Significant amendments to the Privacy Act 1988 (Cth) (Privacy Act) come into force on 12 March 2014. These amendments give the Australian Information Commissioner greater powers to enforce the Privacy Act. The amended Privacy Act also replaces the National Privacy Principles and Information Privacy Principles with a new set of consolidated Australian Privacy Principles (APPs).
The Privacy Act applies to certain businesses, non-government organisations, private health service providers and businesses that trade in personal information for benefit, service or advantage. Although there are some businesses and organisations that are not required to comply with the Privacy Act, there is a direct link between the transparent and responsible treatment of personal information and consumer confidence. For this reason, all businesses and organisations should seriously consider complying with the APPs, irrespective of being bound to them or not.
Information Commissioner’s new powers
The amendments significantly enhance the powers of the Australian Information Commissioner. In particular, the Commissioner now has the power to accept court-enforceable undertakings from organisations in relation to privacy matters. The Commissioner also has the ability to seek significant monetary penalties against individuals and organisations for breaches of the Privacy Act. Finally, the Commissioner will have significantly wider investigative powers after 12 March.
The Privacy Act has always allowed the Commissioner to investigate suspected breaches of privacy in the absence of any complaint. However, the effect of these investigations was previously limited to adverse publicity for the organisation being investigated, with other enforcement actions being unavailable. Under the amended Privacy Act, the Commissioner will now have access to the full scope of enforcement options for any investigation undertaken. Importantly, a complaint is no longer a requirement for the Commissioner to take enforcement actions post-investigation.
The Commissioner will also have the power to accept undertakings from an organisation that it will do, or refrain from doing, certain things in order to comply with the Privacy Act. Failure to comply with an undertaking can result in significant penalties.
Civil Penalty Orders
The amendments provide for penalties to be attached to some of the provisions within the Privacy Act. Importantly, serious or repeated breaches can attract a civil penalty order. These orders can require an individual to pay up to $340,000 and a corporation to pay up to $1,700,000.
The new Australian Privacy Principles
As well as strengthening the Commissioner’s powers, the amendments introduce a new set of 13 APPs.
The APPs will regulate the way Australian businesses and government agencies handle personal information. A number of the APPs place significantly different obligations upon Australian businesses when compared to the previous National Privacy Principles. In particular, APP 7 places a more direct focus on the use of personal information for direct marketing purposes. Further, APP 8 places greater accountability on organisations in relation to the transfer of personal information outside of Australia.
APP 7 – Direct marketing
APP 7 provides that an organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met. Broadly, organisations may only use personal information for direct marketing where the individual has given consent or would reasonably expect their information to be used for that purpose. Further, organisations must provide a simple and obvious means by which the individual can opt out of receiving direct marketing in order to comply with APP 7.
APP 8 – Cross-border disclosure of personal information
APP 8 works in conjunction with the Privacy Act to place greater accountability on organisations disclosing personal information to an overseas recipient.
Before a business can disclose personal information to an overseas recipient, it must take reasonable steps to ensure that the recipient will comply with the APPs in dealing with the information. APP 8 goes further by providing that, in certain circumstances, an act or practice engaged in by the overseas recipient will be taken to be an act of the business that disclosed the information. In such circumstances, the business will be held in breach of the APPs for the actions of the overseas recipient.
APP 8 will be of particular importance for organisations using cloud technology. As data stored in the cloud may be, and often is, located anywhere in the world, there is enormous potential for disclosure of personal information to an overseas recipient. Therefore, knowing where your cloud provider stores and processes personal information, and ensuring that the provider handles it in a way that is consistent with the APPs, is an important step to take to minimise the potential for privacy breaches.
If you use popular e-mail services such as Gmail or Hotmail, data storage services such as Dropbox, or one of the more popular and innovative accounting software solutions, then it is likely that you are using cloud technology. Disclosure of personal information through your use of these services may expose you to risk under the amended Privacy Act.
With the 12 March 2014 deadline fast approaching, organisations must now review their privacy policies and practices to ensure compliance with the Privacy Act. Failure to do so may leave you as an early casualty of the Commissioner’s new and enhanced enforcement powers.