On 12 March 2014 a significant update to Australian Privacy and Information Laws came into force, marking a major change in the way Australian businesses deal with customer data. A brief guide to the major changes follows. These include: the Australian Privacy Principles, credit reporting rules, new investigation and increased enforcement powers of the Commissioner, and penalties of up to $1.7 M for non-compliance.

Businesses that are bound by the changes are now required to have open and transparent privacy policies that comply with all the new rules. The Commissioner may also request affected businesses to enter into a binding Registered Code. Businesses can also voluntarily enter into Codes. The purpose of a Code is to provide individuals with transparency about how their information will be handled. Codes do not replace the relevant provisions of the Act, nor can they lessen the privacy rights of an individual provided for in the Act; they operate in addition to the requirements of the Act.

To complement the new rules and powers, the Commissioner has greater enforcement and regulatory powers, which include the ability to commence its own investigations, pursue onerous civil penalty orders, seek consent orders, and seek penalties up to five times greater from the Courts. Expanded powers for the Commissioner also mean that businesses can be investigated as the Commissioner sees fit, where previously a complaint must have been made first.

All businesses with obligations under the Act need to be compliant and we recommend undertaking the following steps:

    1. Assess customer data
       The first step is to identify what customer data your business collects, assess for what purposes, where it is stored and how you communicate with customers, which could range from online forms to calls to a help desk. Defining the scope of your customer data can save time and resources for your business going forward. Once the audit is complete we would recommend seeking legal advice to evaluate how your business complies with the new Privacy Principles.

    2. Get your Privacy Policy ready
       A major change under the Act is the compulsory requirement for a Privacy Policy about the management of personal information by your business. The policy must be personalised to reflect your business, updated at regular intervals, easy to understand and will usually be available on the business’ website.

    3. Manage customer data
       Businesses will need to investigate how technology can help keep track of customer data, as having a structured system in place will make compliance easier, especially if your business is audited.

    4. Train your staff
       The Privacy Policy guidelines recommend regular staff training on the Privacy Principles and their effects on the business. Depending on the size of your business it may be prudent to appoint a Privacy Officer dedicated to supervising the business’ use of customer data, even if it is not a full time role.

 
Pointon Partners has significant experience in dealing with the above issues.

We are working with our clients to prepare the necessary policies, and assisting with implementation.

Even if you have an existing policy in place, it will need review.

New Privacy and Information Laws 

Reforms to Australia’s privacy legislation in force from 12 March 2014 now include the following:

  • Changing the National Privacy Principles to 13 new Australian Privacy Principles (‘APPs’).
  • Introducing organisational Privacy Codes and Credit Reporting Codes.
  • New credit reporting rules.
  • Commissioner’s new powers.

 
Who is affected by the new rules?

| Industry Sector | Type of Business |
| --- | --- |
| All Industry Sectors | Turnover greater than $3 Million. |
| Not for Profit | Turnover greater than $3 Million. |
| Government | All Government Agencies. |
| Small Businesses (less than $3 Million turnover) | All health service providers; all child care centres; private schools; private tertiary education institutions. |
| Data | All businesses that sell or purchase personal information. |
| Financial Services | Credit reporting bodies. |
| Private Sector | Contracted service providers for a Commonwealth contract. |
| Employee Associations | Registered Employee Organisations that have opted in to the Privacy Act. |
| Real Estate | Any business that operates a residential tenancy database. |
| Prescribed Entities | Entities prescribed under the Privacy Regulations. |

 
The new Australian Privacy Principles

APP 1 Open and transparent management of personal information
Companies must manage personal information in an open and transparent way which includes having a clear and up to date privacy policy. Companies must take reasonable steps to comply with the APPs, by implementing policies and procedures, including putting in place appropriate systems to deal with inquiries and complaints.
APP 2 Anonymity and pseudonymity
Companies must (with limited exceptions) give individuals the option of remaining anonymous, or using a pseudonym, when they interact with the company.
APP 3 Collection of solicited information
Personal information should only be collected when it is reasonably necessary for the company to perform its functions. Sensitive information should only be collected:

  • lawfully;
  • when it is reasonably necessary;
  • from the individual concerned; and
  • with the individual’s consent.
APP 4 Dealing with unsolicited personal information
If a company receives unsolicited personal information, the company must determine whether it could have collected that information by requesting it directly. If so, then APP 3 applies. If not, then the company must destroy or de-identify the information if it can.
APP 5 Notification of the collection of personal information
Companies must take reasonable steps to notify people they are collecting information from, including:

  • the way that an individual can access and ask for changes to their personal information;
  • that the privacy policy outlines the company’s complaint procedure;
  • whether the company is likely to share personal information overseas, and if so with which countries; and
  • if the company has collected personal information from a source other than the individual, how that has happened.
APP 6 Use or disclosure of personal information
Companies cannot use or share personal information other than for the reason it was collected. Limited exceptions apply:

  • the individual has given their consent;
  • for a closely related purpose that is legally authorised; or
  • it is in the interest of public safety.
APP 7 Direct marketing
A company cannot use or share personal information for direct marketing or sales, unless:

  • the information was collected from the individual;
  • they would have expected the information to be used that way;
  • there is a way to opt out; and
  • no opt out request has been made.

Some exceptions apply in particular circumstances. The APP or the exceptions do not override the Spam and Do Not Call Acts.

APP 8 Cross-border disclosure of personal information
Entities must take reasonable steps to prevent overseas recipients of personal information from breaching the APPs, unless an exception applies, including:

  • that the Australian company reasonably believes that the overseas recipient is subject to rules that provide essentially the same protection as the APPs; and
  • that the individual consents to limiting the company’s liability when information has been shared across borders.
APP 9 Adoption, use or disclosure of government related identifiers
Companies are forbidden to:

  • use a government related identifier (such as a passport or driver’s licence number) as their own identifier; and
  • disclose an individual’s government related identifier, if they know it.
APP 10 Quality of personal information
Companies must take reasonable steps to ensure that the personal information they collect, use or share is accurate, current and complete.
APP 11 Security of personal information
A company must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. Information that is no longer needed for the collected purpose or for legal requirements must be destroyed or de-identified.
APP 12 Access to personal information
When an individual requests access to their personal information, a company must comply with the request unless an exception applies. If the company charges the individual for giving access to the information, the charge must not be excessive and must not apply to the making of the request.
APP 13 Correction of personal information
If the company suspects that personal information is inaccurate, incomplete or out-of-date, the company must take reasonable steps to correct the information. The company must respond to an individual’s request to correct information within a reasonable time. If personal information which has been disclosed to a third party is corrected, the company is required to notify the third party of the correction if requested to by the individual, unless this would be impractical or unlawful.

 
The new Code regime

The new code regime starts to bring privacy regulation in line with heavier levels of regulation enforced by bodies like the Australian Securities and Investment Commission (ASIC), the Australian Communications and Media Authority (ACMA) and the Australian Competition and Consumer Commission (ACCC).

Companies covered by the rules may be forced to submit a binding Privacy Code, to be approved by the Commissioner, which is an enforceable instrument between the Commissioner and the company.

If the company does not provide a Privacy Code, or if the Commissioner is not satisfied with the proposed Code, he may develop his own Code, and register it, if it has been made available for public comment. The Commissioner has no obligation to implement public comment about the Code, only to consider the public comments.

Once a Code is registered, by any means, it can only be varied or removed with the Commissioner’s approval.

The new Credit Reporting provisions

The Privacy Act now includes new credit reporting provisions including:

  • the introduction of more comprehensive credit reporting, a simplified and enhanced correction and complaints process;
  • the introduction of civil penalties for breaches of certain credit reporting provisions; and
  • a requirement for credit providers to be a member of an external dispute resolution scheme, recognised under the Privacy Act, in order to participate in the credit reporting system.

One of the objects of the Privacy Act is to facilitate an efficient credit reporting system while ensuring that the privacy of individuals is respected. In recognition of that objective, the laws about credit reporting are intended to balance individuals’ interest in protecting their personal information with the need to ensure that credit providers have sufficient information available to assist them to decide whether to provide an individual with credit.

Distribution of Commissioner’s Powers

The Act has incorporated some changes to the referral of investigations between the Privacy Commissioner and the Information Commissioner. Each Commissioner has their own set of powers, but they communicate with each other. Our references to a Commissioner’s powers below refer generally to either of the Commissioners with administrative power under the Act.

The new Commissioner’s Powers

The Commissioner’s powers of investigation have been significantly expanded, and incorporate the ability to:

  • launch investigations into breaches of the rules;
  • commence legal proceedings;
  • seek consent orders from the Federal Court;
  • seek heavy civil penalties for breaches of the new rules;
  • ask the Court to order pecuniary penalties, up to five times more than what the civil penalty provision would have been;
  • refer matters for criminal prosecution, although any criminal proceedings prevent an application for civil penalties.

For further advice or assistance in drafting or amending a Privacy Policy please contact David Mazzeo or Amelita Hensman of our office on 03 9614 7707.