Changes to the Privacy Act 1988 (Cth) (“Privacy Act”) implemented on 12 March 2014 could mean new or increased obligations for your business with respect to privacy.
1. Do the changes to the Privacy Act affect my business?
Any organisation that collects, stores, uses or discloses personal information about individuals and has an annual turnover of more than $3 million must comply with the APPs in the Privacy Act.
Small businesses with an annual turnover of $3 million or less and meet one of the following criteria must also comply:
- a Health Service provider;
- a contractor that provides services under a Commonwealth contract;
- trading in personal information;
- an operator of a residential tenancy database;
- related to a larger business (a related body corporate).
Personal information about an individual can include information such as their name, date of birth and contact details.
2. What does my business need to do?
In order to comply with the changes to the Privacy Act, the following should occur:
- review your complaints processes and ensure that it enables you to deal with inquiries and complaints about your compliance with the APPs;
- review your marketing consents and “opt out” statements and ensure that they comply with the requirements of the new direct marketing privacy principle;
- check your overseas disclosure practices, decide on your approach to managing risk, whether it be through indemnities or informed consents, ensure that you have procedures for tracking personal information once disclosed overseas and review any outsourcing agreements;
- check your procedures for collecting personal information and make sure that these procedures cover the new notification requirements and provide systems for dealing with unsolicited information;
- review your practices and procedures for correcting personal information and or responding to requests for access and correction, including timeframes for responding, the manner in which access is provided and the provision of written reasons and charges;
- consider creating a document that outlines your privacy procedures and clearly demonstrates your compliance with the reforms; and
- educate all levels of staff and notify clients of any changes to your privacy procedures.
3. Are there penalties for not complying with the Privacy Act?
The Commissioner now has the ability to:
- conduct assessments of privacy compliance for agencies and some organisations;
- make determinations that include declarations that an act or practice not be repeated or continued, that a respondent should redress any loss or damage suffered by a complainant or that a respondent pay compensation to the complainant;
- accept enforceable undertakings; and
- seek civil penalties in cases of serious or repeated privacy breaches.
Under the changes to the Privacy Act, a civil penalty order may require an individual to pay a maximum of $340,000 and a body corporate a maximum of $1,700,000 for a breach of the Act.
4. What are the key concepts?
4.1 Personal information
The Privacy Act regulates “personal information,” which is now defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
- the kinds of personal information that the entity collects and holds;
- how it collects and holds personal information;
- the purposes of collecting, holding, using and disclosing personal information;
- how an individual can access information about themselves, and seek corrections to this information;
- how an individual can complain about a breach of the APPs, and how the entity deals with such complaints;
- whether the entity is likely to disclose personal information to overseas recipients; and
- if so, the countries in which those recipients are likely to be located.
4.3 Credit reporting
The reforms also introduce new credit reporting provisions including a simplified and strengthened correction and complaints process.
A more detailed discussion on these changes will be provided in the second factsheet in this series on the changes to the Privacy Act.
If you would like more information, please contact Victoria Mezhvinsky on (08) 8360 8344 or via email firstname.lastname@example.org.
This publication is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Readers should take legal advice before applying the information contained in this publication to specific issues or transactions. For more information please contact us.