Major change to existing privacy laws
January 2015 | News | Prolegis Lawyers Review
The amendments tighten up the rules around how agencies can collect, use and disclose personal information. For the first time, new Australian Privacy Principles will apply to both the private and public sectors. There is a new requirement for agencies to develop detailed privacy policies and make them clear and easily accessible. The Principles require a higher standard of protection to be afforded to "sensitive information". The Privacy Commissioner will also be able to obtain enforceable undertakings from an organisation and apply to the court for a civil penalty order against agencies.
What are the Australian Privacy Principles?
The Australian government has introduced new, harmonised privacy principles called the Australian Privacy Principles (APPs), which commenced on 12 March 2014. The APPs constitute a major change to the existing privacy law. They will cover both the public and private sector, replacing the existing National Privacy Principles (which currently apply to the private sector) and Information Privacy Principles (which currently apply to the Commonwealth public sector).
The new APPs were passed by the Australian Parliament on 29 November 2012 by the enactment of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), which amended the Privacy Act 1988 (Cth).
Who is affected?
The APPs apply to all businesses (including not-for-profits) with an annual turnover of more than $3 million, all health service providers, Australian, ACT and Norfolk Island Government agencies and a limited range of small businesses. However, as a matter of best practice, we recommend that all charities and not-for-profits seek to comply with the APPs, even if they have an annual turnover below $3 million and so are not legally obliged to do so.
What are the key areas of reform?
The APPs comprise 13 principles, which are set out in the Privacy fact sheet 17 published by the Office of the Australian Information Commissioner (OAIC). Notably, the APPs are more extensive than the current privacy principles and organisations should ensure they are familiar with their obligations. We highlight the following key areas of change:
- Privacy policies and privacy collection statements: the APPs require organisations to provide additional detail in privacy policies and collection notices, such as how a person can complain if they believe an APP has been breached and how the organisation will respond.
- Direct marketing: a new APP specifically regulates direct marketing, including tighter controls on the use of personal information for this purpose and the use of unsolicited information. This principle operates in addition to legal obligations relating to spam and the Do Not Call Register.
- Compliance obligations: the APPs require that organisations put in place reasonable security safeguards and take reasonable steps to protect personal information they hold from loss, unauthorised access, use, modification or disclosure. This may include training staff or establishing procedures to identify and manage privacy risks.
- Enforcement powers: the Australian Information Commissioner will have greater powers of investigation and enforcement, and significant civil penalties apply for breaches of privacy obligations.
What do organisations need to do?
Organisations should be reviewing and updating their privacy policies and reviewing their systems to make sure they are able to comply with the APPs. Please do not hesitate to contact us if you would like assistance or more information regarding your organisation's privacy obligations.