Nathan Rieck (19 Feb 2014)
On 29 November 2012, federal Parliament passed the Privacy Amendments (Enhancing Privacy Protection) Bill 2012 (Cth). These amendments will come into effect shortly on 12 March 2014.
The effects of the amendments will be seen across a wide range of industries, such as retail; technology; security; health; hospitality; communications; marketing; insurance; financial services; insurance; human transport and energy. The charitable and not-for-profit sector is not immune from the effects of these amendments.
If your organisation is required to comply with the Privacy Act, it will need to adhere to the new Australian Privacy Principles (APPs) which will replace the National Privacy Principles and Information Privacy Principles, covering both private and public sectors. ‘Organisation’ under the Act is broadly defined to include trusts, partnerships, unincorporated associations and individuals.
Now that the commencement date for the amendments is fast approaching, it is important to make sure you are prepared. There are several key amendments that may mean you need to update your privacy policies and procedures to ensure that they comply with the new requirements. You need to be aware of the change in what constitutes ‘personal information’, how that personal information may be used and disclosed, and the new requirements for direct marketing.
Personal and sensitive information
The definition of ‘personal information’ has changed. It will now include opinions, whether or not they are true; and whether or not the organisation records them. Pursuant to the amendments, collecting ‘personal’ or ‘sensitive’ information without consent is strictly prohibited unless otherwise sanctioned by law. Not-for-profits are, however, able to collect this information if the information relates to members, or to individuals who have regular contact with the organisation in connection with its activities, and the organisation undertakes not to disclose the member’s or individual’s information without consent.
Privacy policies
The amendments will require organisations to have an up-to-date privacy policy. The policy should show how your organisation will manage personal information, and address the following issues:
- what kinds of personal information is collected and stored;
- how the information is collected and stored;
- why the information is collected and stored;
- how a person can access the information that the organisation holds about them;
- whether the information is likely to be disclosed to third parties;
- whether that disclosure is in Australia or overseas; and
- if the organisation breaches the APPs, how a complaint can be made and how it will be resolved.
The policy must be easily accessible free of charge.
If your organisation stores or discloses Australians’ information overseas, it must take steps to ensure that it and overseas agents or third parties are not breaching the APPs. Australian organisations can be penalised for overseas privacy breaches by agents and third parties.
Procedures
Your organisation needs to be aware of the ‘personal’ or ‘sensitive’ information that it collects, where the information is stored, and how the information is being used. Furthermore, it is vital that individuals providing the information are notified of the purpose for which their information is being collected, stored and used. It is essential that your organisation’s policy and procedures make it clear where the information can be found.
Your organisation’s procedures for dealing with ‘personal’ and ‘sensitive’ information must ensure that it is complies with the APPs and is able to handle complaints and inquiries regarding the APPs. These procedures should implement methods to identify, manage and eliminate privacy risks. A privacy audit should be undertaken to assess your organisation’s level of compliance and how it could be improved.
Direct marketing
If you or your organisation uses direct marketing, your practices may need to adapt to comply with the new amendments; personal information can no longer be disclosed for marketing purposes. The amendments provide an exception where an individual could reasonably expect to receive direct marketing or has consented to receive it. An option to ‘opt out’ of direct marketing must be made available.
Are you exempt?
As mentioned above, the definition of ‘organisation’ is quite broad for the purposes of the Privacy Act. Small businesses with a turnover of less than $3 million in any given financial year are excluded; however, this does not apply in certain circumstances, including where that small business is a contract service provider for a Commonwealth government contract. This may affect organisations which are reliant upon government funding. We strongly recommend that you obtain specific legal advice before 12 March if the changes may apply to your organisation.
If you are required to comply with the APPs, your policies and procedures should be reviewed to ensure their suitability. Companies that do not comply with the new amendments may face a fine of up to $1.7 million; individuals, up to $340,000.
We can help
Neumann & Turnour can assist by auditing your organisation and advising as to whether you are required to comply with the APPs, and further assist and advise in relation to your policies and procedures to ensure compliance.]
Call us on (07) 3837 3600 to talk about your needs.
DISCLAIMER: This update provides general information only and is not all inclusive. It should not be considered legal advice. You should obtain legal advice for your specific circumstances before relying on general information.