Privacy Policy Business Lawyers NSW

Is Your Business Ready?

If your business is engaged in direct marketing, is thinking about a move to cloud-based IT services, or collects, stores and discloses personal information to third parties, you need to be aware of the recent amendments to the Privacy Act 1988 (Cth) (Privacy Act).

Effective 12th March 2014, the changes came into force as a result of the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

These changes apply to all Government agencies and most private organisations, including partnerships, trusts, individuals, body corporates and unincorporated associations. If your business has an annual turnover of more than $3 million or is a health service provider, the Privacy Act applies. Many small businesses also have to comply, particularly those that collect personal information other than their own employees’ information.

Applicable organisations and Government agencies will now need to ensure they have a compliant privacy policy that is in line with these new changes, including any related operational policies, procedures and collection statements.

What Are The Major Changes to the Privacy Act?

1. Privacy Commissioner Powers – The Privacy Commissioner now has increased powers that include the ability to seek a penalty of up to $1.7 million for a repeated or serious breach of privacy laws.

2. Data Management Obligations – New Australian Privacy Principles (APPs) are now in place that affect how and when personal information can be collected and how that information can be passed on to third parties. This includes:

  • when consent to collect personal data is required;
  • the rights of individuals to access, correct and delete their own personal information once it has been collected; and
  • how these individuals can lodge complaints about any interferences with their privacy and resolve these issues.

3. Stricter Penalty Scheme – The Privacy Act now has a much stricter compliance and penalty regime that specifically impacts how organisations collect and retain personal information, engage in direct marketing practices, utilise cloud-based services and disclose personal information to entities outside of Australia.

4. Complete Transparency – The new APPs have been put in place to ensure organisations and agencies are completely open and transparent about the way they collect, retain and use personal information.

5. Credit Reporting Obligations – The Office of the Australian Information Commissioner (OAIC – Privacy Commissioner) has introduced a new credit-reporting code with a move towards more comprehensive credit reporting accompanied by enhanced privacy protections relating to notification, data quality, access and correction, and complaints. To maintain compliance, your privacy policy should deal specifically with how personal information used in credit reporting is collected, stored, used and disclosed.

What Should Businesses do to Reduce Risk?

1. Clarification of Personal Information – Organisations and agencies will need to determine which of the information they collect and hold is actually “personal information”. Personal information is defined as being:

“Information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not”.

2. Update All Relevant Documentation – Businesses will need to update their policies, procedures and statements to reflect the changes. The privacy policy should be updated first as it is usually public and available online.

All documentation should now refer directly to the new APPs, not the old National Privacy Principles. It should also state the ways in which an individual can complain about privacy breaches and how those complaints will be dealt with and resolved. Finally, it should disclose, transparently, if and how the individual’s personal information is going to be disclosed to any third parties and/or overseas recipients (including any intended countries).

As most privacy policies are considered to be too long and difficult to read, we recommend that all external documentation be clear, concise, readable and presented in plain English. In fact, in the last review by the Privacy Commissioner, it was found that none of the privacy policies reviewed met the Commissioner’s preferred reading age level of 14. This is why we recommend avoiding legal terms, jargon and in-house/industry terms.

3. Prepare an Internal Privacy Compliance Guide – This guide is an internal document that details:

  • An introduction and summary about privacy laws and why those laws are applicable and important to the business;
  • Rules for collecting, storing, using and disclosing personal information;
  • Procedures for handling complaints from individuals and resolving those complaints;
  • Steps to take when faced with a decision that relates to collection, storage, use and disclosure of personal information, for example, when faced with entering into an agreement with an overseas partner; and
  • Details about who is responsible for privacy compliance, including contact details for external providers or recipients.

4. Training Compliance Program – Preparing a compliance guide is the first step to initiating a compliance program. A privacy compliance program involves educating and training the staff responsible for collecting, storing, using and/or disclosing personal information. It also involves ensuring security systems are in place to protect the integrity of personal information.

5. Testing & Audits – Once the documentation is up-to-date and the compliance program has been established, organisations and agencies should test out their procedures by conducting an audit. The procedures used to collect, store, use, disclose and protect personal information all need to be tested properly to ensure they are fully compliant. The goal of such an audit is to identify problem areas that will need to be later rectified.

Online business transactions, internet banking and global data dissemination are all on the rise – make sure your business is ready to keep pace with the new privacy laws. You can visit the Office of the Australian Information Commissioner for more information (www.oaic.gov.au).
