Significant changes to the Privacy Act 1988 (Cth) have taken effect from 12 March 2014. The Federal Government introduced the Privacy Amendment (Enhancing Privacy Protection) Act 2012 as part of a reform of Australian's privacy laws which began in 2004. The changes introduced under the Privacy Amendment Act affect how businesses handle and process personal information, use personal information in direct marketing and disclose personal information overseas. A new, broader definition of personal information has also been introduced.
The new amendments to the Privacy Act
The Privacy Amendment Act:
- creates a single set of privacy principles (called the "Australian Privacy Principles", or "APPs") which replace the Information Privacy Principles that applied to Australian Government Agencies and the National Privacy Principles that applied to businesses. The 13 APPs will regulate the handling of personal information by both Australian government agencies and businesses. The APPs include comprehensive provisions relating to the disclosure of personal information overseas.
- introduces a new and more comprehensive credit reporting regime primarily for regulating the handling of certain kinds of personal information concerning consumer credit. These provisions apply not only to typical credit reporting bodies such as financial institutions, but also to "credit providers", which include businesses providing goods and services that are to be used primarily for personal, family or household purposes on terms that allow payment to be deferred for more than seven days.
- creates new provisions which allow the Commissioner to develop and register binding credit reporting codes and privacy codes.
- gives enhanced powers to the Australian Information Commissioner. The functions and powers of the Commissioner have been strengthened to allow the Commissioner to be able to resolve complaints, use external dispute resolution services, conduct investigations and promote compliance. The Commissioner will now also have the power to apply to a court for fines of up to $340,000 for an individual or $1.7 million for organisations to be imposed for breaches of privacy.
Guidelines to accompany the Australian Privacy Principles
On 21 February 2014, the Office of the Australian Information Commissioner (OAIC) released guidelines to accompany the APPs. These guidelines are designed to assist organisations to understand the new amendments and to implement changes to their personal information collection, storage, use and disclosure practices to ensure compliance with their obligations under the Privacy Act.
The Privacy Regulation 2013 also came into force on 12 March 2014. The Regulation provides, among other things, definitions for specific terms relevant to the credit reporting provisions in the Privacy Act; exceptions to the APPs and transitional provisions relating to the new changes.
Impact of changes to the Privacy Act for local and overseas businesses
- The OAIC will be able to investigate breaches of the new APP 1 (open and transparent management of personal information) on its own initiative. If the OAIC can substantiate a breach, it can make declarations that the organisation rectify its conduct or redress any loss or damage suffered by the individuals affected by that breach.
- Before an organisation discloses personal information about an individual to an overseas recipient, it must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information. In some cases, Australian organisations may be liable for breach of the APPs for acts done by overseas recipients of personal information (which is particularly relevant if clients use cloud storage where servers are hosted by third parties overseas).
What you need to do to comply with the Privacy Amendment Act
The Privacy Act continues to apply to agencies, organisations and businesses with an annual turnover of over $3 million. Those agencies, organisations and businesses:
- should have in place practices and procedures to ensure that overseas entities to whom they make personal information available comply with the APPs. They should also revise third party contracts to update privacy clauses to ensure that third party recipients are aware of and contractually bound to comply with the APPs; and