The new Australian Privacy Principles (APPs) and a number of important amendments to the Privacy Act 1988 (Cth) (Privacy Act) come into effect on 12 March 2014. These changes will introduce more rigorous requirements for management of personal information obtained about individuals, as well as hefty penalties for non-compliance. To quote Privacy Commissioner, Mr Timothy Pilgrim “The new laws require Australian Government agencies and private sector organisations to be more open and transparent about their management of personal information”.

Does the new Privacy regime affect my organisation?

From 12 March 2014, privacy law will be relevant to ‘APP entities’ (as defined in the Privacy Act), including:

  • individuals, companies, partnerships and unincorporated associations with an annual turnover of $3 million or more; and
  • agencies, for example, a Department of State or bodies established or appointed for a purpose under Commonwealth legislation.

Another regime to comply with… why bother?

Failure to comply with the APPs may result in a court order against an entity, including an individual, for a “serious and repeated interference with the privacy of an individual” and a fine of up to $1.7 million for an APP entity or up to $340,000 for individuals.

How do APP entities comply?

Compliance with the APPs requires more than just preparing and publishing a privacy policy. Your organisation must have documented policies and procedures in place to manage personal information about individuals. Privacy policies and procedures must be compliant with the APPs and must be embedded within the organisation so that compliance happens on a day-to-day basis. A privacy policy is simply your organisation’s way of telling the world that it complies with the APPs and how it does so.

Some points to note on compliance:

  1. Requirements for disclosure of personal information to overseas recipients: Organisations should review their information management practices to ensure that these do not breach the APPs. This includes the requirement that before an APP entity discloses personal information about an individual to an overseas recipient, the APP entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the personal information disclosed. This requirement is particularly relevant as more organisations move toward using overseas cloud service providers to store and manage information. There are however some circumstances set out in the APPs where this requirement will not apply.

In line with the draft guidance on the APPs provided by the Office of the Australian Information Commissioner (OAIC), if drafted correctly, contracts with overseas cloud service providers may result in your organisation’s provision of personal information to the service provider being a ‘use’ of personal information rather than a disclosure of personal information under the APPs, as the information is still in effect held by the APP entity. Contractual provisions which may indicate that the personal information is ‘used’ rather than disclosed in an arrangement with an overseas cloud service provider include:

  • provisions that ensure that control of the information stored with the overseas cloud service provider remains with the APP entity; and
  • provisions that prohibit the overseas cloud service provider (and any of its sub-contractors) from using or disclosing personal information obtained from the APP entity for purposes other than storing and managing that information.
  2. Collection of unsolicited information: To be APP compliant, your organisation should implement a policy for dealing with unsolicited personal information received, such as CVs. A procedure should be in place to ensure that unsolicited information collected that is not necessary for your organisation’s functions or activities is de-identified and destroyed if it is lawful to do so.
  3. “Keep it simple, stupid”: In a ‘privacy sweep’ conducted by the OAIC, the results of which were released on 14 August 2013, the privacy policies of approximately 50 of the most commonly used websites in Australia were assessed for readability. The average reading age of each privacy policy was also assessed. The OAIC reported that of the privacy policies assessed, “nearly 50% were difficult to read” due to complexity, length and difficulties with accessing privacy policies. The average reading age of the policies assessed was 16, instead of the OAIC’s preferred reading age of 14.
  4. Privacy policies should be free: A privacy policy must be freely available to those individuals from whom your organisation collects personal information. The OAIC recommends that privacy policies be accessible on an organisation’s website – accessible means that firstly, the privacy policy can be found on the organisation’s website and secondly, that the privacy policy is in a format that can be downloaded by those who wish to read it.