From 12 March 2014 changes to the Privacy Act 1988 (Commonwealth)came in to effect.
Who does this apply to?
The Privacy Act protects personal information handled by government agencies and departments, and private sector organisations (with an annual turnover of $3 million).
To check if the Privacy Act applies to your business you can use the Office of the Australian Information Commissioner (OAIC) 9 Step Privacy Checklist for Small Business or seek advice from your lawyer or business adviser.
What has changed?
A new set of harmonised principals were introduced – The Australian Privacy Principles (APPs) which replace the Information Privacy Principals (IPPs) for the Government sector and National Privacy Principals (NPPs) for private sector organisations. The 13 APPs are contained in schedule 1 of the Privacy Act and apply to both government departments and agencies as well private business.
The APPs are intended to regulate how personal information is handled and processed, used for direct marketing and is disclosed to people overseas.
The laws make it harder for businesses to collect information without the individual’s knowledge and seek to make it easier for consumers to opt out of direct marketing communication.
Individuals also have the option of not identifying themself or to use a pseudonym unless it is impractical or unlawful to do so.
Additionally the Privacy Act now includes new credit reporting provisions with comprehensive reporting requirements.
The OAIC is expected to take a much more proactive view on the management of privacy. In the first 12 months the focus is expected to be working with organisations to ensure they understand the new requirements and have systems in place to deal with them.
The changes also give more power to the Commissioner including the ability to investigate serious breaches and the right to impose penalties on businesses and to assess the privacy performance of businesses.
What if we fail to comply?
This will likely depend on the type and the severity of the breach. The OAIC advice they will always attempt to resolve issues through conciliation.
However if this is unsuccessful they may make determinations, enforceable undertakings and even court proceedings for civil penalties.
Larger or multiple breaches will likely attract larger penalties. For individuals or small business civil penalties can be up to $340,000 and for larger organisations fines range up to $1.7 million per breach
What do we need to do?
Entities covered by the Privacy Act must have a privacy policy in place that is clear and transparent in how they manage personal information.
You must take reasonable steps to protect personal information from interference, misuse, loss and unauthorised access, modification or disclosure.
Further details about these changes and how to ensure you are compliant are available on the OAIC website – privacy law reform.
