The new Australian Privacy Principles (APPs) and a number of important amendments to the Privacy Act 1988 (Cth) (Privacy Act) come into effect on 12 March 2014. These changes will introduce more rigorous requirements for the management of personal information obtained about individuals, as well as hefty penalties for non-compliance. To quote the Privacy Commissioner, Mr Timothy Pilgrim: “The new laws require Australian Government agencies and private sector organisations to be more open and transparent about their management of personal information”.
Does the new Privacy regime affect my organisation?
From 12 March 2014, privacy law will be relevant to ‘APP entities’ (as defined in the Privacy Act), including:
- individuals, companies, partnerships and unincorporated associations with an annual turnover of $3 million or more; and
- agencies, for example, a Department of State or bodies established or appointed for a purpose under Commonwealth legislation.
Another regime to comply with… why bother?
Failure to comply with the APPs may result in a court order against an entity, including an individual, for a “serious and repeated interference with the privacy of an individual” and a fine of up to $1.7 million for an APP entity or up to $340,000 for individuals.
How do APP entities comply?
Some points to note on compliance:
- Requirements for disclosure of personal information to overseas recipients: Organisations should review their information management practices to ensure that these do not breach the APPs. This includes the requirement that, before an APP entity discloses personal information about an individual to an overseas recipient, the APP entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the personal information disclosed. This requirement is particularly relevant as more organisations move toward using overseas cloud service providers to store and manage information. There are, however, some circumstances set out in the APPs where this requirement will not apply.
In line with the draft guidance on the APPs provided by the Office of the Australian Information Commissioner (OAIC), if drafted correctly, contracts with overseas cloud service providers may result in your organisation’s provision of personal information to the service provider being a ‘use’ of personal information rather than a disclosure of personal information under the APPs, as the information is still in effect held by the APP entity. Contractual provisions which may indicate that the personal information is ‘used’ rather than disclosed in an arrangement with an overseas cloud service provider include:
- provisions that ensure that control of the information stored with the overseas cloud service provider remains with the APP entity; and
- provisions that prohibit the overseas cloud service provider (and any of its sub-contractors) from using or disclosing personal information obtained from the APP entity for purposes other than storing and managing that information.
- Collection of unsolicited information: To be APP compliant, your organisation should implement a policy for dealing with unsolicited personal information received, such as CVs. A procedure should be in place to ensure that unsolicited information collected that is not necessary for your organisation’s functions or activities is de-identified and destroyed if it is lawful to do so.