On 12 March 2014, major changes to Australia’s privacy regime came into effect by way of amendment to the Privacy Act 1988 (Cth) (the Act). The changes apply to both private sector and Commonwealth public sector organisations that collect and handle personal information. The Act regulates the collection, use, disclosure and handling of personal information.

Key messages

  • Organisations that have not yet taken sufficient steps to prepare for the changes are now unlikely to comply with the requirements of the Act.
  • Organisations can only achieve compliance by first understanding how they collect, use, disclose and handle personal information.
  • Organisations now need to take such steps as are reasonable to implement practices, procedures and systems that will ensure they comply with the new Australian Privacy Principles (the APPs). This requires a more procedural approach to compliance. Organisations need to do more than just update their privacy policy.

What’s new?

A key change to the Act is the introduction of the APPs, which replace the National Privacy Principles (formerly applicable to the private sector) and the Information Privacy Principles (formerly applicable to the Commonwealth public sector). The APPs apply to both organisations and agencies, which are collectively referred to as ‘APP entities’.

Some of the more significant changes under the APPs are summarised below. Typically, the APPs impose more onerous privacy obligations on APP entities.

Dealing with unsolicited personal information (APP 4)

Where an APP entity receives personal information that it did not request, it must determine whether the personal information could have been collected under the APPs if it had solicited the personal information (i.e. is it reasonably necessary for its functions or activities). If the APP entity determines that it could not have collected the personal information under the APPs, it must, if lawful and reasonable to do so, destroy or de-identify the personal information.

Direct marketing (APP 7)

With some exceptions, an APP entity is now restricted from using and disclosing personal information it holds for direct marketing purposes. For an exception to this prohibition to apply in respect of the use and disclosure of non-sensitive personal information, a number of criteria must be met under APP 7. For an exception to apply in respect of the use and disclosure of sensitive personal information, the individual must consent to the use and disclosure for direct marketing purposes.

Cross-border disclosure of personal information (APP 8)

Where an APP entity discloses personal information to an overseas recipient, the APPs impose an obligation on the APP entity to take reasonable steps to ensure the overseas recipient complies with the APPs. This obligation will not apply to the disclosure if a relevant exception applies under APP 8.

Most importantly, where an APP entity discloses personal information of an individual to an overseas recipient whose conduct breaches an APP, the APP entity can be liable for the privacy breach of the overseas recipient.

Security of personal information (APP 11)

An APP entity is required to take reasonable steps to protect the personal information it holds from interference, in addition to misuse and loss, and unauthorised access, modification and disclosure. This obligation now extends to an APP entity taking reasonable steps to protect against an attack on a computer system that leads to the exposure of the personal information.

Powers of the Australian Information Commissioner

The Australian Information Commissioner now has additional powers and functions, including the ability to:

  1. undertake an investigation and enforcement steps on his or her own motion, and
  2. apply to a court for a civil penalty if an APP entity commits a serious interference with an individual’s privacy or repeatedly engages in interferences with that privacy.

The civil penalty for an interference with an individual’s privacy is set at a maximum of $1.7 million for each APP entity. These penalties can also apply to APP entities that assist in or are knowingly concerned with serious or repeated breaches of privacy.