On 12 March 2014, new Privacy Laws come into effect which could affect the way that your business collects and handles personal information.
All the way back in November and December 2012 we provided some updates about the introduction of new Australian Privacy Principles (“APPs”) and gave some checklists to help your business to get ready for the changes. My, how time flies! As the 13 new APPs come into effect this week, we felt that now would be a good time to send out a last minute reminder, along with a quick refresher to help you to make sure that your organisation is prepared.
What are the changes all about?
The new laws that come into effect on 12 March 2014 are all about making sure that an organisation that collects and holds personal information acts responsibly and uses that information only for legitimate purposes.
What do you mean by ‘personal information’?
“Personal information” can include many different types of information. It can include items of information such as a person’s phone number, address, date of birth, medical records, bank account details, employment details and signature.
If your business or organisation collects this type of information as part of its activities, then you may have legal obligations that affect how that information is collected, stored and used.
In order for information to be ‘personal’ it must usually be kept in such a way that a person can be identified from that information. Most information will no longer be ‘personal’ if it ceases to provide a linkage to an identifiable person.
Do the changes affect my business or organisation?
The changes build on existing privacy laws by creating 13 new Principles that are mandatory for any business or organisation that is classified as an ‘APP Entity’. Subject to some exceptions, the term ‘APP Entity’ captures businesses that operate for profit, not for profit organisations and also government agencies. There are special rules for health service providers, credit reporting agencies and organisations that collect genetic information.
Importantly, there is a ‘small business’ exception which excludes most businesses and organisations with an annual turnover of less than $3 million. This exception can be a little tricky, and so if you are relying on it, your safest option is to get specific legal advice as to whether it applies to your business/organisation.
Even if your business or organisation is exempt under the legislation, if you make representations (e.g. on your website) that you comply with the Privacy Act then you will need to ensure that you do in fact comply; otherwise you could be found to have engaged in misleading and deceptive conduct.
There is nothing stopping exempt businesses and organisations from voluntarily adopting the APPs as a matter of best practice. In fact, this may be the safest strategy and would no doubt be appreciated by those who provide their personal information to you, such as your customers and members.
What can I do to make sure I comply with the APPs?
While any changes to the law can present challenges to the businesses and organisations that are required to comply, there are 6 simple steps that you can take to get the process underway:
- Get yourself a copy of the “Australian Privacy Principles Guidelines” that have been prepared by the Office of the Australian Information Commissioner. This will be a useful reference guide for you. The Guidelines can be downloaded here (please note that the file size of the current Guidelines is 1.48MB). It is a very detailed document so make use of the ‘key point’ summaries at the beginning of each chapter.
- Make a list of all the categories of personal information that your business or organisation collects as part of its activities (e.g. names, phone numbers, email addresses, etc.). Then investigate how this information is stored and handled by your organisation. Take particular note of any circumstances where that information might be disclosed to third parties or used for marketing purposes.
- Compare your policies, procedures and everyday practices to the requirements of the new APPs (using the Guidelines). Do they seem to match up? If not, then it might be time to make some changes. If you are an APP entity, it is very important that you get this right and so it might be time to get some professional help.
- Identify the people, either within or outside your organisation (e.g. IT service providers), who participate in the collection, storage or use of personal information. Educate those people about any changes that need to be made to current practices and make sure that they are properly equipped to implement those changes.
- Finally, make sure that any changes to your policies regarding personal information are clearly communicated to those who provide that information to your organisation (or are the subject of it). This may include updating your website and communicating directly with each of your customers, members and service providers.
If you’d like any help to make sure that your business or organisation is complying with the new APPs, please contact our office.
Where can I learn more?
If you would like more information about the changes, the best place to start is the Office of the Australian Information Commissioner’s website.
For further information, please contact the author.
This article is posted in Adelaide, South Australia by Tri-meridian Corporate & Commercial Law and is intended to be used as a guide only. It is not, and is not intended to be, advice on any specific matter. We do not accept responsibility for any acts or omissions resulting from reliance upon the content of this article. Before acting on the basis of any material in this article, we recommend that you consult your professional adviser.