Substantial amendments to the Privacy Act 1988 (Cth) will come into effect on 12 March 2014. Changes include the replacement of the existing National Privacy Principles with new Australian Privacy Principles. The Information Commissioner will also be given much greater powers, including the imposition of civil penalty orders of up to $1.7 million for serious or repeated breaches.
What does the Privacy Act govern?
The Privacy Act covers the collection, use and disclosure of personal information, tax file numbers, credit information and credit eligibility information. It also imposes obligations with respect to data security and trans-border data flows – particularly relevant in the offshore hosting of data and cloud computing arrangements.
Personal information covered by the Privacy Act includes any information or opinions about either an identified individual or an individual who is easily identifiable by the information. It can include an individual’s name, date of birth, residential address or occupation. It can also include photographs if they identify the individual.
Particular care is required with respect to sensitive information. Sensitive information includes race, ethnic origin, political opinions, membership of political associations and trade associations, religious or philosophical beliefs, sexual orientation or practices, criminal record, health information, genetic information, biometric information and biometric templates.
Who must comply?
If your company has an annual turnover of more than $3 million, or is a health service provider, compliance is mandatory.
Implications for company directors
Boards should designate an individual to be responsible for undertaking a privacy assessment and establishing a privacy compliance program, well before 12 March next year.
Existing privacy policies, collection statements and consents will need to be revised or re-written. Potential overseas disclosures will need to be notified, and direct marketing practices and contracting arrangements will need to be reviewed. There will also be new requirements for dealing with unsolicited personal information.