Australian Privacy Principles – privacy update
Commencing from 12 March 2014, the new Australian Privacy Principles (APP) will replace the National Privacy Principles and Information Privacy Principles. The 13 APPs apply to both private and public sector entities that are currently required to comply with the existing privacy principles. There are a number of important changes which have been made, including:
- changes to what you must disclose to individuals before collection of personal information;
- changes to requirements around privacy policies, as well as a new requirement to take reasonable steps to implement practices, procedures and systems;
- new obligations around unsolicited personal information;
- additional obligations relating to disclosure of personal information to overseas recipients. For example, an organisation can now be held liable for an act done by an overseas recipient that would breach the APPs; and
- changes around using personal information for direct marketing.
The above list is not comprehensive; therefore we encourage you to review the APPs. The changes are complex and can significantly impact upon the way your organisation operates. As such, we strongly recommend that you take the steps outlined below to ensure that your organisation is ready for 12 March 2014:
1. Conduct a privacy audit – some of the things to consider include determining:
- what personal information is being collected and how it is being used;
- whether personal information is being disclosed overseas;
- how personal information is being stored and what security measures are currently in place;
- what changes are required to comply with the APPs;
- the kind of personal information you collect;
- how an individual may complain about a breach of the APPs;
- whether your organisation is likely to disclose to overseas recipients and if so, to what countries;
3. Update/implement a compliance program – APP 1 introduces an obligation to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs. This should include:
- establishing a complaint resolution process;
- conducting training programs for staff to ensure they understand your organisation’s obligations under the APPs;
- establishing procedures to continuously identify and manage compliance issues;
4. Review existing practices – an action list will have been identified from the privacy audit, which should include reviewing and updating:
- any notifications to individuals before collecting personal information (which may be as part of any “terms and conditions”). This will need to be updated under the APPs to include:
  - whether you are likely to disclose the personal information to overseas recipients and where they are likely to be located;
- arrangements with overseas recipients of personal information – this has significant impact under the APPs as organisations can be held vicariously liable for breaches by overseas recipients. In particular, be sure to look at any cloud computing arrangements (which we have written about previously here) and any data storage arrangements;
- marketing practices – the APPs apply in addition to requirements under the Spam Act 2003 (Cth). You will need to know when you are legally entitled to send marketing information to individuals who have provided you with personal or sensitive information. Additionally, all marketing information (including any hardcopies and not just electronic copies) must:
  - have a functional, simple means of requesting not to receive further marketing messages;
  - include a prominent statement that the recipient may make a request not to receive the information.
Also ensure that you keep a database of the source of any personal information, as APP 7.6(e) now allows the individual to request an organisation to provide this information.
If you have any queries or require advice in relation to the new privacy law changes, please do not hesitate to contact us.