Significant changes to the Privacy Act apply from 12 March 2014. Many businesses have not yet taken steps to comply. This report explains what businesses have to do.
Businesses not involved in credit
Although the biggest changes impact businesses involved in credit, there are still changes which affect most other businesses. Small businesses with an annual turnover of $3 million or less are exempt.
Businesses which supply goods or services with time to pay are treated as ‘credit providers’ under the Privacy Act and they will need to take some or all of the steps listed below for lenders.
The National Privacy Principles (NPPs) have been replaced with the Australian Privacy Principles (APPs), which are similar to, but not the same as, the old NPPs. They deal with the use, collection, and disclosure of personal information about individuals (natural persons). In particular, the rules regarding disclosure of information overseas and how individuals may seek correction of their personal information have changed.
There is a new regulator and substantial new fines of up to $1.7 million, so companies have an incentive to ensure compliance.
Gadens Privacy Team can provide cost-effective solutions, including policy, compliance plans and training.
What do credit providers need to do?
As noted above, ‘credit providers’ include businesses that give customers time to pay.
- Update your Privacy Consent to include:
  - disclosures required by LMI (if applicable);
  - notifications under the Credit Reporting Code; and
  - information about disclosure overseas (if applicable).
- Implement a written Compliance Plan which includes details of access and correction requests for credit information. In particular, specify procedures for dealing with correction requests, credit refusals and default listings.
- Update precedent letters that are required under the Privacy Act and the Credit Reporting Code in relation to the refusal of consumer credit and listing of defaults (6Q and 21D letters).
- Provide notification to existing borrowers if credit information will be disclosed to a credit reporting body after 12 March 2014. If you have not done this or would like any assistance, please let us know.
What are the consequences of non-compliance?
The Office of the Australian Information Commissioner has a wide range of new enforcement powers, which include the following.
- Making determinations about privacy issues.
- Obtaining enforceable undertakings from organisations.
- Requiring organisations to offer compensation for breaches.
- Applying to court to obtain a civil penalty order of up to $1,700,000 for corporations and $340,000 for individuals.
- Seeking criminal penalties.