The laws of privacy are being re-written – quite literally.
The Federal Government is in the midst of overhauling the Privacy Act 1988. As part of this process, it proposes to introduce the Australian Privacy Principles (“APPs”), which may affect your organisation and the way you distribute or retain information about individuals.
What’s the effect of the APPs?
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012, if passed through the Senate, will introduce the APPs, a set of principles that bind Commonwealth bodies and agencies as well as private sector organisations. This means that both the existing Information Privacy Principles (for the public sector) and the National Privacy Principles (for the private sector) will be replaced by the APPs. If your organisation is a government agency or a sole proprietorship, corporation, partnership, unincorporated association or trust that had an annual turnover of more than $3 million in the previous year, then it is very likely that you will soon be regarded as an ‘APP entity’ to which the APPs apply.
What does this mean for your organisation?
The APPs consolidate and add more detail to what is or isn’t allowed under the privacy laws when collecting or sourcing personal information. ‘Personal information’ includes any information that could reasonably identify a person, such as residential addresses, email addresses and phone numbers. Many of the APPs simply reflect and build on the existing Information Privacy Principles and the National Privacy Principles, but there are a few significant inclusions or differences, namely:
Unsolicited Personal Information:
APP 4 deals with the receiving of unsolicited personal information. If your organisation receives information that was not solicited (i.e. requested), there are certain obligations that must be complied with after determining whether it can be used.
Notification of the collection of personal information:
APP 5 imposes stringent rules in relation to notifying individuals of the information that is collected about them and how it may be used. This includes advising the individual how they can access their personal information.
Use or disclosure of personal information & direct marketing:
APP 6 sets out a general rule that solicited information can only be used for the purpose for which it was collected. Another general rule, set out by APP 7, is that direct marketing is prohibited. There are exceptions to both of these Principles.
Under APP 8, if your organisation discloses personal information to an overseas recipient, it may be liable for any privacy breaches committed by them.
Accuracy and security of personal information:
Consistent with the current laws, it is the organisation’s responsibility to take reasonable steps to ensure that the information it has collected remains accurate and secure.
Action Plan: What should I do next?
It seems that the new laws will come into effect within the next 15 months or so, but the Bill has not yet passed through both houses of Parliament. In anticipation of the introduction of the APPs, it might be time to look at your organisation’s systems and procedures and determine the answers to the following questions:
– Is my business/organisation an APP entity?
– What information does my organisation collect that could be regarded as ‘personal information’?
– For what purpose did we collect this information? Is it still being used for just that purpose?
– How do we ensure that the information remains accurate and secure?
– Do we use the information for direct marketing? If so, do we comply with the requirements to enable us to use the information for this purpose?
– Do we disclose the information to another Australian entity? What about an overseas recipient?
It is important that you take these principles seriously. The amendments to the current law also include amendments to the consequences of a breach of privacy. Maximum penalties are $220,000 for individuals and $1.1 million for corporations.
If you are not sure about any of the answers to these questions or how the legislation might apply to your organisation, you should seek specific legal advice before the new laws come into effect.
Creative Commons image provided by opensourceway on Flickr.com
For further information, please contact the author.
This article is posted in Adelaide, South Australia by Tri-meridian Corporate & Commercial Law and is intended to be used as a guide only. It is not, and is not intended to be, advice on any specific matter. We do not accept responsibility for any acts or omissions resulting from reliance upon the content of this article. Before acting on the basis of any material in this article, we recommend that you consult your professional adviser.