The much anticipated amendments to the Privacy Act 1988 (Cth) (“the Privacy Act”) are set to come into effect on 12 March 2014.
That’s less than a month away.
Are you ready for these changes? If not, there are some questions you may wish to ask of yourself, your business or your agency:
Does, and will, the Privacy Act apply to me?
The Privacy Act applies to personal information. Personal information is defined as information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.
Further, if you were subject to the requirements of the Privacy Act prior to 12 March 2014, then you will continue to be under the purview of the amended Privacy Act.
That is, the Privacy Act covers any private sector business that has a turnover of greater than $3 million, or handles personal information for a benefit, service or advantage, or handles health or sensitive information.
Most Commonwealth agencies will fall under the Privacy Act as well as all credit providers and credit reporting agencies.
What will be changing under the Privacy Act come 12 March 2014?
Most of the changes to the Privacy Act are in relation to streamlining the previous legislation as well as focusing on stricter liabilities for mishandling personal information.
The Australian Privacy Principles (or APPs) take over from the National Privacy Principles and Information Privacy Principles which previously applied to businesses and agencies respectively. The APPs have some stricter obligations which include:
- Requiring a business or an agency to allow an individual to use a pseudonym when dealing with them;
- Requiring a business or an agency to de-identify unsolicited information under certain circumstances;
- Providing notification about particular off-shore disclosures of information and making the business or agency accountable for any actions of the overseas recipient that would breach the APPs;
- Providing prescriptive obligations to take steps to protect information collected from misuse, interference and loss, modification and disclosure.
Credit reporting has also been overhauled under the Privacy Act, with some changes including:
- Allowing for more comprehensive and positive credit reporting;
- A simplified and enhanced correction and complaint process;
- Civil penalties for breaches of certain credit reporting provisions;
- Providing greater protection for individuals to access and correct credit related personal information held by credit reporting businesses.
Also, the new obligations provided under the Privacy Act come with enhanced powers provided to the Information Commissioner. There may be fines of up to $1.7 million for businesses for repeated and aggravated breaches. Individuals who breach obligations repeatedly can be fined up to $340,000.00.
What should I do now?
The date on which the Privacy Act and its new obligations come into effect, 12 March 2014, is fast approaching.
You should immediately conduct an assessment of your current privacy and information protection regime in order to ascertain where your business or agency complies with, or falls short of, the new obligations.
Further, you should seek legal advice to consider the implications of these changes upon your business or agency. The monetary penalty, new investigative powers and potential damage to business reputation will no doubt prompt a thorough investigation and consideration of how the changes to the Privacy Act affect your business or agency and how best you can protect the personal information you collect and utilise.