New Privacy Laws are now in effect. Lawyer MATTHEW WICKS looks at consequences for failure to comply, and five key aspects of the law that businesses need to know.
Last year, changes were made to existing privacy laws to introduce a new set of harmonised privacy principles that regulate the handling of personal information by both Australian government agencies and Australian businesses. There are 13 principles known as the Australian Privacy Principles.
The changes commenced last month (12 March 2014) and apply to organisations with an annual turnover of $3 million or more, with some exceptions.
What are the Changes?
The new Privacy Principles require much more active management of businesses’ privacy policies. These are legally binding principles which set out standards, rights and obligations in relation to handling, holding, accessing and correcting personal information. They provide rules for:
- Open and transparent management of personal information;
- Anonymity and pseudonymity;
- Collection of solicited personal information;
- Dealing with unsolicited personal information;
- Notification of the collection of personal information;
- Use or disclosure of personal information;
- Direct marketing;
- Cross-border disclosure of personal information;
- Adoption, use or disclosure of government related identifiers;
- Ensuring quality of personal information;
- Security of personal information;
- Access to personal information; and
- Correction of personal information.
Five key things businesses need to know
Two: All businesses should know what personal information is collected as well as: the purpose for the collection, and the responsibilities associated with its use, storage and disclosure.
Three: Businesses should not use or disclose any information held for direct marketing, although there are some exceptions. One exception applies where all of the following are satisfied:
- the business itself collected the information, and the individual would reasonably expect the business to use or disclose that information;
- the business provides a simple means by which the individual may opt out of receiving marketing material; and
- the individual has not made such a request to the business.
Four: If a business has any dealings with organisations located overseas (including a related company), before providing that overseas organisation with information, the business needs to take reasonable steps to ensure the overseas recipient complies with Australian Privacy Principles. Under the reforms, a business may be held liable for any privacy breaches committed by overseas suppliers. Existing contracts need to be reviewed; it may be necessary to amend an existing agreement to ensure compliance.
Five: Businesses need to have adequate processes in place for handling customer complaints and enquiries in relation to personal information. All staff should be trained in the new privacy requirements. Not being aware of or ready for the changes is no excuse – under the new laws, if a staff member breaches the Privacy Principles, the business is deemed to have breached privacy, and may be liable for civil penalties.
Are there consequences for not complying with the new laws?
In the last 25 years, there have been 322 privacy cases and enquiries by the Office of the Australian Information Commissioner, with only eight (8) determinations and $6,000 in fines.
Under the new laws, the Information Commissioner is afforded greater ability to promote compliance with privacy obligations. Civil penalties of up to $340,000 for individuals and $1.7 million for companies are possible where there is a serious or repeated breach of privacy.
The Commissioner will be able to audit compliance, initiate investigations and make enforceable determinations, as well as accept written undertakings from organisations that they will take (or refrain from taking) certain action to ensure compliance with the new requirements.
Non-Compliance – Is there a Grace Period?
There is no grace period allowing businesses time to get their house in order – any business to which the laws apply may be in breach of the laws and will be subject to civil penalties if a complaint is made to the Commissioner.
It is also important to keep in mind that compliance with privacy laws is not a one-off, but rather an ongoing obligation that requires consistent monitoring to ensure compliance is maintained.