A new era of privacy law in Australia

31 October 2013

On 29 November 2012, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 passed both houses of parliament, paving the way for a set of new, harmonised principles for both the public and private sector.

Due to take effect from 12 March 2014, the new law will replace the National Privacy Principles and the Information Privacy Principles contained in the current Privacy Act 1988 (Cth). In their place will be a single set of mandatory principles known as the Australian Privacy Principles ("APPs"). The new regime will apply to most entities handling personal information, including Commonwealth agencies and private sector organisations (referred to as "APP entities"). The principles seek to encourage greater transparency in the collection and handling of personal information, and better protection for individuals.

Key changes under the new law include:

Privacy policies

Businesses will need to have their current privacy policies reviewed to ensure that they contain the information the new law requires. Matters which a privacy policy must now set out include:

-        The kind of personal information collected;

-        The avenues available to individuals to complain; and

-        Details of overseas organisations to which personal information may be disclosed, and in which countries they are located.

Disclosure to overseas entities

Australian businesses should be aware that, if they disclose personal information to an overseas entity, they will be liable for any act of that overseas recipient that would be a breach of the APPs had the Australian business done it itself.

We recommend that you consider your current business arrangements with overseas entities and whether they need to include protections for your business relevant to the APPs. This will be particularly relevant to businesses which outsource work overseas or are subsidiaries of overseas companies.

Unsolicited information

Unsolicited information refers to personal information that an APP entity receives but has not taken active steps to collect. Under the APPs, obligations are now imposed on the recipient of unsolicited personal information.

If a business receives unsolicited personal information, it should determine whether it could have collected that information itself on the basis that it is for, or directly related to, one or more of the organisation's functions or activities:

-        If it could have, the business must handle the information in accordance with the APPs, as if it had collected it;

-        If it is not, the business should destroy or de-identify that information promptly if it is lawful and reasonable to do so.

This change will extend to a wide range of situations, and can be something as simple as a member of the public sending a query to the business regarding its goods or services.

Direct Marketing

Under the APPs, a business may use or disclose personal information for the purpose of direct marketing only if:

-        The business collected the information from the individual;

-        The individual would reasonably expect that the business would use or disclose the information for the purpose of direct marketing;

-        The business provides a simple means by which the individual can easily request not to receive direct marketing communications; and

-        The individual has not requested to opt out.

As such, businesses that wish to continue direct marketing lawfully should review their current direct marketing practices and privacy policies and, if necessary, create and document new procedures.

In light of the above, businesses should review their current policies and practices to ensure that they fully comply with the APPs prior to 12 March 2014.

Please contact us for advice about how we can assist you to appropriately tailor your privacy policy to ensure compliance with the pending changes in privacy laws.