On 12 March 2014, significant changes to the Privacy Act 1988 took effect. The changes included the introduction of a set of Australian Privacy Principles (APPs), which set out the standards, rights and obligations in relation to the collecting, handling, holding, access and correction of personal information. The APPs apply to all Australian businesses with an annual turnover of more than $3million and all Australian Government agencies.

Along with the introduction of the APPs, the Privacy Commissioner now has strong enforcement powers and is able to seek penalties of up to $340,000 for individuals or $1.7 million for companies.

Given the Privacy Commissioner’s new powers, it is unsurprising that the Office of the Australian Information Commissioner (OAIC) has been busy, recently announcing its enforcement approach to the new privacy laws1 and releasing its draft March 2014 “Office of the Australian Information Commissioner’s privacy regulatory action policy” (Regulatory Policy).2

What will be the OAIC’s compliance focus?

In the coming months, the OAIC’s compliance focus will involve working with agencies and companies to ensure that they have put in place systems and procedures to comply with the APPs and that they are aware of and understand the new requirements. Should any complaint be made to the OAIC, in resolving the matter the OAIC will consider what steps the agency or business has taken to comply genuinely with the new requirements.

In enforcing the new laws, the OAIC will utilise an escalation model as follows:  

  • Individuals should first attempt to resolve privacy issues directly with the business;
  • If the business is a member of a recognised dispute resolution scheme, such as the Credit Ombudsman Service Ltd, the individual should access the scheme before contacting the OAIC; and
  • If the matter remains unresolved, the individual complains to the OAIC and the OAIC considers the dispute falls within its area of regulation, the OAIC will attempt to resolve the matter by conciliation.

However, if conciliation is not effective, the OAIC may use other methods at its disposal including determinations and enforceable undertakings. Where privacy breaches are serious or repeated, the OAIC may commence legal proceedings to seek penalties.

What action will be taken?

When deciding whether to exercise a regulatory power, the draft Regulatory Policy states that the OAIC is required to prioritise matters taking into account the following matters (among others):  

  • is the relevant conduct consistent with the Privacy Act’s objects? (These include the protection of the privacy of individuals; to promote transparent and responsible personal information handling processes;  achieving a balance between the protection of an individual’s privacy and a business’ interest in carrying out its activities; and providing a mechanism for individuals to complain.3)
  • How serious is the matter,  for example, how many people are affected, what adverse consequences occur, was the conduct reckless or intentional and, as a result, should the OAIC take urgent action, taking into account the level of seniority of the person(s) responsible?
  • Will action by the OAIC have a deterrent effect or be of educative value?
  • Has the organisation previously been the subject of prior OAIC compliance or enforcement action?
  • Is it likely that the organisation will breach the Act in the future?
  • Has the organisation recently changed its information handling practices?
  • Is the conduct unconscionable?
  • Is the matter of substantial public concern or interest?
  • Has the organisation co-operated with the OAIC?
  • What is the cost of enforcement action and how long will enforcement action take?
  • Will the legal proceedings provide greater clarity of the law?
  • Is there enough admissible evidence?
  • Is the conduct becoming more widespread?
  • Is intervention required for the conduct to cease?

The closing date for comments on the draft Regulatory Policy is Friday 28 March 2014. Comments may be submitted by email: consultation@oaic.gov.au or by post: GPO Box 5218 Sydney NSW 2001. If you would like further information, please contact us.

So what does this mean for your company?  

This OAIC announcement and the release of the draft Regulatory Policy serve as a warning to those companies that have not already taken genuine and reasonable steps, in the circumstances, to comply with the new obligations set out in the APPs.

We have previously written about the various steps companies are required to take to comply with the new requirements.4

When reflecting on whether you have taken genuine and reasonable steps, you should consider the following questions:

  • Have you conducted a thorough privacy audit so that you understand what processes and procedures must change and be updated?
  • Have you ensured all staff members handling personal information received adequate privacy training and are they aware of your privacy practices and internal policies?
  • Has an employee (or team) been designated as the “Privacy Officer” to deal with privacy-related queries, complaints and compliance issues?
  • Have you considered setting up an email address for privacy queries, for example,privacy@yourcompany.com.au to ensure that privacy related correspondence is not lost and will be dealt with promptly and appropriately?
  • Have agreements with third parties suppliers, contractors and agents been reviewed to ensure that you meet your privacy obligations, for example, by the inclusion of warranties, indemnities and appropriate resolution procedures and remedies?
  • Have your privacy policy and privacy collection notices been amended? In particular:
    • Are individuals provided with collection notices, at or about the time that they provide your business with personal information, which adequately address the matters required in the APPs?
    • If your business discloses personal information to overseas recipients, are the overseas recipients aware of specific APP obligations relevant to their handling of the information? Have you obtained legal advice about the potential liability for your business? The overseas disclosure will also likely need to be disclosed in your privacy policy.
  • if your business collects sensitive information (such as health information) is your business aware of the specific obligations which apply in respect of such information?
  • if your business provides credit for goods and/or services on deferred payment terms, does your business satisfy requirements in the Privacy Act and Credit Report Privacy Code concerning policies about credit information, statements of notifiable matters and collection notices?
  • Have you implemented a privacy complaints handling system to ensure that privacy queries and complaints are addressed in a timely fashion and escalated, if required?
  • Have you put in place processes and procedures to handle and manage personal information to ensure ongoing compliance with privacy obligations?

Message: Taking each of these steps sends a strong message that you take your privacy obligations seriously and reduces the risk of non-compliance.