Many companies are not aware of the imminent changes that are due to occur to the Privacy Act 1988 (Cth) (herein “the Privacy Act”) which are coming into effect on 12 March 2014, and how those significant amendments will affect almost every industry. These amendments to the Privacy Act are the first wave of changes to privacy protection legislation and include:-
- Significant changes to the National Privacy Principles and Information Privacy Principles and their application to businesses;
- New strict enforcement and investigative powers for the Office of the Australian Information Commissioner;
- Implementation of harsh civil penalty regimes (which include fines of up to $1.7 Million); and
- Far-reaching changes to the credit reporting regime.
The Privacy Act must be complied with if a business uses, stores or receives personal information about an individual. Personal information has a broad meaning within the amended legislation which carries on from the previous iterations of the Privacy Act. Specifically the new definition of personal information under the Amended Privacy Act includes:-
“Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:-
(a) Whether the information or opinion is true or not; and
(b) Whether the information or opinion is recorded in a material form or not.”
As you can see from the breadth of the definition, personal information may include:-
- Customer records;
- Claim forms;
- Email addresses;
- Dates of birth;
- Government identifiers such as tax file numbers and Centrelink reference numbers;
- As well as more “sensitive” information which may include information that is medical in nature or information that may fall under the anti-discrimination legislation.
Application of the Privacy Act
If your business or agency was covered by the Privacy Act before 12 March 2014, it will continue to be covered and the forthcoming amendments to the Privacy Act should be prepared for.
The Privacy Act covers any private sector business that has an annual turnover of $3 million or more, or collects or discloses personal information for a benefit, service or advantage or handles health information.
Further, all credit providers and credit reporting agencies are under purview of the Privacy Act and most Commonwealth Departments and Agencies and Service Providers under Commonwealth Contracts are covered.
Changes - APPs
First and foremost, the National Privacy Principles and Information Privacy Principles have been merged and amended into Australian Privacy Principles (APPs).
Some of the changes reflected in the APPs are for congruence and ease of application to both Commonwealth Agencies and organizations, however, there are some significant changes to the APP regime including:-
APP1 – Open and transparent management of personal information
- The client’s personal information that the entity collects and holds;
- How the entity collects and holds personal information;
- The purposes for which the entity collects, holds, uses and discloses personal information;
- How an individual may access personal information about the individual that is held by the entity and seek correction;
- How an individual may complain about a breach of the APPs;
- Whether the entity is likely to disclose personal information to overseas recipients;
- If the above is true, the countries in which those recipients are likely to be located if it is practicable to specify.
APP2 – Anonymity and pseudonymity
APP2 provides that an individual must have the option of not identifying themselves or utilizing a pseudonym, which is subject to practical limitations.
APP4 – Dealing with unsolicited personal information
APP4 provides an obligation to de-identify or destroy unsolicited personal information that is received by an organization or agency. This provides a new obligation upon organizations to determine whether or not unsolicited information would have been collected under the APPs and must, if that information would have been collected, notify the individual that the information has been collected and how the individual may access the personal information held by the organization.
APP8 – Cross-border disclosure of personal information
A somewhat controversial obligation which the amended Privacy Act seeks to bestow upon organizations is the situation where an organization discloses information about an individual to an overseas recipient are now obliged to take such steps that are reasonable to ensure that the overseas recipient does not breach the APPs. This does not apply to the disclosure of personal information if the organization reasonably believes that the recipient of the information is subject to a law or binding scheme which is comparable to the APPs in their protection of the personal information.
This may be a difficult endeavour to adhere to given the explosion of cloud computing and offshore data storage in recent years.
Further, s 16(c) of the forthcoming Privacy Act provides that a business or agency that discloses personal information to an overseas recipient, including on-line, could be accountable for actions taken by that overseas recipient that would breach the APPs, subject to some exceptions.
APP11 – Security of personal information
This APP provides a new obligation upon businesses and agencies to ensure that the personal information which they hold is protected from misuse, interference and loss and from unauthorized access, modification and disclosure.
Enforcement, investigative powers and penalty regime
The Privacy Act will also provide for new powers and harsher civil penalties to be given to the Office of the Australian Information Commissioner.
The Information Commissioner will now have the ability to:-
- Accept enforceable undertakings;
- To seek civil penalties where there is serious or repeated infringements of an individual’s privacy that are serious in nature. These penalties may attract maximum monetary fines of up to $340,000.00 for an individual or $1.7 million for a corporation at the time of enactment;
- The ability to conduct self-managed audits and assessments of the performance of agencies and businesses and their adherence to the Privacy Act.
Credit reporting changes
Historically, credit reporting has been criticized as storing only negative information for individuals and their credit information.
The amended Privacy Act will seek to balance the collection of the information to include new types of credit related personal information that can be collected and held including repayment history.
Further, there will be greater protection for individuals to access and correct their credit related personal information and provide an obligation upon credit providers to have a clearly expressed and up to date policy with prescribed information under the Privacy Act as to how they manage credited related information.
What to do in preparation for the amendments
The amendments to the Privacy Act commence on 12 March 2014.
In preparation, businesses and organizations ought to conduct immediate reviews and checks upon how they collect, handle, process and utilize personal information.
Businesses and agencies are required to be aware of their changed obligations under the Privacy Act prior to its commencement, noting the new enhanced powers of the Office of the Australian Information Commissioner post 12 March 2014.
There is a lot to do, and not a lot of time left to do it.