By Leanne Montibeler, Solicitor | May 2013
As you may be aware, from 12 March 2014 there will be a new privacy law regime in Australia governing how organisations collect, use, and store personal information, as the current private sector National Privacy Principles (NPPs) and public sector Information Privacy Principles (IPPs) will be replaced by a single cohesive set of 13 Australian Privacy Principles (APPs).
How will this impact things and what are some of the main changes?
With the new APPs there are some key reforms that will impact upon organisations and how they collect and use personal information, as well as the procedures and policies they have in place for dealing with personal information. For instance:
- The new regime will go further than the current regime to regulate the receipt of unsolicited personal information, i.e. where an organisation receives personal information that it did not request. This means organisations will need to have procedures in place for dealing with such information.
- The new regime requires organisations to take reasonable steps at the time of collection of personal data to provide individuals with a collection statement, which is separate to the privacy policy, and essentially a summary of the privacy policy. The collection statement is intended to provide certain information such as the organisation’s identity and contact details, the main consequences of not providing personal information, other entities to which the organisation will disclose personal information and how to access the privacy policy.
- There are also changes to the direct marketing provisions which will require greater accountability from organisations. An organisation will need to ensure that the individual would ‘reasonably expect’ that the organisation can engage in direct marketing with them, where consent has not been previously obtained to use personal information for a direct marketing purpose. In addition, where personal data has been collected from a third party for the purposes of direct marketing, an organisation will now need to disclose to the individual that it has collected personal information from a third party when it uses this information, and so must keep a record of the source of personal information.
- Organisations that disclose personal information to overseas recipients (such as within a group of companies or via cloud-based services) will need to take reasonable steps to ensure that overseas recipients do not breach the APPs. If the overseas organisation breaches the APPs then the Australian entity that disclosed the personal information is deemed to have committed the breach, although there are some qualifications to this. This will obviously have a significant impact on the data protection obligations of organisations. Further, organisations will need to notify individuals that they may disclose their personal information to overseas entities.
- There will be a broader enforcement focus for the Australian Information Commissioner (previously known as the Privacy Commissioner), including the power to conduct an assessment of an organisation and request a demonstration of compliance with the new privacy laws, even in circumstances where no complaint has been lodged, which differs from the current system.
What should organisations be doing to prepare for the new APPs?
We strongly recommend that organisations take the time now to review their privacy policies and information collection processes to ensure that these will comply with the new privacy requirements well in advance of their implementation. The important thing is to work out what will be required for your particular organisation and ensure staff are appropriately trained to implement any changes to procedures before 12 March 2014.
Below are some examples of what you can start doing to prepare for the new regime:
- ensure that you have reviewed your privacy policy and updated this in line with the new requirements;
- review your systems and data security arrangements and ensure you have procedures in place to manage privacy compliance issues, complaints, requests for opt-outs and requests for third party data source information;
- consider whether you currently receive unsolicited personal information and how you will deal with this going forward;
- document your privacy compliance practices in the event of an assessment by the Australian Information Commissioner;
- if you presently disclose personal information to, or receive personal information from, other organisations, including any cross-border disclosure to foreign parties, you should carefully review those organisations' practices to ensure they comply with the new APPs and consider including warranties and indemnities in respect of compliance with the APPs in your contractual arrangements with these organisations; and
- review your direct marketing procedures and ensure necessary consents are obtained and that any direct marketing communications contain the required opt-outs and statements.
If you would like further information on the privacy law changes and how they might impact on you, please contact Leanne Montibeler. We can provide tailored legal and practical advice to assist you with reviewing your privacy policy, practices and procedures.
