Australian Privacy Principles – Privacy Readiness Checklist
By Louise Wolf, Senior Associate, MST Lawyers
The amendments to the Privacy Act 1988 (Cth) (‘Act’) come into effect on 12 March 2014. The following can be used as a simple Privacy Readiness Checklist.
A. The Act applies to you if you answer “Yes” to any one or more of the following:
- Do you have annual turnover of $3 million or more?
- Do you have a related entity that has annual turnover of $3 million or more?
- Are you:
(a) a health service provider;
(b) trading in personal information (e.g. buying or selling mailing lists);
(c) a contractor that provides services under a Commonwealth contract;
(d) a reporting entity for the purpose of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006; or
(e) an operator of a residential tenancy database?
B. If the Act applies to you, do you collect, use or disclose personal or sensitive information?
“Personal information” means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
“Sensitive information” includes information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association or professional or trade association or trade union, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, health information, genetic information, biometric information used for automated biometric verification or biometric identification and biometric templates.
C. If the Act applies, do you have a privacy policy which includes the following?
- The kinds of personal information and sensitive information that you collect and hold and how you collect and hold such information;
- The purposes for which you collect, hold, use and disclose such information and the consequences of not providing such information;
- How an individual may gain access to and seek correction of such information;
- How an individual may complain to you about a breach of the APPs and how such a complaint will be dealt with by you;
- Other entities that you usually disclose information to; and
- Whether you are likely to disclose personal information to an overseas recipient and if so, the countries in which such recipients are likely to be located, if practicable to specify such countries.
D. Is your privacy policy available free of charge and in an appropriate form, for example on your website, and available in a form that an individual requests?
E. Do you have a compliant privacy collection notice attached to each document or web page and in each physical location that you obtain or collect personal or sensitive information?
F. If you obtain or collect personal or sensitive information from third parties, do you routinely send the individual a privacy collection notice?
G. Do your privacy collection notices include the following:
- Purposes for which the information has been collected, including pursuant to a law or court order (if relevant);
- Consequences of failure to provide the information;
- Parties to whom the information will be disclosed, and if overseas to which countries; and
- Certain information about what is contained in your privacy policy.
H. Do you have a privacy officer?
I. Do you have policies regarding the following:
- Treatment of unsolicited personal and sensitive information;
- Regularly checking and updating all personal and sensitive information you hold to ensure it is up-to-date, correct and relevant for purposes for which it was obtained;
- Destroying or de-identifying information that is no longer relevant or cannot be used for an allowable purpose;
- Protection and security of all information;
- Complaints;
- Requests for amendment;
- Requests to attach statements to information;
- Unsubscribing or opting out of direct marketing; and
- Overseas disclosure.
J. Have you taken reasonable steps to ensure that any overseas entities to which you disclose information will not breach the Australian Privacy Principles?
K. If you are a franchisor, have you considered the following:
- The benefits of having your whole network compliant with the Act, even if not legally required to do so; for example, public perception, consistent approach, branding and marketing opportunities;
- The benefits of having your whole network operating under the same privacy policy and standard documentation with consistent privacy collection notices;
- Amendment of your franchise agreement to require franchisees to comply with the Act and to adopt your privacy policy as their own;
- Amendment of your operations manuals and employee manuals to ensure compliance with your privacy procedures and policies; and
- Amendment of your website and all standard documents used by you or your franchisees, wherever collection of personal information or sensitive information occurs.
L. Have you commenced training your staff? Have you commenced training your franchisees?
If you answered “YES” to questions A and B, then the Act applies to you and you need to take privacy very seriously to avoid potential penalties that can now apply.
If you answered “NO” to any other question, you are not yet ready for the new Privacy Act and need to act fast. MST Lawyers can assist.
Please note, this article does not take into account the new Part IIIA of the Privacy Act 1988 (Cth), which will be the subject of a separate article.
For further information on the amendments to the Privacy Act, please view MST Lawyers' previous articles (links to each article are set out below) or alternatively you may contact our Corporate Advisory Team on +61 3 8540 0200 or email the author of this article, Louise Wolf.
Links to our previous articles:
- Australian Privacy Principles – Are you ready?
- Australian Privacy Principles – Still confused about whether the new Privacy legislation applies to you?