- Substantial changes to the Privacy Act 1988 (Cth) (Privacy Act) come into effect today.
- The changes include the introduction of the Australian Privacy Principles (APPs) and stronger enforcement mechanisms for breaches of the Privacy Act.
- The Office of the Australian Information Commissioner has indicated that in the months following the introduction of the new laws, it will assist organisations with compliance. However, in general, it will adopt an escalation model to deal with complaints regarding breaches of the new laws.
- Organisations should now implement their new privacy policies and internal procedures that comply with the amended Privacy Act.
Australian Privacy Principles
As of today, all "APP entities" (Australian Government agencies and the private-sector organisations covered by the Privacy Act) must comply with the APPs, which govern all aspects of the handling of personal information. Among other requirements, an APP entity must have a clearly expressed and up-to-date privacy policy that sets out:
- The kinds of personal information collected and held by the entity
- How personal information is collected and held
- The purposes for which personal information is collected, held, used and disclosed
- How an individual may access their personal information and seek its correction
- How an individual may complain if the entity breaches the APPs and how the complaint will be handled
- Whether the entity is likely to disclose personal information to overseas recipients and if so, the countries in which such recipients are likely to be located.
In addition, APP entities must take reasonable steps to implement internal practices, procedures and systems that ensure compliance with the APPs.
Enforcement powers
The Office of the Australian Information Commissioner (OAIC) now has new and stronger powers to enforce the amended Privacy Act, and has issued a statement outlining how it intends to use them.
Under the previous version of the Privacy Act, any privacy determination made by the OAIC was not legally binding, and could only be enforced via proceedings in the Federal Court or the Federal Circuit Court.
From today, the OAIC has new and stronger methods of addressing breaches of the Privacy Act. The new remedies available to it are:
- Accepting written undertakings from organisations, which will be enforceable through the courts
- Recognising external dispute resolution schemes in order to resolve complaints about interferences with privacy, and making privacy determinations
- Seeking civil penalty orders from the court for serious or repeated interferences with privacy, of up to $340,000 for individuals and up to $1.7 million for companies.
Approach to enforcement
The OAIC's statement sets out the approach it will take to enforcement now that the amended Privacy Act is in effect.
For an initial period, the OAIC will focus on working with organisations to ensure they understand the new requirements and have systems in place to comply. When deciding how to respond to a breach, the OAIC will take into account the steps an organisation has genuinely taken to prepare for the changes to the law and to comply with the new requirements.
The OAIC will adopt an escalation model, under which:
- Individuals will be encouraged to seek to address their concerns directly with the relevant APP entity
- If complaints are brought to the OAIC, it will first attempt to resolve the issue through conciliation between the individual and the organisation in question
- If conciliation fails, the OAIC will then use its new tools of determinations, enforceable undertakings and civil penalty proceedings to resolve the complaint.
Organisations should now roll out updated privacy policies and internal procedures that comply with the amended Privacy Act, and should train staff so that those policies and procedures are followed in practice. Organisations have only a limited window to do so before the OAIC begins using its new enforcement powers.