Significant changes to the Privacy Act came into force on 12 March 2014. They amount to a major overhaul of the Privacy Act that will affect organisations and their customers, and the way organisations manage and handle personal information collected in the course of business.
In particular, where an organisation that collects “personal information” (as defined under the Privacy Act) shares or discloses that information with another party, both the disclosing party and the receiving organisation may have obligations under the new Australian Privacy Principles (“APPs”).
Australian Privacy Principles
The APPs regulate the handling of personal information by organisations, so as to protect individuals against the mishandling of personal information about them by organisations that collect or share that information. While most of the APPs are based on the previous National Privacy Principles (NPPs), some of the new APPs expand on the previous NPPs. Some of the significant changes are outlined below:
APP 3 – collection of personal information: APP 3 provides that an organisation must not collect personal information unless such information is reasonably necessary for one or more of the organisation’s functions or activities. Additionally, under APP 3, an organisation may only collect sensitive information where the individual consents to the collection of such information and the information is reasonably necessary for one or more of the organisation’s functions or activities.
APP 7 – direct marketing: APP 7 provides that an organisation may only use or disclose personal information for direct marketing purposes where the individual has consented to their information being used for direct marketing, or where the individual would reasonably expect the organisation to use or disclose their information for direct marketing purposes and there is a simple way for the individual to opt out of such direct marketing.
APP 8 – cross-border disclosure of personal information: APP 8.1 imposes a new obligation on organisations to take such steps as are reasonable in the circumstances, when disclosing personal information about an individual to an overseas recipient, to ensure that the overseas recipient does not breach the APPs in relation to that information.
This requirement may not apply, however, in circumstances where an exception under APP 8 applies.
Practical Steps for Organisations to Comply with new Privacy Principles
- review and update their privacy policies;
- review and update practices, procedures and systems relating to the way the organisation collects, manages and uses personal information collected in the course of business;
- review procedures for the disclosure of personal information to third parties engaged by the organisation, including third parties located overseas;
- ensure that privacy policies and procedures are practicable, understood by employees, and implemented.