Time is running out to prepare for the upcoming changes to the Privacy Act 1988 (Cth). On 12 March 2014, major privacy reforms come into effect, including:
- the replacement of the existing National Privacy Principles (NPPs) for the private sector, and Information Privacy Principles (IPPs) for the public sector with a harmonised set of Australian Privacy Principles (APPs);
- new enforcement and investigative powers for the Information Commissioner;
- the implementation of a new civil penalties regime; and
- fundamental reform to the credit reporting regime.
The new APPs do much more than introduce a name change: they require organisations to ‘design for privacy’ when setting up their business processes, and they introduce significant new obligations.
For example, there are new mandatory matters that must be dealt with in Privacy Policies and Privacy Collection Statements, and new obligations about how to deal with unsolicited personal information. There are new rules regarding direct marketing (including a mandatory opt-out notice in some cases), new rules about overseas disclosures of personal information (not to mention increased liability for disclosures by your third party service providers), and increased rights for individuals to access and correct their personal information.
The Information Commissioner has a more defined role in the promotion of privacy, education and most significantly, enforcement. The Commissioner can commence own-motion investigations, make declarations and orders and apply to the Court to enforce those orders.
CIVIL PENALTIES REGIME
There will also be a new civil penalties regime to complement the Commissioner’s new powers. Penalties of up to $340,000 for individuals and $1.7m for corporations can be imposed for breaches of the credit reporting regime and for anyone who commits a ‘serious or repeated interference with privacy’.
CREDIT REPORTING REGIME
The credit reporting scheme has long been criticised for capturing only negative information. This will change, with positive credit information (like regular payment histories) also being captured. To address the increased volume of credit information held by credit reporting agencies, strict new rules will be introduced regarding the handling of credit information, and the civil penalties regime will apply to any breaches.
Relying on existing policies, processes and contracts will not be enough to comply with the revised Privacy Act. The new provisions will require a review of your policy documents and privacy statements, and the implementation of internal policies to deal with direct marketing opt-outs and information requests. Contracts with customers and suppliers will need to be updated to ensure that your liability for the actions of third parties is appropriately addressed and that you have the ability to enforce your privacy policies and procedures.
There are many issues to deal with and they will be different for each business. Your business needs to consider these issues now and allow time to implement all the necessary changes. We can help you navigate the process.