Are you ready for the major changes to Australia’s Privacy Laws that will come into effect on March 12 next year? Do you even know about them?
If not, you had better start preparing.
The new laws require organisations with an annual turnover of more than $3 million (and smaller organisations that deal with “sensitive information”) to do a lot more than just update their privacy policies.
For the first time the focus will be on the requirement for entities, where the Privacy Laws apply, to have well-documented procedures and actual systems in place to show how they collect, use, share and store personal information.
That means these organisations must record and be able to track every piece of personal information from the time of collection, whether it is simply an individual’s name or something more sensitive such as an individual’s health or financial records.
The changes to the Privacy Act will see the introduction of 13 new Australian Privacy Principles (APPs) that will replace the existing National Privacy Principles (NPPs) that apply to businesses and the Information Privacy Principles (IPPs) that apply to government agencies.
Most of these principles will replace the existing ones. But there will be some entirely new principles, which will require organisations to be more proactive in how they handle and protect personal information.
For starters, the first APP will require entities to take a “proactive approach to informing individuals about how their personal information will be handled”. This means organisations will not only have to make their privacy policy freely available (i.e. on their website) but will also need to state, in clear English, the practices and procedures they have in place to show how they are complying with the 13 new APPs.
The aim of this Principle is to embed privacy compliance at the start of the collection of personal information and into the culture of an organisation, rather than when it is too late, after a privacy breach has occurred.
The new Privacy Laws will also impose other obligations on organisations, including:
- Not using personal information for a secondary purpose (such as direct marketing), unless an individual has consented.
- Destroying or de-identifying any unsolicited personal information that is received.
- Placing a prominent statement on their website allowing individuals to opt-out from direct marketing.
- Outlining whether information will be disclosed to overseas recipients and the nature of that disclosure.
- Taking steps to ensure any overseas recipients of personal information (such as an overseas-based cloud computing provider that could be storing files with personal information) do not breach the 13 APPs.
- Being liable for any privacy breaches by overseas recipients of personal information, unless the individual consents to their personal information being sent to an overseas entity and not being protected by Australian law.
Over the coming weeks we will explore the various implications of the new Privacy Laws, and will look at the steps organisations need to take to ensure they are ready for March 12 2014.
The new APPs are not merely guidelines. The new Privacy Laws will grant greater powers to the Privacy Commissioner, who will be able to conduct “performance assessments” on organisations whether or not there has been a privacy breach.
The Commissioner will also be able to enforce undertakings through the courts and be able to seek civil penalty orders of up to $340,000 for individuals and up to $1.7 million for companies.
And given the laws were passed in November 2012, it appears the Privacy Commissioner Timothy Pilgrim already thinks businesses have had ample time to prepare for the changes.
“From the first day of operation, the privacy reforms will provide me with enforcement powers and remedies in regards to own motion investigations – those that commence as a result of my own initiative rather than as a result of a complaint from an individual,” he said in a speech in May.
“I will not be taking a softly softly approach.”
How can CompliSpace help?
CompliSpace combines specialist governance, risk and compliance consulting services with practical, technology-enabled solutions.
If you are looking to update your existing governance, risk or compliance programs and make them more relevant to your organisation, contact us via the details below:
P: +61 (2) 9299 6105 (Sydney) / +61 (8) 9288 1826 (Perth)
E: contactus@complispace.com.au
W: http://www.complispace.com.au
This blog is a guide to keep readers updated with the latest information. It is not intended as legal advice or as advice that should be relied on by readers. The information contained in this blog may have been updated since its posting, or it may not apply in all circumstances. If you require specific or legal advice, please contact us on (02) 9299 6105 and we will be happy to assist.
Great update.