From 12 March 2014, the Australian Privacy Principles (APPs) will replace the National Privacy Principles and Information Privacy Principles and will apply to all private and public sector organisations (Organisations).
Under the changes, there are 13 new APPs. A number of the APPs are significantly different from the existing principles, including APP 7 on the use and disclosure of personal information for direct marketing, and APP 8 on cross-border disclosure of personal information.
One of the biggest changes deals with cross-border disclosure of information and the introduction of a new accountability principle. Australian Organisations are required to be more transparent and responsive about how they are handling stakeholder data. And, if data is stored in the cloud, there are some new requirements that will apply, particularly if it is held offshore.
If there is an act or omission by an overseas entity which would otherwise breach the APPs, then the Australian-based entity will be liable for the acts and omissions of the overseas entity.
The requirement for an individual to be notified of the collection of his/her personal information has also been reinforced as a result of the amendments. Specific details regarding the reasons for the collection, and the uses and intended disclosure of personal information for that specific collection event will need to be incorporated into a collection notification statement.
The new laws make it more difficult for Organisations to collect information about stakeholders without their knowledge. Organisations must now notify individuals when information has been collected, how it’s used and where it’s stored. As well, the definition of personal information has been extended to also account for certain information which is collected anonymously but which, when combined with other information, has the capacity to identify someone. Take particular note of this if you make use of social media data tracking. Some of the tracking services collect an extensive range of information on individuals which can identify them despite their use of pseudonyms. This raises issues around the requirements for transparency and permission to collect personal information.
Here are our top three tips to make sure you are ready for the new privacy legislation:
1. Review your privacy policy.
- Refer to the Australian Privacy Principles (APPs), not the National Privacy Principles.
- State how an individual can complain about a breach of the APPs and how you’ll deal with such a complaint.
- State whether you’re likely to disclose personal information overseas, and if so the countries where the recipients are likely to be located.
2. Review what data that you collect and store on stakeholders.
- The definitions for ‘personal information’ have changed. For example, the definition of ‘personal information’ has broadened from data that is attached to a name, to now also including anonymous data with the potential to be linked back to an individual.
- Also review your processes for keeping up-to-date records – a number of the principles deal with the issue of updating records, disposing of records no longer required, etc.
- Once you have determined the types of personal information you collect, and you have established systems that will ensure ongoing compliance and protection of personal information, you need to determine what uses and disclosures of that data you make. The reasons for collecting specific personal information will need to be considered in terms of understanding what it can be used for, as well as the disclosures you intend to make of that personal information.
3. Review where your data is stored, particularly if you are using cloud-based software and data services. You need to ascertain whether you are presently disclosing, or intending to disclose, any personal information you hold outside of Australia to any third parties (such as a data hosting centre) or related bodies corporate. The APPs require that if you disclose personal information outside of Australia you take reasonable steps to ensure that the overseas recipient, to whom the personal information is disclosed, does not breach the APPs. You may need to seek explicit permission from your stakeholders for their data to be shared with specific parties and in specific locations.