From 12 March 2014, a new set of Australian Privacy Principles (APPs) will commence operation. In general terms, the APPs will apply to all Commonwealth Government agencies and to all businesses with annual turnovers exceeding $3 million (this is not an exhaustive list).
Although most of the APPs are replications of, or enhancements of, the existing National Privacy Principles (NPPs), it is important that businesses prepare now for the March 2014 transition, not least because of the new penalties which can be levelled against persons and organisations found in breach of the APPs.
As part of the overhaul of Australia’s privacy laws, the Australian Information Commissioner will be able to seek civil penalties of up to $340,000 against individuals and up to $1.7 million against corporations.
At a minimum, businesses should take the following steps to ensure compliance with the APPs:
Businesses must ensure that they have a clearly expressed, readily available, and up-to-date policy about the management of personal information. The policy must contain the following information:
- The kinds of information that the business collects and holds.
- How the business collects and holds personal information.
- The purposes for which the business collects, holds, uses and discloses personal information.
- How an individual may access their personal information.
- How an individual may seek the correction of their personal information.
- How an individual may complain about a breach of the APPs or an applicable APP Code, and how the business will deal with such a complaint.
- Whether the business is likely to disclose personal information to overseas recipients, and if so, the countries in which such recipients are located.
Step 2: Consider whether it is feasible for individuals to remain anonymous or use pseudonyms
Whenever possible, individuals should be given the option of not identifying themselves, or of using a pseudonym.
Step 3: Consider whether the personal information collected by your business is really necessary
Businesses must refrain from soliciting personal information unless the information is reasonably necessary. The means by which an entity can solicit personal information must be lawful and fair; and wherever possible, the personal information should only be solicited directly from the individual concerned.
Step 4: Consider how to deal with unsolicited personal information
If a business receives personal information about an individual which was not solicited, the business must, within a reasonable period, determine whether the business could have lawfully solicited the information. If not, the business must as soon as practicable, destroy or de-identify the information.
Step 5: Ensure systems are in place to notify individuals about the collection of personal information
Wherever practicable, businesses must inform individuals of the following matters at or before the time of collecting personal information:
- The identity and contact details of the business collecting the information.
- If the business collects personal information from sources other than the individual (e.g. a credit reporting agency), the business must disclose the fact that the business collects information from that other source, and the circumstances of the collection.
- The purposes for which the business collects the information.
- The consequences (if any) for the individual if all or some of the information is not collected.
- Details of any other entities, bodies or persons to which the business usually discloses personal information.
- Whether the business is likely to disclose personal information to overseas recipients and, if so, the countries in which such recipients are located.
Step 6: Consider how personal information is dealt with
Businesses should ensure that personal information collected for a particular purpose (the primary purpose) is not used or disclosed for another purpose (the secondary purpose) unless:
- The individual has consented to the use or disclosure of the information for the secondary purpose; or
- The individual would reasonably expect the business to use or disclose the information for the secondary purpose, and the secondary purpose is related to the primary purpose; or
- The secondary purpose is direct marketing and where certain conditions are satisfied.
Step 7: Review your marketing strategies
A business must not use or disclose personal information for the purpose of direct marketing unless:
- The business collected the information from the individual. (Note: There are certain circumstances in which it is permissible to use personal information for direct marketing even though the information was not obtained from the individual); and
- The individual would reasonably expect the business to use or disclose the information for direct marketing; and
- The business provides a simple means by which an individual may request not to receive direct marketing communications (e.g. an ‘opt-out’ link); and
- The individual has not requested that the business stop using their personal information for the purpose of direct marketing.
Step 8: Review your policies for sending personal information offshore
Before disclosing personal information about an individual to an overseas recipient, a business must take reasonable steps to ensure that the overseas recipient does not breach the APPs.
Exceptions apply if:
- The business reasonably believes that the overseas recipient is bound by a law or scheme which is substantially similar to the APPs; or
- The business has expressly informed the individual that the personal information will be sent to an overseas recipient, and the individual has consented to the disclosure.
Step 9: Review your policies regarding government related identifiers
Businesses must not adopt, use or disclose government related identifiers (e.g. tax file numbers, Centrelink reference numbers, Medicare numbers, etc.) unless:
- The adoption by the business of a government related identifier of an individual is authorised by an Australian law or by a court or tribunal order;
- The use or disclosure of a government related identifier is reasonably necessary in order to verify the identity of the individual, is reasonably necessary to fulfil the business’s obligations to a Commonwealth, State or Territory agency, or is authorised by law or a court or tribunal order.
Step 10: Review your policies regarding the integrity of and correction of personal information
A business must take reasonable steps to ensure that personal information collected, used or disclosed by the business is accurate, up-to-date, complete, relevant and not misleading.
If a business corrects information that the business had previously disclosed to another entity, and the individual requests the business to notify the other entity of the correction, the business must take reasonable steps to notify the other entity of the correction unless it is impracticable or unlawful to do so.
If a business refuses to correct personal information on the request of an individual, the individual may further request that the business associate with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading. Upon receipt of such a request, the business must take reasonable steps to associate the statement in such a way that will make the statement apparent to users of the information.
Upon receipt of a request, the entity must respond within a reasonable period, and must not charge the individual for any work associated with the request.
Step 11: Ensure that personal information is stored securely and destroyed or de- identified once it is no longer required
Businesses must take reasonable steps to protect personal information from misuse, interference, loss, and from unauthorised access, modification or disclosure.
If the business no longer needs the personal information, and is not legally obliged to retain the information (e.g. for tax purposes), the business must take reasonable steps to ensure that the information is destroyed or de-identified.
Step 12: Review your policies regarding individual access to personal information
If a business holds personal information about an individual, the business must, upon request by the individual, give the individual access to the information.
Exceptions apply if granting the request would pose a threat to health and safety, if the request is frivolous or vexatious, if the information is subject to legal privilege, if the information is commercially sensitive, if it would be unlawful to disclose the information, and a number of other exceptions.
A business may charge an individual for access to the information, provided that the charges are not excessive and do not relate to the making of the request.
If the business refuses to grant access, the business must give the individual a written notice setting out the reasons for the refusal (provided it is reasonable to do so), and the mechanisms available to complain about the refusal.
Any business which collects or stores personal information regarding its employees, suppliers, clients and potential clients will be affected by the introduction of the APPs.
Businesses which are already complying with the requirements of the NPPs should have policies and systems in place, however these should be reviewed to determine the amendments or supplements required in order to accommodate the changes introduced by the APPs.
In due course, it is anticipated that a number of registered APP Codes will be introduced in order to further regulate the collection and use of personal information in certain industries (e.g. the credit reporting industry).