Major Privacy Act Reforms Take Effect

On 29 November 2012, the Australian parliament passed the Privacy Amendment (Enhancing Privacy Protection) Bill (Bill). The Bill made significant changes to the Privacy Act Cth (1988) (Privacy Act), and has rewritten the “National Privacy Principles” as the “Australian Privacy Principles” (APPs). The changes took effect on 12 March 2014. This article will set out the major tasks (but not all) that entities covered by the law need to complete to cover the changes to the Privacy Act.

Entities Affected by the Changes

The

Privacy Act affects so

called “APP entities”, which include governmental entities and “organisations”. The term “organisation” specifically excludes entities captured by the definition of “small business”.

The Privacy Act provides that an entity is a “small business” if its turnover is more than $3,000,000 per year, and it does not:

  • provide a health service;
  • disclose personal information about an individual to a third party for benefit, service or advantage; or
  • provide a benefit, service or advantage to collect personal information about an individual from a third party.

Put another way, if:

  • an entity turns over more than $3,000,000 per year; or
  • engages in any of the activities in the bullet points above,

it is captured by the Privacy Act.

Privacy Compliance Program

Under the revised Privacy Act, entities must implement a “Privacy Compliance Program” (PCP). The aim of the PCP is to prevent the entity from breaching the APPs. The PCP must also include a structured procedure to handle complaints about the entity’s compliance with the APPs. The Office of the Information Commissioner has stipulated that the PCP must be set out in a written document with specific types of information included.

Privacy Policy Changes

In all Privacy Policies, references to “National Privacy Principles” should be replaced with “Australian Privacy Principles”.

APP Entities must also add the following sections to a Privacy Policy:

  • if the entity is “likely” to disclose personal information to recipients overseas, and if so, the countries where the recipients are located; and
  • a description of the way that an individual can complain about a breach of the APPs, and how the entity will handle such complaints.

Notices When Collecting Personal Information

Under the former Privacy Act, when an entity collected information from an individual, it was necessary to notify the individual of:

  • the identity of the collecting entity;
  • the purpose that the entity collected the information for; and
  • the right of an individual right to gain access to the information that an entity collects about them.

Under the revised Privacy Act, an entity also needs to inform an individual (at the time of collection):

  • that the entity’s Privacy Policy has details on how to gain access to personal information and correct it;
  • if it is likely to disclose the personal information to recipients overseas (and where those recipients are located); and
  • that the entity’s Privacy Policy includes details on how to complain about an APP breach, and how the entity will deal with privacy complaints.

New Liabilities for Disclosing Data Offshore

APP Entities must review their arrangements for offshore data storage and processing.

According to the revised Privacy Act, if an entity discloses personal information to an overseas recipient, it must take “reasonable steps” to ensure that there is no breach of the APPs by that overseas recipient. If an overseas recipient breaches an APP, the entity that disclosed the information to the overseas recipient will be liable for that breach.

There is an exemption to this. If an entity “reasonably believes” that the overseas recipient is subject to a law that provides for privacy protections substantially similar to the APPs, the entity will not be responsible for the breach.

404