Australian Privacy laws have changed, effective 12 March 2014

The current 10 “National Privacy Principles” (“NPPs”) will be replaced with 13 Australian Privacy Principles (“APPs”). The changes bring expanded obligations and liability where an entity discloses personal information cross-border to overseas recipients, broader powers for the Privacy Commissioner, and increased penalties for breaches (up to $340,000 for individuals and $1.7 million for companies).

13 new Australian Privacy Principles

There are 13 new Australian Privacy Principles (APPs) which regulate the handling of personal information by Australian businesses with an annual turnover of $3 million or more, and some other organisations, such as health service providers and government agencies, or any small businesses that:

  • trade in personal information;
  • provide services under a Commonwealth contract;
  • run a residential tenancy database;
  • are related to a larger business;
  • are reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act.

What is ‘personal information’?

The definition of ‘personal information’ extends to information or an opinion about an individual who is reasonably identifiable, whether or not the information or opinion is recorded in a material form (this includes information communicated verbally) and regardless of whether that identification or re-identification is practicable from the information itself or in combination with or reference to other information.

Personal information will therefore include information about an individual collected in a business context, regardless of whether that information is in the public domain. Information as simple as a name and email address can be personal information for the purpose of the Privacy Act.

How will this directly affect your business?

You will be affected if your business:

  • collects personal information for use in connection with the business;
  • handles and processes personal information;
  • uses personal information for direct marketing;
  • discloses personal information to people overseas.

The Privacy Act changes will also give the Privacy Commissioner the ability to:

  • investigate serious breaches (including the right to impose penalties on businesses);
  • assess the privacy performance of businesses.

Significantly, the amendments to the Privacy Act introduce substantial financial penalties for non-compliance with the Act.

Under the new laws, it is no longer sufficient for businesses to simply have a Privacy Policy in place. The new laws require businesses to implement practices, procedures, documentation and systems to ensure and validate compliance. As with any internal compliance program, your privacy regime needs to be visible, actually used and its use recorded.

How can your business respond?

You must ensure that the personal information you collect is accurate, up-to-date and complete. It is also your responsibility to protect personal information from being misused, interfered with and/or lost. You must also protect it from unauthorised access, modification or disclosure and it is mandatory to destroy or de-identify personal information in certain circumstances.

All businesses subject to the Privacy Act need to have a compliant privacy policy and provide training to employees on Privacy Act issues.