Australian Privacy Principles – Are you ready?
By Louise Wolf, Senior Associate, MST Lawyers
From 12 March 2014, the Australian Privacy Principles (APPs) will replace the National Privacy Principles (NPPs) and Information Privacy Principles and will apply to organisations in Australia with a turnover of more than $3,000,000 per annum.
Preparing for the new APPs will involve a review and possible amendment to your privacy policies and procedures. Failure to comply with the new APPs after 12 March 2014 could expose you or your organisation to substantial penalties.
The APPs deal with the collection, use and disclosure, quality, security, access to and correction of personal and sensitive information.
“Personal information” now means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion is true and whether or not it is recorded in a material form.
“Sensitive information” includes information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association or professional or trade association or trade union, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, health information and genetic information, and now also includes biometric information used for automated biometric verification or biometric identification, and biometric templates.
- The kinds of personal information that you collect and hold and how you collect and hold such personal information;
- The purposes for which you collect, hold, use and disclose personal information and the consequences of not providing such information;
- How an individual may gain access to and seek correction of such information;
- How an individual may complain to you about a breach of the APPs and how such a complaint will be dealt with by you;
- Other entities that you usually disclose information to;
- Whether you are likely to disclose personal information to an overseas recipient and if so, the countries in which such recipients are likely to be located if practicable to specify such countries;
The following is a summary of the new requirements under the APPs, which will apply in addition to the requirements that used to apply under the NPPs.
APP 2 requires an individual to be given the option of not identifying themselves, or of using a pseudonym. Exceptions apply.
APP 3 states that an organisation must not collect personal information unless it is reasonably necessary for one of its functions or activities.
APP 4 applies to the receipt of personal information that you did not solicit. If you receive unsolicited personal information, you must determine whether you could have lawfully collected the information under APP 3; if not, you must destroy or de-identify the information as soon as practicable, but only if it is lawful and reasonable to do so.
Use and Disclosure
APP 7 provides that you may only use or disclose personal information for direct marketing in certain circumstances, including that the individual would reasonably expect it to be used for that purpose, that there is a simple means to opt out, and that the individual has not opted out. Where an individual would not reasonably expect personal information to be used for direct marketing, then in addition to a simple opt-out procedure, consent must have been given unless it would have been impracticable to obtain such consent.
APP 7 also requires you to provide the source of the individual’s personal information, if asked by the individual.
Cross Border Disclosures
APP 8 now requires that before you disclose personal information to an overseas recipient, you must take reasonable steps to ensure that the recipient does not breach the APPs in relation to the information. In certain circumstances, an act done, or a practice engaged in by the overseas recipient is taken to have been done or engaged in by you and to be a breach of the APPs by you, potentially exposing you to penalties under the legislation.
There are a number of exceptions, including where you reasonably believe that the recipient is subject to a law or binding scheme that has the effect of protecting the information in a way that is substantially similar to the APPs, and there are mechanisms available to the individual to enforce that protection or scheme.
Data quality and security
In addition to a requirement for you to take reasonable steps to ensure that the personal information you collect is accurate, up-to-date and complete, APP 10 provides that the information must also be relevant, having regard to the purpose of the use or disclosure.
In addition to the requirement to take reasonable steps to ensure that the personal information you hold is protected from misuse, loss, unauthorised access, modification or disclosure, APP 11 provides that personal information must now also be protected from interference. The requirement to take reasonable steps to destroy or de-identify personal information which is no longer needed for the purposes for which it may be used or disclosed has been retained but there are some new exceptions.
New Powers of Privacy Commissioner and Heavy Penalties
New powers of the Privacy Commissioner include additional investigation and audit powers and the power to accept enforceable undertakings, develop and register binding privacy codes and commence proceedings in the Federal Court or the Federal Magistrates Court.
Penalties of up to $1.1 million can be ordered for serious or repeated breaches of the APPs by corporations and up to $200,000 for individuals.
It is important that you have a good understanding of the APPs in order to avoid harsh penalties that can soon be applied to individuals and companies for breaches of the APPs.
For a more detailed explanation of the APPs, please see our further detailed article, “Australian Privacy Principles – Still confused about whether the new Privacy legislation applies to you?”.