From 12 March 2014, both public and private sector entities will be subject to a unified set of privacy principles known as the Australian Privacy Principles (APPs). The much anticipated reforms, passed by the Federal Parliament late last year, will result in considerable change to the Australian privacy landscape.
While March 2014 may seem like a long time away, public and private sector entities need to start thinking now about how the changes will affect their collection, storage, use and disclosure of personal information.
Who is affected?
The new APPs will apply to Commonwealth government agencies, as well as those private sector business organisations which are already bound by the Privacy Act 1988 – ie. any business with an annual turnover of more than $3 million, or which is a health service provider, or which trades in personal information
The types of private sector business organisations that will be most affected are:
- retailers, distributors and other service providers who conduct direct marketing activities;
- organisations which have related entities in foreign jurisdictions;
- organisations which outsource their business process services, or their data storage, hosting or network requirements, to entities in foreign jurisdictions; and
- organisations which collect credit information.
Some of the key changes introduced by the reforms and the new APPs are:
- Privacy Policies
- how an individual may complain about a breach of the APPs, and how the entity will respond to such complaints; and
- whether that information is likely to be disclosed to recipients overseas and, if practicable, where those recipients are located.
- Unsolicited Information
APP 4 is a completely new principle. Where an entity comes into possession of unsolicited personal information, it must now consider whether the information is of a kind that it could have collected itself under the APPs. If not, and the information is not contained in a Commonwealth Record, the information must be destroyed or de-identified.
- Direct Marketing
Under APP 7, business organisations are prohibited from using personal information for the purposes of direct marketing unless one of several exemptions apply – for example, where consent has been obtained or where the individual would reasonably expect that their information will be used for direct marketing. This new direct marketing principle does not apply to government agencies.
Individuals will be entitled to ask the businesses who send them direct marketing materials where the business obtained their personal information. As a result, businesses which engage in direct marketing will have to keep details of the source of the personal information used for direct marketing. This is a significant change.
The Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth) will still apply to direct marketing via email, SMS and phone.
- Overseas transfer of personal information
While many business organisations are familiar with the cross-border disclosure regime that already exists under the old National Privacy Principle 9, the transfer of personal information into foreign jurisdictions will now be more restricted under APP 8.
In general, an entity may only transfer an individual’s personal information into a foreign jurisdiction if the entity takes ‘such steps as are reasonable in the circumstances’ to ensure that the overseas recipient does not breach the APPs. In most cases, this would require the recipient to be obliged to not breach the APPs under a written contract.
There are some exceptions to this general rule, including:
- where the overseas recipient is subject to privacy laws which are substantially similar to the APPs, and there are mechanisms that the individual can access to take action to enforce those laws; or
- where the individual consents to the transfer, but only after being expressly informed that if the individual consents then the organisation is not required to ensure the overseas recipient does not breach the APPs.
The Australian Information Commissioner’s powers have been expanded. The Commissioner will have the power:
- to initiate investigations of its own accord – without a complaint having been received;
- to conduct compliance assessments of an entity’s information maintenance practices;
- to accept written undertakings that may be enforced in court; and
- to seek civil penalties of up to $1.1 million for serious or repeated breaches.
What you should do
Organisations should use the period to March 2014 to get themselves ready for the new APPs.
The first step would be to conduct a privacy audit of the organisation - to identify what personal information is collected and how it is collected, stored, used and disclosed. The organisation should then revise and update its privacy policies and practices, and conduct staff training.
Organisations should also consider their outsourcing practices and other instances where personal information may be transferred to foreign jurisdictions. New contractual arrangements may be required with any overseas recipients of personal information.