Australian Privacy Principles – Are you ready?
By Louise Wolf, Senior Associate, MST Lawyers
From 12 March 2014, the Australian Privacy Principles (APPs) will replace the National Privacy Principles (NPPs) and the Information Privacy Principles, and will apply to organisations in Australia with an annual turnover of more than $3,000,000.
Preparing for the new APPs will involve a review of, and possibly amendments to, your privacy policies and procedures. Failure to comply with the new APPs after 12 March 2014 could expose you or your organisation to substantial penalties.
The APPs deal with the collection, use and disclosure, quality, security, access to and correction of personal and sensitive information.
“Personal information” now means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion is true and whether or not it is recorded in a material form.
“Sensitive information” includes information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association or of a professional or trade association or trade union, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, health information and genetic information, and now also includes biometric information used for automated biometric verification or biometric identification, and biometric templates.
Your privacy policy should be updated as soon as possible and we recommend that you send us your Privacy Policy for review. Here is a head start on what your privacy policy should contain.
Privacy Policy
Your privacy policy must, as a minimum, include the following:
- The kinds of personal information that you collect and hold and how you collect and hold such personal information;
- The purposes for which you collect, hold, use and disclose personal information and the consequences of not providing such information;
- How an individual may gain access to and seek correction of such information;
- How an individual may complain to you about a breach of the APPs and how such a complaint will be dealt with by you;
- Other entities that you usually disclose information to;
- Whether you are likely to disclose personal information to an overseas recipient and if so, the countries in which such recipients are likely to be located if practicable to specify such countries;
Your privacy policy must also be made available free of charge and in an appropriate form (for example, on your website) and, if an individual requests it in a particular form, in that form.
The following is a summary of the new requirements under the APPs, which will apply in addition to the requirements that used to apply under the NPPs.
Collection
APP 2 requires an individual to be given the option of not identifying themselves, or of using a pseudonym. Exceptions apply.
APP 3 states that an organisation must not collect personal information unless it is reasonably necessary for one of its functions or activities.
APP 4 applies to personal information you receive without having solicited it. If you receive unsolicited personal information, you must determine whether you could have lawfully collected it under APP 3. If you could not have, you must destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so.
APP 5 requires you to notify an individual, or otherwise ensure that the individual is aware, of certain matters: that your privacy policy contains information about how to obtain access to and correct the personal information you hold about them and about your complaints processes, and whether you are likely to disclose the individual’s personal information overseas and, if so, to which countries. This applies even where the information is collected from someone other than the individual.
Use and Disclosure
APP 7 provides that you may only use or disclose personal information for direct marketing in certain circumstances, including where the individual would reasonably expect it to be used for that purpose, there is a simple means to opt out, and the individual has not opted out. Where an individual would not reasonably expect their personal information to be used for direct marketing, then in addition to providing a simple opt-out procedure you must have obtained the individual’s consent, unless it would have been impracticable to do so.
APP 7 also requires you to tell the individual the source of their personal information if they ask.
Cross Border Disclosures
APP 8 now requires that, before you disclose personal information to an overseas recipient, you take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information. In certain circumstances, an act done or a practice engaged in by the overseas recipient is taken to have been done or engaged in by you, and to be a breach of the APPs by you, potentially exposing you to penalties under the legislation.
There are a number of exceptions, including where you reasonably believe that the recipient is subject to a law or binding scheme that protects the information in a way that is substantially similar to the APPs, and that there are mechanisms available to the individual to enforce that protection or scheme.
Data quality and security
In addition to the requirement to take reasonable steps to ensure that the personal information you collect is accurate, up to date and complete, APP 10 provides that the information must also be relevant, having regard to the purpose of the use or disclosure.
In addition to the requirement to take reasonable steps to protect the personal information you hold from misuse, loss and unauthorised access, modification or disclosure, APP 11 provides that personal information must now also be protected from interference. The requirement to take reasonable steps to destroy or de-identify personal information that is no longer needed for any purpose for which it may be used or disclosed has been retained, but there are some new exceptions.
New Powers of Privacy Commissioner and Heavy Penalties
The Privacy Commissioner’s new powers include additional investigation and audit powers, and the power to accept enforceable undertakings, to develop and register binding privacy codes, and to commence proceedings in the Federal Court or the Federal Magistrates Court.
Penalties of up to $1.1 million can be ordered for serious or repeated breaches of the APPs by corporations and up to $200,000 for individuals.
It is important that you have a good understanding of the APPs in order to avoid the harsh penalties that will soon be able to be imposed on individuals and companies for breaches of the APPs.
For a more detailed explanation of the APPs, please see our further article, “Australian Privacy Principles – Still confused about whether the new Privacy legislation applies to you?”.
Next steps
In the meantime, it is imperative that you conduct a detailed review of your privacy policies and procedures as soon as possible, starting with a review of your privacy notifications, which are required wherever and whenever you collect personal information, and a review of your privacy policy.
For more information or assistance in this regard, please contact our Corporate Advisory team on (03) 8540 0200 or email the author of this article, Louise Wolf.