As a business owner, you need to be ready for the significant amendments to the Privacy Act 1988 (Cth) (“the Act”) that come into effect on 12 March 2014 and that could impact your business.

These changes may mean that your privacy policies and procedures need a radical overhaul, or you may face very substantial fines.

Personal information

The new Australian Privacy Principles (“APPs”) must be complied with if your business collects, uses, stores or receives personal information about individuals. Personal information has a broad meaning and includes information or opinions about an individual whose identity is apparent from the information or opinion supplied.

It includes information such as customer records, names, email addresses, dates of birth, as well as more “sensitive” information.

Previously it may have been enough to make sure that no breaches of privacy were committed by your business. The new regime now, in most cases, requires your business to have and implement a robust and accessible written privacy policy which addresses the following points:

  • the reasons your business collects the information;
  • how the information will be collected and used by your business;
  • the length of time the information will be held by your business;
  • how an individual can access and correct the information;
  • how the individual can complain about breaches of privacy; and
  • whether the information will be shared with other businesses (located in or outside Australia)

If your business receives information about individuals from another source, you may be responsible for making sure that the individual concerned is aware of that fact.

There are also new provisions about:

  • how you can collect, use and disclose personal information;
  • your obligations regarding keeping your records accurate and up to date;
  • data information security; and
  • your ability to disclose personal information overseas.

Providing credit

A wide range of businesses will now be caught by the credit provider requirements which apply more broadly than to traditional credit providers (such as banks and financiers).

You will be considered a credit provider and have to comply with the onerous credit provider obligations, (including providing detailed information about the kinds of credit checks you may perform and how you may access and disclose the personal information of those seeking credit) if your business provides customers with more than 7 days credit.

Credit providers will therefore need to update the following:

  • standard terms and conditions if goods or services are purchased on delayed payment terms;
  • credit application documentation;
  • privacy statements; and
  • any arrangements with credit reporting agencies.

Direct marketing

The new regime also covers the use of personal information for direct marketing.

The use of an individual’s personal information (including, for example, their home address to send advertising) may now require the consent of the individual.

These obligations are additional to the requirements under Spam and the Do Not Call Register legislation.

Penalties

What happens if you do not comply with these new requirements?

Fines of up to $1.7 million may be imposed for breaches by companies. Individuals may be fined up to $340,000 for a breach.

What you should do now

You should seek legal advice to develop a privacy policy that complies with the amended laws, if your business does not have a privacy policy. If you already have a policy, you should seek legal advice to find out if your privacy policies and procedures are adequate to comply with the new regime.