Is Your Business Prepared for the New Privacy Reforms?
Privacy legislation in Australia is about to undergo major changes. The Attorney General has responded to the amendments to the Privacy Act 1988 recommended in the Australian Law Reform Commission’s (ALRC) report, and the first half of the 295 proposed changes are now before parliament.
Currently, the Privacy Act has 10 National Privacy Principles:
- Collection – individuals have a right to know what information is being collected on them and what is being done with that information.
- Use and disclosure — information must only be collected for specific business reasons and not for any other purpose.
- Data quality — the information must be accurate, complete and up to date.
- Data security — it must be protected from loss, misuse and unauthorised access.
- Openness — you must have a company policy on your information collection procedures.
- Access and correction — you must allow individuals access to their information.
- Identifiers — personal information assigned by a government agency must not be disclosed.
- Anonymity — you must allow individuals to interact anonymously.
- Transborder data flows — information can only be transferred outside Australia to countries with appropriate privacy laws.
- Sensitive information — you must not collect information of a sensitive nature without the individual’s consent.
The bill before parliament addresses the first 197 of the ALRC’s recommendations and, when passed, will see a new set of Privacy Principles come into being that will replace those that currently apply to the private sector and government agencies.
The changes will include:
- Stricter requirements on organisations to keep their privacy policies updated and to include details of how they collect and store personal information.
- Privacy protections extended to include unsolicited information.
- Simplification of credit reporting provisions and increased consumer access to personal credit information.
- Tighter restrictions on direct marketers’ use of personal information.
- Increased accountability of organisations transferring data outside Australia.
The bill will also increase the powers of the Privacy Commissioner to assess, investigate and prosecute offenders, and there are significant penalties for those who misuse personal information. Contravention of the new Australian Privacy Principles (APPs) could see individuals facing fines of up to $370,000 and companies facing fines of up to $1.7 million.
These changes will affect every organisation that collects and handles personal information, so, if you haven’t done so already, now’s the time to look at your organisation’s privacy compliance. You need to:
- Revisit your privacy policies and statements and ensure they comply with the updated Privacy Act.
- Review your management practices regarding unsolicited information.
- Review and amend your overseas information transfer procedures.
- Review and amend your credit procedures if you are a credit provider.
- Institute updated privacy training for all staff who are involved in collecting and managing personal information.
- Review and modify your practices if you are involved in direct marketing.
The second stage of the legislative reforms, which has yet to go before parliament, will include more changes, restrictions and penalties, so now’s the time to ensure your compliance training processes are in order. Make sure your managers are fully up to date and prepare your staff thoroughly through compliance training, because how you deal with private information will soon be a matter of public record.