified agencies and organisations.
Australian Privacy Principles (APPs)
The APPs replace the previous National Privacy Principles (for private entities) and Information Privacy Principles (for public entities). Some key ramifications for affected entities are:
- You must only collect personal information for permitted reasons and once collected, you must deal with the personal information in accordance with the APPs.
- You must notify individuals of certain privacy matters before collecting their personal information.
- You must follow strict procedures for dealing with unsolicited information.
- You cannot use personal information for direct marketing purposes unless you satisfy an exception.
- You must take steps before you disclose information to overseas recipients to ensure they do not breach the APPs (e.g. outsourcing or cloud computing).
- You must adhere to any codes (APP codes) established for your particular industry or market.
Information Commissioner and Penalties
Under the new amendments, the Australian Information Commissioner has enhanced powers to resolve privacy issues, such as investigating privacy breaches on its own motion, accepting enforceable undertakings, seeking civil penalty orders, declaring compensation orders and conducting privacy performance assessments. Individuals or corporations that seriously interfere with a person’s privacy or repeatedly interfere with a person’s privacy are liable for fines of up to $340,000 (for individuals) or $1.7 million (for corporations).
The credit reporting provisions have also been comprehensively revised to expand the number of entities subject to the credit reporting provisions and include similar requirements to those in the APPs. Credit providers will also be able to access further information when assessing an individual’s credit worthiness. Most businesses that render invoices with deferred payment terms (more than seven days) will be subject to the new credit reporting provisions.
Commencement date and what you should do now
The amendments will commence on 12 March 2014.
To ensure a seamless transition to the new law and full compliance with their privacy obligations, businesses should:
- seek advice now as to how the privacy amendments affect them;
- revise their privacy policies;
- review their collection processes;
- review existing contracts (particularly any outsourcing arrangements or cloud computing);
- put in place procedures and processes for complying with the new notification requirements; and
- educate their staff on the new amendments.