The amendments to the Privacy Act 1988 (the Act) came into force in March 2014 and introduced major reforms to the way Commonwealth government agencies and private businesses collect, use and deal with personal information. The reform saw the introduction of 13 harmonised Australian Privacy Principles (APPs) applying to both Commonwealth Government agencies and private sector organisations with an annual turnover of more than $3 million, and to some small businesses, replacing the National Privacy Principles (NPPs) and the Information Privacy Principles, which applied to private and government agencies respectively.
Our strong recommendation, however, is that you apply the principles even if your turnover is less than $3 million. This accords with community expectations and is generally a commercially sound business approach. It also means that if a franchise’s turnover later exceeds $3 million, everything is already in place.
While the APPs largely mirror the NPPs, they put a much greater onus on organisations to manage their privacy policies, systems and practices to ensure compliance with the APPs, and introduce more stringent controls on direct marketing and sending data offshore.
It is essential that all organisations review and update their privacy policies and undertake a review of their internal practices and procedures to ensure compliance. Under the new provisions the powers of the Privacy Commissioner have significantly increased. Organisations may face penalties of up to $1.7 million, and individuals of up to $340,000, for serious non-compliance and repeated breaches.
APP1 – open and transparent management of personal information
The object of this principle is to ensure that personal information is managed in an open and transparent way. An organisation must take such steps as are reasonable in the circumstances to implement practices and systems, relating to the organisation’s functions and activities, that will ensure compliance with the APPs and enable it to deal with inquiries from individuals about the organisation’s compliance with the APPs. The organisation must also have a clearly expressed and up-to-date privacy policy that sets out:
- the kinds of personal information that are collected and held;
- how the organisation collects and holds the information;
- the purposes for which the personal information is collected, held, used and disclosed;
- how an individual may access their personal information and seek the correction of it;
- how an individual may complain about the organisation’s breach of the APPs; and
- whether the personal information is likely to be disclosed to overseas recipients.
APP5 – notification of the collection of personal information
If you are collecting personal information about an individual, you must, wherever practicable, inform the individual at or before the time of collection of the following matters:
- the identity and contact details of the organisation collecting the information;
- if collecting personal information from sources other than the individual (such as credit reporting agencies when undertaking due diligence on prospective franchisees), the individual must be informed of this fact and told why the collection is necessary;
- details of any law or court order which requires collection of the personal information;
- the purposes for which the personal information is collected;
- the consequences (if any) for the individual if some of the information is not collected (for example, not being able to provide a service to your customers if certain information is not collected);
- details of other entities and persons to which you usually disclose the personal information (for example, if you are collecting customer information for marketing purposes, whether that information is shared with other franchisees, a marketing company and so on);
- the likelihood of offshore disclosure.
APP4 – unsolicited information
If your organisation receives personal information about an individual which is not solicited (meaning the entity has taken no active step to collect the information), you are required to assess whether your organisation could have lawfully collected the personal information. If not, you must as soon as practicable destroy or de-identify that personal information.
Unsolicited information could be obtained through job enquiries or franchise enquiries.
Your franchise system needs to have standardised policies and procedures to deal with this APP (as well as the other APPs). The procedures you put in place must assist you to identify unsolicited information and set out a step-by-step plan on how to deal with it (including securely de-identifying or destroying unsolicited information).
APP7 – direct marketing
Franchisors must review their marketing strategies as this APP prohibits the use or disclosure of personal information for the purposes of direct marketing unless:
- there is consent from the individual to use the personal information for direct marketing purposes or the information is collected from the individual and the individual would reasonably expect you to use or disclose the information for direct marketing; and
- you provide a simple opt-out mechanism for individuals to request not to receive the marketing information; and
- the individual is informed that they may request that the organisation stop using their personal information for purposes of direct marketing (and the individual has not made such a request).
Best practice is to always obtain an individual’s consent if you intend to use their information for direct marketing purposes. Don’t forget that it is essential to advise individuals that they can opt out of receiving direct marketing material at any time. The opt-out mechanism needs to be clearly visible and accessible on each piece of direct marketing material that is sent.
APP8 – cross-border disclosure of personal information
It is important to remember that you may be directly liable for breaches of the APPs by an overseas entity to whom you disclosed personal information. If your franchise system discloses personal information that it collects to an overseas entity, you must ensure that the overseas recipient does not breach the APPs, and this must be done in a way that can be proved and is enforceable against the overseas party – usually in a contract or terms and conditions that bind the overseas entity to comply with the APPs.
This could relate to material provided to a head franchisor who is resident outside Australia, and may also relate to cloud computing services that store data in overseas jurisdictions.
We suggest undertaking due diligence on the overseas entity prior to disclosing the information and imposing suitable contractual obligations on the entity requiring compliance with the APPs.
What does this mean for your franchise system?
As a franchisor you should:
- update your internal practices and procedures, ensuring that each APP is addressed;
- undertake a risk assessment to identify any compliance and risk issues;
- regularly audit your systems to ensure their security and address any vulnerabilities;
- ensure that you take reasonable steps to destroy or de-identify information that you no longer need or use (including unsolicited information);
- appoint a privacy officer or key contact person who is well trained to deal with individual requests relating to their personal information and any complaints;
- provide training to all staff and franchisees to ensure that they are up to date with the changes and are aware of their duties.
Your franchise system must have strategies and procedures in place which allow it to monitor compliance with the APPs. This should be a continuous process. Finally, organisations must remember that it is not enough to put policies and procedures in place – you must ensure that you adhere to them.