Changes to Privacy Obligations Effective Today

Who needs to worry about the changes?

The changes will apply if you are:

• an individual, body corporate, partnership, unincorporated organisation, or a trust that;
• has an annual turnover of $3 million or more in a financial year;
• a business that provides health services;
• a business that operates residential tenancy databases;
• a business that is related to a larger company that is not a small business;
• a business that discloses personal information about another individual for a benefit, or
• service or advantage.

These entities are known as ‘APP entities’ under the Act.

If your business does not fall into any of the above categories, then you are considered to be a small business operator and the changes will not apply to you.

What are the changes?

The amendments introduce the Australian Privacy Principles (APPs), which replace the existing National Privacy Principles and the Information Privacy Principles. The APPs are 13 principles that govern and indicate how matters affecting privacy are to be dealt with.

Your privacy policy

The amendments impose more onerous obligations than currently exist.

You will be required to have practices and procedures in place to deal with personal or sensitive information about your clients, customers and employees. You will be required to demonstrate this by having an up to date privacy policy in place which deals with a number of specific requirements.

You must have this privacy policy if it is likely that you will deal with personal or sensitive information, such as names, addresses, date of birth, health records or any information that could reasonably identify who the individual is.

Your privacy policy must be readily available to provide to anyone who requests it.

Every business’ privacy policy will be different depending on their internal procedures and the types of information they are likely to handle.

Collecting information

The APPs now provide that personal information cannot be collected unless it is reasonably necessary for the functions or activities of your business.

In addition they now draw a distinction between solicited and unsolicited information. Solicited information is information that your business has obtained themselves, either from the individual or another party. In other words, you asked for this information. Unsolicited information is information that your business did not ask for or request.

If your business receives unsolicited information, there is the next step to ask yourself: could I have obtained this information within the APPs or through Commonwealth records if I had wanted to? If the answer is no, you must destroy or de-identify the information as soon as possible.

Use and disclosure

It is crucial that when collecting any personal or sensitive information about an individual that you ensure that the individual is aware of:

• what information is being collected;
• how the information will be stored;
• how the information will be used;
• who the information will be shared with; and
• how they can contact you and gain access to their information.

If any of these disclosures to the individual change, you must obtain consent for that different use or disclosure. This is especially important when sensitive information is obtained.

Other changes to be aware of

You must give individuals dealing with your business the option of providing a pseudonym or remaining anonymous. There are exceptions to this, including where it would be impracticable for your business to deal with an individual who does not identify themselves.

If your business sends information overseas, the APPs now impose an obligation on your business to ensure that the overseas recipient of the information complies with the APPs. This is most easily achieved by written contract between yourself and the overseas recipient acknowledging the APPs.

Compliance with the APPs is overseen by the Information Commissioner, who has a wide range of investigative and remedial powers. The Commissioner investigates alleged breaches of privacy and can issue declarations that an individual’s privacy has been breached and award damages. There are also now civil penalty provisions, which were once aimed at credit reporting companies but are now wide enough to capture any organisation that repeatedly infringes another’s privacy rights. The maximum penalty for an individual offender is $340,000 or $1.7 million if the offender is a body corporate.

What should you be doing now?

Now is the perfect time for a spring clean and review of your privacy policy and the way your business handles information. The lawyers at Kells are able to work with you to review your business practices and provide feedback on your compliance with the Act and the APPs. With our attention to detail and expertise, we will get to know you and your business before preparing a tailored privacy policy to suit your needs.