
A refresher on the 2014 privacy updates.

Important changes to the Privacy Act 1988 came into effect on 12 March 2014. Although this was last year, these changes still shape your marketing activities today, so here’s a refresher on what changed.

These amendments were introduced by the Privacy Amendment (Enhancing Privacy Protection) Act 2012. They regulate the handling of personal information if you are a Government agency, a business with an annual turnover of more than $3 million, a business that trades in personal information, or a private health service provider (regardless of turnover).

Even if you don’t fall into one of the categories above, it’s good business practice to ensure that your privacy policy is up to date with the recent changes. Be open and transparent with the information you are collecting. Treat people’s personal information with respect and remember that just because you receive their details for one purpose does not mean they have, or will, consent to their details being used for another purpose.

As a starting point, here is a checklist of steps you may wish to consider to ensure your business is compliant with the new privacy amendments:

  • Update your privacy policy and make sure it includes clear notification of what you intend to do with an individual’s personal information.
  • State your privacy practices in clear, plain English.
  • Make sure the consent you obtain actually covers the use and disclosure you intend – the right consent for the right purpose.
  • Ensure that you can prove that consent was given to use or disclose the data.
  • Ensure that you have systems and processes in place to manage compliance issues and complaints.
  • Check in with your IT team to ensure that data security is up to date in your business and if not, execute what needs to be done to make it compliant.
  • Always make sure you have current and working systems for managing opt-outs and requests for information about the sources of personal information.

It’s also worth noting that the Office of the Australian Information Commissioner (OAIC) has new regulatory powers. These include the power to conduct a privacy performance assessment (checking whether a business is complying with privacy legislation) and the power to seek an enforceable undertaking from organisations that may be in breach of the new laws.

If an organisation is found in breach of the Privacy Act 1988 as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012, harsh penalties could apply. Civil penalties for serious or repeated interferences with privacy can now reach up to $1.7 million for organisations.

Be responsive and update your privacy policy.

Below we have compiled a short summary on the Privacy Amendment (Enhancing Privacy Protection) Act 2012 Schedule 1 – Australian Privacy Principles (APP). We strongly encourage you to take the time to read the free resources available at the end of this article on the privacy updates. Be informed and be responsible.

  • Definition of personal information has changed: Personal information now means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true or recorded in material form. Identifying data stored in cookies can fall within this definition, and information collected anonymously may become personal information if you intend to combine it with other information that will identify the individual.
  • Definition of sensitive information has also been widened: It now covers information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, and criminal record, together with health information, genetic information, and biometric information and templates. Sensitive information attracts stricter rules on collection, use and disclosure.

Australian privacy principles (APP)

  • APP 1 – Transparency: Privacy policies need to be in plain English and understood by all staff. There are a range of mandatory inclusions that should be read. The guidelines also state that the policy must be available free of charge.
  • APP 2 – Anonymity and pseudonymity: This section provides a range of questions that businesses must consider when they are deciding if they require the name of an individual, including ‘what are the consequences of not capturing the information? Will this impact your ability to do business with the individual?’
  • APP 3 – Collecting personal information: Four rules apply when collecting personal information
  1. You must only collect personal information that is reasonably necessary and related to one of your functions or activities
  2. Only collect sensitive information with consent
  3. Only use lawful and fair means for collection
  4. Where possible, only collect personal information from the individual (with some exceptions)
  • APP 4 – Unsolicited personal information: If you receive personal information you did not request, you must decide within a reasonable period whether you could have collected it yourself under APP 3. If you could not, and it is lawful and reasonable to do so, you must destroy or de-identify it as soon as practicable; if you could have collected it, the remaining APPs apply to it as if you had.
  • APP 5 – Notification: This principle sets out 10 requirements that must be met when notifying a person as to how and why you are collecting their personal information. These should be read in detail.
  • APP 6 – Use and disclosure: You can use personal information for the primary purpose for which it was collected, but you must not use or disclose it for any other purpose unless you have the individual’s consent, or the secondary purpose is related to the primary purpose (directly related in the case of sensitive information) and the individual would reasonably expect you to use or disclose it for that purpose, or another exception applies (for example, the use or disclosure is required by law). NB: This principle does not apply to direct marketing – APP 7 covers direct marketing.
  • APP 7 – Direct Marketing: This principle applies strict conditions to using personal information for direct marketing purposes, including providing a simple means for individuals to opt out and honouring those requests – the conditions should be read in detail and in their entirety. It is worth highlighting that direct marketing is not defined in the Act, and is therefore likely to cover any type of marketing that is directed to an individual using their personal information.
  • APP 8 – Cross-border disclosure: For businesses trading overseas or needing to share an individual’s personal information overseas, this principle requires you to take reasonable steps, before disclosing, to ensure the overseas recipient does not breach the APPs, and you generally remain accountable for what the recipient does with the information. Individuals should also be told (under APP 5) that their information is likely to be disclosed overseas and, where practicable, to which countries. Exceptions include the individual’s express informed consent and recipients bound by a substantially similar privacy law with enforcement mechanisms – essentially, if you’re sharing personal information overseas the same rules follow it.
  • APP 10 – 13 – Quality, security, access and correction: You must take reasonable steps to keep personal information accurate, up to date and complete (APP 10) and to protect it from misuse, interference, loss, unauthorised access, modification or disclosure, and destroy or de-identify it once it is no longer needed for a permitted purpose (APP 11). You must give individuals access to their personal information on request (APP 12) and correct it on request or on your own initiative where it is inaccurate, out of date, incomplete, irrelevant or misleading (APP 13), subject to the limited exceptions set out in those principles.


To access more information on the privacy changes and fully understand your obligations, visit the Australian Government’s Office of the Australian Information Commissioner.

This information should not replace legal advice and is only provided as a guide to inform August clients and interested parties about the changes to Australian privacy law.
