Thursday, 27 February 2014

The new Australian Privacy Principles – Is your organisation compliant?

On 12 March 2014, fundamental changes to Australian privacy laws will take effect. The changes introduce new rules about how organisations collect and store personal information.  With penalties up to $1.7 million enforceable for serious breaches, organisations must act now to ensure compliance. 

As part of the privacy law reform process, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act) was introduced to Parliament in May 2012  marking significant changes to the Privacy Act 1988 (Cth) (Privacy Act).

The changes to the Privacy Act include a new set of harmonised privacy principles, the Australian Privacy Principles (APPs), that regulate the collection and handling of personal information. The APPs apply to most organisations with an annual turnover of $3 million or more, and to Commonwealth Government agencies. The APPs will replace the National Privacy Principles that apply to businesses and the Information Privacy Principles that apply to Government agencies.

To some extent, the APPs are based on the existing privacy principles, but they now impose additional obligations on organisations when dealing with personal information. In particular, the APPs require organisations to provide additional disclosures in their privacy documentation, and to maintain internal procedures and policies that ensure the protection and ongoing quality of the personal information they use and store.

The APPs are legally binding principles and aim to be the cornerstone of the privacy protection framework in the Privacy Act, by setting out uniform standards for dealing with personal information. The APPs are structured to reflect the personal information life cycle and are grouped into five parts:
  • the consideration of personal information
  • collection of personal information
  • dealing with personal information
  • integrity of personal information, and
  • access to, and correction of personal information. 

Under the Privacy Amendment Act, the Information Commissioner receives new powers to seek civil penalties of up to $1.7 million from organisations that commit serious or repeated breaches of privacy. The Information Commissioner may also conduct ‘own motion’ privacy investigations into organisations without first receiving a privacy complaint from a member of the public.

The Privacy Amendment Act also implements changes to credit reporting laws, including the introduction of more comprehensive reporting about an individual’s current credit commitments and repayment history information.  The credit reporting changes are also supplemented by a new credit reporting code. 

While the Office of the Australian Information Commissioner has released APP guidelines to assist organisations with the transition to the APPs (which must occur on or before 12 March 2014), it remains to be seen how and when the Information Commissioner will exercise its new powers in relation to privacy compliance. It will therefore be important for relevant organisations to consider their existing information policies, review and update their privacy documents, and develop internal procedures to ensure compliance by 12 March 2014.
