The amendments to the Privacy Act 1988 (the Act) came into force in March 2014 and introduced major reforms to the way Commonwealth government agencies and private businesses collect, use and deal with personal information. The reform saw the introduction of 13 harmonised Australian Privacy Principles (APPs) applying to both Commonwealth Government and private sector agencies with an annual turnover of more than $3 million and some small businesses, replacing the National Privacy Principles (NPPs) and the Information Privacy Principles, which applied to private and government agencies respectively.

Our strong recommendation, however, is that you apply the principles whether or not your turnover is less than $3 million. This accords with community expectations and is generally a commercially sound business approach. It also means that if a franchise’s turnover exceeds $3 million, everything is already in place.

While the APPs largely mirror the NPPs, they put a much greater onus on organisations to manage their privacy policies, systems and practices to ensure compliance with the APPs, and introduce more stringent controls on direct marketing and sending data offshore.

It is essential that all organisations review and update their privacy policies and undertake a review of their internal practices and procedures to ensure compliance. Under the new provisions the powers of the Privacy Commissioner have significantly increased. Organisations may face penalties of up to $1.7 million, and individuals of up to $340,000, for serious non-compliance and repeated breaches.

KEY CHANGES:

APP1 – open and transparent management of personal information

The object of the principle is to ensure that personal information is managed in an open and transparent way. An organisation must take such steps as are reasonable in the circumstances to implement practices and systems, relating to the organisation’s functions and activities, that will ensure compliance with the APPs and enable it to deal with inquiries from individuals relating to the organisation’s compliance with the APPs.

Both franchisees and franchisors will collect personal information from individuals and must have readily available, free of charge to those individuals, a clearly expressed and up-to-date policy about the collection, use and management of their personal information. This privacy policy must relay to the individuals:

  • the kinds of personal information that is collected and held;
  • how the organisation collects and holds the information;
  • the purposes for which the personal information is collected, held, used and disclosed;
  • how an individual may access their personal information and seek the correction of it;
  • how an individual may complain about the organisation’s breach of the APPs; and
  • whether the personal information is likely to be disclosed to overseas recipients.

If you have not already reviewed and updated your privacy policy in line with the reforms you must immediately seek to do so. Organisations should also undertake a risk assessment of their practices and procedures to identify any compliance and risk issues. These should be updated and managed accordingly. Privacy training should be organised for the franchisees and your employees to ensure that they are up to date with the changes and are aware of their duties.

Your privacy policy should be available on your website and you may include it as an annexure to your manuals noting that it is subject to change.

APP5 – notification of the collection of personal information

If you are collecting personal information about an individual, wherever practicable, you must inform the individual at or before the time of the collection of the personal information of the following matters:

  • the identity and contact details of the organisation collecting the information;
  • if collecting personal information from sources other than the individual (such as credit reporting agencies when undertaking due diligence on prospective franchisees), the individual must be informed of this fact and told why the collection is necessary;
  • details of any law or court order which requires collection of the personal information;
  • the purposes for which the personal information is collected;
  • the consequences (if any) for the individual if some of the information is not collected (for example, not being able to provide a service to your customers if certain information is not collected);
  • details of other entities and persons to which you usually disclose the personal information (for example, if you are collecting customer information for the purposes of marketing, is that information shared with other franchisees, a marketing company and so on);
  • that your privacy policy sets out how an individual can seek access to or correction of their personal information and complain about a breach of the APPs; and
  • the likelihood of offshore disclosure.

Collecting personal information from potential franchisees would be covered by the APPs, as would customer data from loyalty programs or competitions. As mentioned above, your first step should be to review and update your privacy policy. Further, you need to undertake a review of your privacy collection statements to ensure that they address the mentioned mandatory matters. This may include a review of your franchise application form, prospective employees’ application form, loyalty program terms and conditions etc.

APP4 – unsolicited information

If your organisation receives personal information about an individual which is not solicited (meaning the entity has taken no active step to collect the information), you are required to assess whether your organisation could have lawfully collected the personal information. If not, you must as soon as practicable destroy or de-identify that personal information.

Unsolicited information could be obtained through job enquiries or franchise enquiries.

Your franchise system needs to have standardised policies and procedures to deal with this APP (as well as the other APPs). The procedures you put in place must assist you to identify unsolicited information and set out a step-by-step plan on how to deal with it (including securely de-identifying or destroying unsolicited information).

APP7 – direct marketing

Franchisors must review their marketing strategies as this APP prohibits the use or disclosure of personal information for the purposes of direct marketing unless:

  • there is consent from the individual to use the personal information for direct marketing purposes or the information is collected from the individual and the individual would reasonably expect you to use or disclose the information for direct marketing; and
  • you provide a simple opt out mechanism for individuals to request not to receive the marketing information; and
  • the individual is informed that they may request that the organisation stop using their personal information for purposes of direct marketing (and the individual has not made such a request).

The best practice is to always get an individual’s consent if you intend to use their information for direct marketing purposes. Don’t forget that it is essential to advise individuals that they can opt out of receiving direct marketing material at any time. The opt-out mechanism needs to be clearly visible and accessible on each piece of direct marketing material that is sent.

APP8 – cross-border disclosure of personal information

It is important to remember that you may be directly liable for breaches of the APPs by an overseas entity to which you disclosed personal information. If your franchise system is disclosing personal information that it collects to an overseas entity, you must ensure that the overseas recipient does not breach the APPs, and this must be done in a way that can be proved and is enforceable against the overseas party – usually in a contract or terms and considerations that bind the overseas entity to comply with our principles.

This could relate to material provided to a head franchisor who is resident outside Australia, and may also relate to cloud computing services that store data in overseas jurisdictions.

We suggest undertaking due diligence on the overseas entity prior to disclosing the information and imposing suitable contractual obligations on the entity requiring compliance with the APPs.

What does this mean for your franchise system?

As a franchisor you should:

  • review and update your privacy policy and take care to ensure that your privacy policy is placed on your website;
  • update your internal practices and procedures, ensuring that each APP is addressed;
  • undertake a risk assessment to identify any compliance and risk issues;
  • regularly audit your systems to ensure their security and address any vulnerabilities;
  • ensure that you take reasonable steps to destroy and de-identify information that you no longer need or use (including unsolicited information);
  • appoint a privacy officer or key contact person who is well trained to deal with individual requests relating to their personal information and any complaints;
  • provide training to all staff and franchisees to ensure that they are up to date with the changes and are aware of their duties.

Your franchise system must have strategies and procedures in place which allow it to monitor compliance with the APPs. This should be a continuous process. Finally, organisations must remember that it is not enough to put policies and procedures in place – you must ensure that you adhere to them.