If your business is engaged in direct marketing, is thinking about a move to cloud-based IT services, or collects, stores and discloses personal information to third parties, you need to be aware of the recent amendments to the Privacy Act 1988 (Cth) (Privacy Act).
These changes apply to all Government agencies and most private organisations, including partnerships, trusts, individuals, body corporates and unincorporated associations. The Privacy Act applies if your business has an annual turnover of more than $3 million or is a health service provider, and many small businesses also have to comply, particularly those that collect personal information (other than their own employees’ information).
What Are The Major Changes to the Privacy Act?
1. Privacy Commissioner Powers – The Privacy Commissioner now has increased powers that include the ability to seek a penalty of up to $1.7 million for a repeated or serious breach of privacy laws.
2. Data Management Obligations – New Australian Privacy Principles (APPs) are now in place that affect how and when personal information can be collected and how that information can be passed on to third parties. This includes:
when consent to collect personal data is required;
the rights of individuals to access, correct and delete their own personal information once it has been collected; and
how these individuals can lodge complaints about any interferences with their privacy and resolve these issues.
3. Stricter Penalty Scheme – The Privacy Act now has a much stricter compliance and penalty regime that specifically impacts how organisations collect and retain personal information, engage in direct marketing practices, utilise cloud-based services and disclose personal information to entities outside of Australia.
4. Complete Transparency – The new APPs have been put in place to ensure organisations and agencies are completely open and transparent about the way they collect, retain and use personal information.
What Should Businesses do to Reduce Risk?
1. Clarification of Personal Information – Organisations and agencies will need to determine which of the information they collect and hold is actually “personal information”. Personal information is defined as being:
“Information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not”.
All documentation should now refer directly to the new APPs, not the old National Privacy Principles. It should also state the ways in which an individual can complain about privacy breaches and how those complaints will be dealt with and resolved. Finally, it should disclose, transparently, if and how the individual’s personal information is going to be disclosed to any third parties and/or overseas recipients (including any intended countries).
As most privacy policies are considered to be too long and difficult to read, we recommend that all external documentation be clear, concise, readable and presented in plain English. In fact, in the last review by the Privacy Commissioner, it was found that none of the privacy policies reviewed met the Commissioner’s preferred reading age level of 14. This is why we recommend avoiding legal terms, jargon and in-house/industry terms.
3. Prepare an Internal Privacy Compliance Guide – This guide is an internal document that details:
An introduction and summary about privacy laws and why those laws are applicable and important to the business;
Rules for collecting, storing, using and disclosing personal information;
Procedures for handling complaints from individuals and resolving those complaints;
Steps to take when faced with a decision that relates to collection, storage, use and disclosure of personal information, for example, when faced with entering into an agreement with an overseas partner; and
Details about who is responsible for privacy compliance, including contact details for external providers or recipients.
4. Training Compliance Program – Preparing a compliance guide is the first step to initiating a compliance program. A privacy compliance program involves educating and training the staff responsible for collecting, storing, using and/or disclosing personal information. It also involves ensuring security systems are in place to protect the integrity of personal information.
5. Testing & Audits – Once the documentation is up-to-date and the compliance program has been established, organisations and agencies should test out their procedures by conducting an audit. The procedures used to collect, store, use, disclose and protect personal information all need to be tested properly to ensure they are fully compliant. The goal of such an audit is to identify problem areas that will need to be later rectified.
Online business transactions, internet banking and global data dissemination are all on the rise – make sure your business is ready to keep pace with the new privacy laws. You can visit the Office of the Australian Information Commissioner for more information (www.oaic.gov.au).