The impact of Australian privacy law reform on your business
The Privacy Amendment (Enhancing Privacy Protection) Act 2012, which made significant changes to the Privacy Act 1988 came into effect on 12 March 2014.
The Privacy Act 1988 regulates the way government agencies and some private sector entities collect, use, disclose, secure, provide access to, and correct personal information. The Act only applies to private sector organisations with an annual turnover of more than $3,000,000.00, or to a business with an annual turnover of $3,000,000.00 or less if it is:
· A health service provider.
· Trading in personal information.
· Related to a business that is not considered a small business.
· A contractor that provides services under a Commonwealth Contract.
· An operator of a residential tenancy database.
· A credit provider or credit reporting agency.
What is personal information and sensitive information?
The Privacy Act 1988 defines personal information as follows:
“Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”
Sensitive information is a subset of personal information to which special rules apply. This type of information includes information or opinion about a person that relates to:
· Racial or ethnic origin.
· Political opinions.
· Membership of a political association.
· Religious beliefs or affiliations.
· Philosophical beliefs.
· Membership of a professional or trade association.
· Membership of a trade union.
· Sexual preferences or practices.
· Criminal record or health information about an individual.
· Genetic and biometric information that is not health information.
A business is considered to be trading in personal information if it collects or discloses a person’s personal information for a benefit, service or advantage. An example of trading in personal information would be purchasing a mailing list of contact details without first obtaining the consent of all persons contained in that list.
A business is not considered to be trading in personal information if it has the consent of the relevant persons, or is authorised or required by law to disclose the information.
Individual rights under the Act
The Act provides rights to individuals to:
· Know why their personal information is being collected.
· Know how their information will be used.
· Know who their information will be disclosed to.
· Ask for access to their personal records.
· Stop receiving direct marketing material.
· Have incorrect information held about them corrected.
· Make a complaint about an organisation where they believe that their information has been mishandled.
New Privacy Principles
The recent changes in the privacy law see the replacement of the National Privacy Principles with the following 13 Australian Privacy Principles (APPs), which are contained in Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012:
1. Open and transparent management of personal information.
2. Anonymity and pseudonymity.
3. Collection of solicited personal information.
4. Dealing with unsolicited personal information.
5. Notification of the collection of personal information.
6. Use or disclosure of personal information.
7. Direct marketing.
8. Cross-border disclosure of personal information.
9. Adoption, use or disclosure of government related identifiers.
10. Quality of personal information.
11. Security of personal information.
12. Access to personal information.
13. Correction of personal information.
What to do if your business falls within the scope of the Act?
Sync or Swim recommends that businesses that fall within the scope of the Act seek independent expert legal advice with regard to their privacy obligations. It is important to note that significant fines may apply to breaches of the Act at both an individual ($340,000.00) and a corporate ($1,700,000.00) level.
Generally, relevant businesses should develop and implement a privacy plan and appoint a privacy officer to assist with the following:
· Privacy compliance issues.
· Conducting a privacy audit of how the business collects, handles and holds personal information.
· Making provision for the effective training of all employees.
· Assessing the business’s computer security systems.
· Ensuring that document destruction is completely secure.
· Assisting staff to become familiar with the new Australian Privacy Principles.
What to do if you have a complaint?
If an individual has a complaint, or thinks that a business which is subject to the Act has not complied with its obligations, they can refer their complaint to the Privacy Commissioner, who can investigate, mediate and, if required, make determinations about privacy complaints. Remedies may include an apology, a change in the way the business handles personal information, or compensation.
What to do if your business doesn’t fall within the scope of the Act?
Irrespective of whether your business falls within the Act, Sync or Swim recommends that all personal information be handled with the utmost care and sensitivity. Failing to do so reflects badly on your brand, your staff and your business goodwill.
Whilst not required by law, developing a brief privacy statement to include in your tenders for contracts and on your website, or to display in an obvious place at your reception, is a good way to reassure your clients, customers and suppliers that your organisation takes privacy seriously.
Article by: Paul Bright, Business Development and Compliance Specialist.