Privacy Laws in Australia are governed by the Privacy Act 1988.
The Privacy Act sets out how a business or organisation is permitted to deal with the personal information belonging to people who deal with that business or organisation. We did an article a few days ago with an overview of the changes - "Australian Privacy Laws tightening up".
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 ("the Privacy Amendment Act") which changes the operation of the Privacy Act, started on 12 March 2014.
It contains a collection of Australian Privacy Principles (APPs) that further protect the use of personal information by businesses and the government and replaces the National Privacy Principles.
There are thirteen APPs as well as changes to the laws of credit reporting. The credit reporting laws have been amended in order to make it easier to correct inaccurate entries, and to introduce a more detailed credit reporting system including in respect of a person's current credit exposure and information about their repayment of that credit over the past two years.
The APPs do not apply to every Australian business, and in particular not to those with an annual turnover of less than $3,000,000. However, some exemptions may apply and compliance with the APPs by small businesses should be considered in any event, regardless of turnover.
The 13 APPs, broadly summarised, are:
- Anonymity and pseudonymity - APP 2 requires a business to give its customers or clients the option of dealing with it using a pseudonym (giving a second or alternative name) or anonymously (not giving a name at all). There are obviously some exceptions to that rule, but it remains a relevant requirement for many businesses that collect private information.
- Collection of "solicited" personal information - APP 3 sets out that a business or organisation is not permitted to collect personal information unless the information is reasonably necessary for that business's activities.
- Dealing with "unsolicited" personal information - APP 4 requires that where a business receives unsolicited personal information, it must decide whether it would be permitted to obtain that information by actively collecting it under APP 3, and if so, APPs 5-13 will apply. If not, the information must be destroyed.
- Notification of the collection of personal information - APP 5 sets out that businesses must advise their customers or clients about access, correction and complaints procedures in their privacy policies.
- Use and disclosure of personal information - APP 6 regulates the use and disclosure of personal information by Australian businesses or organisations. Subject to exceptions which are too lengthy to discuss in this blog, APP 6 essentially states that a business or organisation must not use or disclose personal information about a person for any purpose other than the primary purpose of collection, except:
  (a) with the consent of that person; or
  (b) if the information is not sensitive and is used for direct marketing; or
  (c) if both purposes are closely related to one another and the person would reasonably expect disclosure of the information to be made for both purposes.
- Direct marketing - APP 7 discusses the "opt-out" provisions of direct marketing and how information may be used for such marketing.
- Cross-border disclosures - APP 8 requires that prior to a business providing personal information to an overseas recipient, the business must take reasonable steps to make sure that the overseas party also complies with the APPs.
- Adoption, use or disclosure of government related identifiers - APP 9 prevents an organisation or business from using or disclosing a person's government related identifier, such as a tax file number or social security number.
- Quality of personal information - APP 10 requires the information held by businesses or organisations about a person to be kept relevant, up-to-date and accurate.
- Security of personal information - Under the provisions of APP 11, a business or organisation is required to take reasonable steps to protect the personal information it holds from misuse, loss, unauthorised access, modification and disclosure.
- Access to personal information - APP 12 requires an organisation or business to grant a person access, within a reasonable timeframe and at a reasonable cost, to the personal information held about that person. Some exceptions apply and such exceptions are outside of the scope of this blog.
- Correction of personal information - APP 13 elaborates on the requirements of APP 10 in that it regulates how personal information held by a business is updated by that business and the rights of the person to ensure that such information is correct and in good order.
The changes are very wide ranging and it is likely that some businesses, including small businesses, may get caught out by them. As business owners or managers, it's important that you familiarise yourselves and your staff with the new laws as quickly as possible and attend to updating your privacy policies in line with the new requirements.