On 12 March 2014 new amendments to the Privacy Act 1988 (Cth) will drastically change how both public bodies and private businesses must deal with personal information.
The changes are being brought in by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (“Amendment Act”).
The Amendment Act abolishes the National Privacy Principles, which currently apply to the private sector, and the Information Privacy Principles, which currently apply to the public sector. It replaces them with a set of uniform rules known as the Australian Privacy Principles (“APPs”). The APPs will apply to all public sector entities and private organisations that are subject to the Act (“APP entities”).
The National Privacy Principles currently apply to bodies corporate, partnerships, unincorporated associations and in some circumstances individuals. However, small businesses with annual turnover of less than $3,000,000 do not generally need to comply with them provided they do not engage in certain activities (for example health service provides must comply with the Act regardless of their turnover). The introduction of the APPs leaves this position largely unchanged.
The explanatory memorandum states that the new APPs are grouped into five sets of principles:
- Principles that require APP entities to consider the privacy of personal information, including ensuring that APP entities manage personal information in an open and transparent way (APP 1, APP 2)
- Principles that deal with the collection of personal information, including unsolicited personal information (APP 3, APP 4, APP 5)
- Principles about how APP entities deal with personal information and government-related identifiers, including principles about the use and disclosure (including cross-border disclosure) of personal information and identifiers (APP 6, APP 7, APP 8, APP 9)
- Principles about the integrity, quality and security of personal information (APP 10, APP 11)
- Principles that deal with requests for access to, and correction of, personal information (APP 12, APP 13).
The implementation of the APPs will significantly affect many businesses. For example, the National Privacy Principles do not currently require a private organisation to have privacy compliance measures in place. This will change with the implementation of APP 1.
App 1.2 creates a new positive obligation requiring APP entities to take such steps as are reasonable to implement practices, procedures and systems relating to the organisation’s functions or activities, to ensure the entity complies with the APPs.
APP 1.3 requires an APP entity to have a clearly expressed and up-to-date policy about the management of personal information. APP 1.4 details information that must be included in the policy (for example how an individual may access personal information about themselves that is held by the entity and seek correction of such information).
These requirements are more proscriptive than the current requirements of the National Privacy Principles, which require a policy relating to the management of personal information to be set out but do not specify what matters must be covered by the policy.
In addition to the creation of the APPs, the Amendment Act will introduce significant new penalties. For example, if a business does an act, or engages in a practice, that is a serious interference with the privacy of an individual, the business could be fined up to $340,000.
The Act allows organisations and industries to develop and enforce their own privacy codes. If properly approved and registered, compliance with a code will be enough to meet an organisation’s obligations under the Act.
If you are unsure as to whether the Act applies to your business or wish to clarify your obligations under the Act and how the new amendments will affect you please contact Matthew Cathcart on (08) 9321 3755.
The information published on this website is of a general nature and should not be construed as legal advice. Whilst we aim to provide timely, relevant and accurate information, the law may change and circumstances may differ. You should not therefore act in reliance on it without first obtaining specific legal advice.